Security Basics mailing list archives
RE: CISSP Question
From: "David Harley" <david.a.harley () gmail com>
Date: Wed, 16 May 2007 11:32:12 +0100
> Simmons, in your defense I must say that the cert sponsors and supporters seem to be quite exaggerated in their defensive postures. You're probably also right in inferring that there must be some reasons for the fear of an open and engaged dialog over the value of these certificates.
There's a difference between "open and engaged dialog" and mudslinging. We've engaged in that dialogue over many days now. It's the innuendo about SANS and (ISC)2 that's irritating me, not the discussion of cert values. I just happen to feel that the innuendo has been introduced as an indirect attack on certification, and even if there's any truth in it, that doesn't affect the discussion I -thought- we were having.
> For example, when I passed my CISSP exam, several years ago, it was already well established that buffer overflows were the largest source of hostile system compromises, yet the topic was then, and continues to today, grossly ignored.
I'm not sure that buffer overflows are the only game in town. :) But the exam by itself is not and cannot be a complete measure of knowledge. Heck, it hardly covers my specialisms at all, though the quality of the questions relating to some of them has lifted a bit in recent years.
But these are the discussions the industry should be having about certs - what do they cover, how rigorously are topics addressed, what competencies are really measured? They ARE flawed. They NEED improvement. But that's what we should ALL be trying to do because they're still all we have to work with, for now.
Agreed. 100%. So let's look at the real issues, not straw-man arguments about who's making a profit.
> I hope your effort to raise a meaningful dialog will continue but remember there are deeply rooted vested interests and certainly a reasonable level of defensiveness with every certification community.
Please. I don't represent (ISC)2, and I've never "needed" the qualification personally, though I'm certainly not ashamed of it. What vested interests do I have? I've said most of this before, but I'll say it once more and then I really am done.

* CISSP ain't perfect, but it seems to me that it's an honest and valid attempt to measure experience and knowledge for certain kinds of job (management rather than technical, in many cases). No cert is a substitute for experience (or common sense). I'm not banging the drum for CISSP in particular: it's a reasonable measure of broad experience, whereas GIAC certs are usually a better test of knowledge in one area, and don't require experience. Neither is "better" than the other, and there are many other perfectly valid certs - horses for courses. I'd be happy to go on discussing that practically anywhere, but not in this thread, because I think the value of the discussion has been seriously devalued by the pursuit of one person's agenda.

* Many of the problems with certification are not with the certifying process per se, but with the misconceptions of employers who use them as applicant evaluation criteria. But that's true in many areas that have nothing to do with security.

* I'm not saying that cert holders are automatically better than non-holders. I am saying that remarks about cert holders being purely self-interested and wanting letters after their name to prove their own importance are unfair and unhelpful. And that dark mutterings about scams and profiteering muddy the waters without adding any value to the debate about what a cert is worth in real terms. Certs don't have to be about job hunting. They can be about personal development in much broader terms. They don't have to be about self-interest at all. Why do highly qualified people like Craig with highly responsible jobs subscribe to a list called security-basics? Because they need the information?

Well, there's always more to learn, sometimes from unexpected sources, but a lot of the issues discussed here are - well, basic. There are other resources for sharing highly specialized info. So maybe such people have primarily altruistic motives, like sharing information and even their expertise. That doesn't mean people who don't have multiple certs and high-octane jobs should fall down and worship them, or believe everything they say, and never argue. But it's a poor reason for assuming that they're trying to keep the pie all to themselves.

EOT. As far as I'm concerned. Though I welcome rational discussion offline.

--
David Harley CISSP, Small Blue-Green World
Security Author/Editor/Consultant/Researcher
AVIEN Guide to Malware: http://www.smallblue-greenworld.co.uk/pages/avienguide.html
Security Bibliography: http://www.smallblue-greenworld.co.uk/pages/bibliography.html