Dailydave mailing list archives
Re: Information security certifications diversity and getting lost
From: "Andre Gironda" <andreg () gmail com>
Date: Mon, 10 Sep 2007 17:07:07 -0500
On 9/10/07, Dave Aitel <dave () immunityinc com> wrote:
We passed out "Not a CISSP" buttons at DefCon and they were a big hit. To get one you had to not have CISSP on your business card though.
Did you have to have a business card to get a button? What's wrong with CISSP? I read through all 900 possible questions a few times over the years and it doesn't seem that bad. It doesn't make you a security expert in anything, but it allows you to "talk-the-talk" using meaningful definitions. My biggest gripe with the CISSP is not with the CISSP itself but instead with anyone who would make it a requirement. I have the same gripe with high school or any diploma/degree requirements. Heck, I have the same problem with "years of experience". Interview the people (or accept their RFP response) and ask them the right questions. Hire or no hire.
I would say the problem with the CISSP is "irrelevance" but that's just me.
How is this a response to Tom's very valid questions? How and why is CISSP irrelevant? Please explain.
Thomas Ptacek wrote:
How do you plan on solving the problems the CISSP has?
1. People will "teach to the test".
2. Certs get stale fast.
3. Cert businesses are high-overhead, but the IP for a cert is hard to protect (if your cert is going to be fair and meaningful).
This quickly becomes a catch-22. An organization focused on certification material is attempting to do two things:
1) Teach people how to learn their solutions in a standardized way so that they can be tested in a standardized way
2) Get knowledge of their product out there and available in trade magazines, whitepapers, articles, and even blogs

So, if they hide the information needed to pass a test - they lose the marketing potential of instructional capital. Just look at the marketing potential of the original MCSE and CCNA certs.

If they make the information too available, they risk constant restructure of the program to hold any value - this was the failure of the MCSE and CCIE certs. Cisco internal had too many programs that made it easy for employees to get CCIE, and thus in the first 5 years it became very polluted with these people.

Of the companies that have intellectual property in instructional capital - only a few are currently able to keep their training material and test questions out of reach. They are: Agilent, Altiris, Aruba, Avaya, Brocade, Business Objects, Radware, Riverbed, RSA, SAP, and Siemens. I would add SANS to the list, but I have not done extensive research on GIAC et al. Are there any super secret "SANS Answers" forums or "trading circles" that anybody knows about?

Now consider the above 11 companies. Avaya, in particular, suffers in the instructional capital marketspace. When was the last time you saw a book on "Installing IP Office" at a bookstore? A magazine article on "tips and tricks"? Seen some lines of config explained well in an article or blog post? Went to a free event or conference covering that material?

Most of the others fall into this same category. The exceptions are Brocade, Business Objects, and SAP (also Gartner favorites BTW). I'm sure the training material to these does get around, but less so than any other major organization that has IP in training and certification material.
Name somebody else and I'll tell you how bad it is.

Some certifications I'm just happy exist, are cheap, and actually do have loads of material available to easily learn the material and pass the test. For example: CWNA and ITSM (ITIL). Others I wish I had access to any information about - OPST, QDSP, or CSTE as great examples of this.

Cheers,
dre
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave