Firewall Wizards mailing list archives

Re: Network Security Certification


From: "Bruce K. Marshall" <bkmarsh () feist com>
Date: Wed, 29 Apr 1998 10:19:12 -0500

Paul D. Robertson wrote:

I seriously questioned the real-world value of such certifications
based on my experiences with the people who held them.  I know folks who
have them who are _seriously_ missing pieces of the real-world puzzle.
Some of them are fair at the business side things, but I've yet to meet a
certificate holder who impressed me because of the certification
process, or other than one case, their grasp of real-world security problems.

In the ensuing time since this went around, I've met another couple of
holders, one of whom I would actually trust to do real-world
evaluations of my networks.  All the experience and knowledge said person gleaned
that made them meet my criteria was prior to them even considering the
test.

    And this really is the criterion that certifications focused on in
the beginning.  A CDP or CNE was supposed to be a standard of proving
that you had experience in your given field.  Of course, people who
didn't have this experience also wanted to become certified so
vendors/organizations designed courseware to "supplement" a person's
knowledge and essentially prepare them for the exam.  Some trainers
still mention (tongue-in-cheek) that this course is for education and
not to prepare you for a test, others have dropped the charade
altogether.

    In my opinion, some courseware has continued to lower its
requirements for prior knowledge so that you really only need to be
familiar with using a mouse and keyboard to become a certified
something.  The term "paper" CNEs/MCSEs/etc. has gained popularity among
those of us having experienced the real lack of knowledge among some
certified individuals.

    After all, what is that rule about learning and retention? 
Something like you lose 50% after a few weeks or so.  It takes real
world experience to be able to truly understand and utilize computer
concepts.  The more the better, since everything tends to have some
relation in computing.

    Certification isn't necessary to do this, but with some people it
helps to put the point across in the beginning (or on resumes). 
Obviously this depends on your prior experiences with certified
individuals, as you state.

If your resume came across my desk, and you had certification but not
experience, it wouldn't mean much to have the certification.  If you
had experience but not certification, it wouldn't mean much not to
have the certification.

    The (ISC)^2 has been fairly sensitive of this fact and tries to
address it through several measures.  Foremost is their requirement that
you have at least 5 years of related experience in the information
security industry before you can take the CISSP exam.  This doesn't stop
people from lying, but they would risk possible detection and
certification stripping.

    Ongoing education and training is also required for you to maintain
your certification.  Over a three year period a certified individual
must earn 120 Continuing Professional Education credits (CPEs) through a
variety of methods.  Essentially things like attending classes,
conferences, teaching, writing articles/books, self study, submitting
new exam questions, or retaking the exam all count towards earning
CPEs.  Plus, they limit how many CPEs you can earn doing certain
activities.  More info on this can be found at
http://www.isc2.org/recert.htm

    The biggest complaint about the (ISC)^2 and the CISSP exam is the
age of the material (it does have a slight mainframe slant due to the
founder's own experience) and the quality of the exam.  I understand
that since I sat for the exam some significant steps (including an open
two day meeting to review questions) have been taken.  The CISSP will
gain a lot more value if this path of improvement is continually
followed.

I've been RACF "special", I've been a VM sysprog, my first job had IBM
360 mainframes running DOS.  I've yet to see a certification process
that tests enough current knowledge to be more useful than the same amount
of time spent doing individual research.

    This is indeed the main fault with current certification testing
which in turn can place the blame on our industry's rapid growth and
expansion.  Some organizations obviously make more of an effort to keep
up to date than others.  Unfortunately, most people are left to find
this out for themselves during a test.

    Your other point about individual research is also quite valid.  I
would love to tell management that I'm taking off a week (non-vacation
time) to study the intricacies of IPv6 and have them accept it.  Somehow
they seem a little more receptive to letting me go for a week to sit in
a classroom and learn the basics of TCP/IP from Microsoft.  Luckily this
doesn't prevent me from also supplementing my textbook education with
any other materials either during this time or off-hours.

    It also boils down to what type of a learning you respond to the
best.  Some people are able to grasp concepts better when they are provided
by an instructor.  Some people hate classroom environments and won't
utilize them.  Each to his own, I suppose.  The main goal should always
be to achieve an accurate and useful education.

-- 
Bruce K. Marshall, CISSP - bkmarsh () feist com - Feist Communications
      2424 S. St. Francis - Wichita, KS 67216 - 316-264-2248