RE: CISSP Test

["DAN MORRILL" <dan_20407 () msn com>]

I think in reading the multiple threads on this issue, there there are a 
number of perspectives on the value of the CISSP.

What was most interesting was the CEO's perspective. Since the CISSP is a 
boot camp, and the SANS is bootcampable in the longer run with the removal 
of the practicle. The real question is working towards a certificate that 
demonstrates ability to work in the security arena, one that is really hard 
to get, and one that really tests the ability to do the work.

While CISSP and SANS are great to have as a resume filter, it does not imply 
that anyone with either certificate to their name can actually do the work. 
What I am seeing is that many people are going for these, and have them, but 
had them a result from an IDS system, or ask them to do a security design 
for either a network or a chunk of code, the ability to actually perform the 
task is not there, even though they have the certificate.

Personally, I believe the community needs something, certificate, degree, 
internship, what ever, that actually means you can perform competently in 
the security arena. That there is a skill set there that the entire 
community agree's upon is the minimum recommended skill set to work in this 
field. If we had something like that, then any school that is pumping out 
Bachelors of Information Security folks would have a standard. Anyone 
building a bootcamp or certificate program would have an agreed upon 
community standard to work with.

ISC2, ISSA, WSA, SANS, et al. Could build a board in conjunction with the 
community, develop the minimum qualifications to work in the field, and 
actually accomplish something once they have been certified or degreed. NSA 
has been hugely successful in developing security schools through James 
Madison, Boise, et al. But they have to agree to and teach to the minimum 
standard that NSA has put together to meet the needs that NSA has 
identified.

I think until we as a community agree upon a minimum standard, apply it 
consistantly across the board much like doctors, lawyers, social workers, 
and other degreed or licensed professionals, we will continue to have this 
debate until the house burns down. As security professionals, as security 
folks, we have the same ability to either do good, or do harm as any other 
profession does. We need to understand this, and begin working towards skill 
sets either certificate or degree that actually mean something useful at the 
end of the day.

My thoughts, flames invited.
r/
Dan



Sometimes MSN E-mail will indicate that the mesasge failed to be delivered. 
Please resend when you get those, it does not mean that the mail box is bad, 
merely that MSN mail is over worked at the time.





> From: "Clement Dupuis" <cdupuis () cccure org>
> To: <robert () dyadsecurity com>,"'Vladamir'" <wireless.insecurity () gmail com>
> CC: full-disclosure () lists grok org uk
> Subject: RE: [Full-disclosure] CISSP Test
> Date: Wed, 23 Mar 2005 06:45:47 -0500
>
> Robert E. Lee wrote:
>
> "SANS programs have little to do with security.  I'm glad they changed 
> their
> policy.  They seem more honest now."
>
> Good day Robert,
>
> Honesty is a very neat goal to achieve, however it has many facets.
>
> I lately learned (under all reserve, please correct me if you know
> otherwise) that SANS no longer has any NON PROFIT portion left.  They used
> to be registered as a non-profit entity in the state of Maryland but it
> seems that it was dissolved.  Technically we could say there is no SANS
> Institute left anymore as we knew it on the non profit side.  After they
> dissolve SANS they created a FOR PROFIT corporation called ESCAL which
> registered the names used in the non-profit as trademarks for their new for
> profit organization.  Even thou you see the name GIAC and SANS being used
> everywhere, they are all trademark (not organizations) of the new privately
> owned company.
>
> Principals at SANS have NEVER claimed to be non-profit, it is a myth that 
> we
> the people that have been dealing with SANS for a long time (since the time
> they were non profit) have been propagating.  We have been keeping this 
> myth
> alive simply because we did not know any better and we did not know that 
> the
> non-profit was dissolved.  It was done without any noise or public
> announcement to the people that were already certified.
>
> So they NEVER lied but they never went to any length to inform people of 
> the
> real and current status of their corporation activity.  Most people think
> that GIAC is non profit which is not the case anymore and this better
> explains the decision of dropping the practical requirement: it does not
> generate money and it is not a good business decision to keep something
> alive that will become a drain on the bottom line.  Which is a bit contrary
> to the reason given of improving the overall state of the security 
> community
> :-)
>
> Take care
>
> Clement
>
>
>
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

_________________________________________________________________
Express yourself instantly with MSN Messenger! Download today - it's FREE! 
http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/