Information Security News mailing list archives

Re: INFOSEC: Certifiably Certified


From: InfoSec News <isn () c4i org>
Date: Mon, 28 Oct 2002 06:18:48 -0600 (CST)

Forwarded from: Aj Effin Reznor <aj () reznor com>

[Last reply on this subject....  - WK]


"InfoSec News was known to say....."

Forwarded from: "BERNARD, Mark" <MEBERNAR () mccain ca>

Dear Associates,

The one thing that you appear to have overlooked is one fundamental
principle of incident handling and Information Security, that is to
ensure that who you are getting advice from has some basis for their
decision making.

...or to also display an assumed level of competency to be able to
sufficiently locate knowledge if not already possessed (as in lawyer
reference, below.  Case study is rather recurring)
 
Certification simply implies that a person has a basic level of
knowledge; it does not imply that they know how to use that knowledge.
That only comes with experience and/or mentoring.

And herein lies the lab...

 
If you look at the most revered professions within our society you
will see that some level of certification under a common body of
knowledge is necessary for that profession to become stable and
continue to develop. A few examples are lawyers, doctors, mechanics,
etc...

Where the professions you list typically have a serious governing body
over them (state bars, ama, ase), what does the security arena have?
Multiple conflicting and competing (and practically ad hoc)
organizations that, well, conflict and compete for attention, respect,
and god bless the almighty dollar yet again.  CISSP's.  There's an
*excellent* example of something where you have a "common body of
knowledge" yet knowing how to *apply* this knowledge never comes into
play.  Of the CISSP's I know or have met, I think maybe 3 are what I
would consider to be "competent" at the very least when it comes to
security.  The rest are, well... certified on paper, but I wouldn't
trust them to secure an NT or a RedHat box.  Seriously.
Certifications are like *any* test from grade school through college
and beyond:  They are a way of showing that you can regurgitate
requisite data in a more or less coherent manner.  They in NO way show
that you understand, or comprehend the material in question.

At least, there isn't currently with security certs.  Again,
*currently* with *security certs*.  How do they differ from lawyers,
docs and mechanics?  Typically any one of the above requires a few
years of schooling in a structured environ and periodic testing
showing ability to not only learn, retain *and* apply but to continue
applying over time that which was learned previously coupled with
current doctrine.  Security?  Shell out the cash, take a test.  In
some cases, attend a few seminars and write a few papers on them to
get/retain your "currency".

Problem is, security changes so much, so fast that having written
coursework on it would be expired before it was half completed.  Some
universities are working on security based skills and titles with
their CS degrees but would I trust a student fresh out of school to
hire?  Hell no!  Experience is a must, of course!

Oh, and don't get me started on CISSPs (esp. the grandfathered ones,
of whom I'll spare you all my usual discourse wherein I question just
about everything about the subject matter) and their smug attitudes.
I was accused recently of being 'glib' with some of my postings on
this list.  Personally, I'd rather be glib than smug :)
 
To boldly state, as a few of you have, that all certifications are
basically useless is not to understand the goals of these
certifications.

I'll boldly state the opposite and say that all certs are useless
because of their goals: "showing that the bearer could repeat
requisite material without necc. understanding how to apply that
knowledge in a real-world situation".  That some skilled people *do*
have certs does not legitimize the cert at all.


-aj.




-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.