Penetration Testing mailing list archives
RE: Re: CISSP
From: "Clement Dupuis" <cdupuis () cccure org>
Date: Tue, 5 Dec 2006 08:10:15 -0500
Good day Danny, Cony, and all,

Of course the CISSP certification was never meant to be a technical certification. It is meant to validate your overall knowledge of security and whether or not you understand that specific jobs and hardware such as IDS, IPS, Security Analyst, Intrusion Analyst, etc... are just one piece of the whole security puzzle and none of these by itself can solve the whole puzzle.

There are tons of security professionals (or proclaimed professionals) who could not even tell you what is taking place behind their fancy GUI when a connection to a secure web server or a VPN gateway is taking place. They simply have no clue, and when they attempt to troubleshoot problems they lack the know-how to understand what the logical steps required are.

There are other people who are extremely skilled on the technical side; they will read packets in hexadecimal format while coding low-level exploits in some esoteric language, however often times they lack understanding of the business side and how their employment fits in the grand scheme of things.

Right now there are lots of people who are required to take the CISSP because of the 8570 directive that came out of DoD. Is this the best investment, for a Firewall Analyst to take a CISSP class? I am not convinced at all; it would be a better investment to have him go through a GCFW class instead. If you work in a technical role, the SANS, CEH, CISCO, MS, and other vendors' certifications are probably more adapted to what you are trying to do and will give you the technical skills to do it.

That being said, for many years the technical side of security was driving the orientation that security would take within most companies. I think that it has changed a bit over the past few years and it will change more in the future. We need to deploy a security architecture that meets the business requirements and that can support the functions we need to provide to our customers.

This is where the CISSP will come into play: you do not deploy countermeasures only because they are great products; the product has to make sense for what you are trying to protect and it has to make sense on the cost and benefit side as well. You could stack 25 of the best firewall/security devices and that does not guarantee that you will get instant security if you do not have trained people to manage those boxes (the soft side), if you do not have a process in place to keep them updated, and if you do not have any policies about what can and cannot be done on those devices. You need a mix of all of the above and this mix has to be customized to fit your business needs.

The CISSP was never meant to make you a Guru in all of the 10 domains. Anyone who claims to be would simply be filling you with BS. There is no way one could be an expert in all of the domains and remain current in all of them. The CISSP forces an individual to learn about key areas of security that he would have never touched by himself. It forces him to better understand that security is more than a black box and that people, process, and policies must be in place to succeed. It will give you enough knowledge to understand the different subjects within each of the domains at a high level. The next time you interact with someone who does development, for example, you will have the basic foundation to understand what they are speaking about, and whether or not they have basic competency in the domain they claim to be experts in.

In summary, even if you are a pen tester with GCIH and GHTQ and you are really good at what you do, I think the CISSP could still benefit you by making you understand where pen testing fits within the whole security architecture, what the benefits to your clients are, and how this can be justified as a cost.

If you wish to interact with CISOs and other C-level executives, it might help to talk their cost/benefit language and be able to demonstrate how it can help them within their security plan. As you well know, FUD (Fear, Uncertainty, and Doubt) used to be a nice way to sell services. Today, this no longer works and this is not how you will build long-term relationships with your clients. If you really understand the business side and demonstrate to your clients how they can avoid or minimize losses, I am sure your client will listen very carefully to what you have to offer.

As far as glorifying the CISSP and offering a chicken once a week to the ISC2 god, I do not think it is necessary. The problem right now is we need to educate people in HR about what the CISSP and other certifications are and also what they are NOT. That's the problem.

Take care

Clement