Penetration Testing mailing list archives
RE: Hacker Stories, Certs, vs Projects - Was Re: Technitium MAC Address Changer v3.1 (FREEWARE)
From: "R. DuFresne" <dufresne () sysinfo com>
Date: Fri, 28 Jul 2006 18:32:00 -0400 (EDT)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Fri, 28 Jul 2006, David Cross wrote:
> CISSP != network admin.
Never on this side was I saying these were "equal"; I made a distinction in how my organization pays both sides. Please don't try to confuse the issue with your misinterpretations.
> CISSP = massive amounts of information on how security works, how to structure security in an organization, how to manage it, how to audit it, how to keep it compliant with laws and how to meet best practices. This information is useful only to senior security people who intend to manage security.
CISSP is a management track certification at best, not a hands-on massive skills certification. Deal with that fact.
> If you want to know the details of what keeping your credential requires, go to ISC2.org and read the details yourself. I'm not going to spend my time babysitting you through it.
And I outlined how that process has changed over time. I guess you are only familiar with the current process and lack the history.
> Also, if you actually read the response, you see a cert only serves to add credibility to what experience a person claims to have. A cert does not magically imbue you with power from above. WHAT IT DOES DO IS PROVE YOU KNOW ENOUGH OF WHAT YOU'RE DOING TO PASS A VERY DIFFICULT TEST AND IT BINDS YOU TO A CODE OF ETHICS THAT REQUIRES YOU RESPONSIBLY REPORT AND RESOLVE VULNERABILITIES. (the industry as a whole needs that)
What it does is prove you can study for and pass an exam, nothing more.
> A cert, in most cases, is better than none. When I hire people I ask them about certifications. People tell me "oh, I'm a security expert" and I ask them why they didn't spend the money to prove that they know what they're talking about. The response is always, "I don't have the money," or "I studied but got too busy to take the test." I've never had a person say they didn't think it was necessary. But at this point the burden is on me to test them. So I have to spend $99 of my own money to set them up with an online test to test their knowledge. I have to spend another hundred dollars to have my HR person track down all their references and call each one and quiz them at length. I have to spend 2 or more hours versus one hour to interview them, costing a few hundred dollars of my time, to try to coax out of them all the insipid details of their experience in all the companies they've ever worked for. So by the time it's all done I've basically paid for them to take the stinking test anyway.
When I've interviewed folks, I avoid asking about certs; I ask pointed questions that can outline whether the person knows his stuff, or whether he's trying to bluff his way into something over his head.
> A lot of people come to me to find out how they can get certified in computer security. Usually it's someone who's been programming for 10 years and they're bummed because they want a more exciting job or a better paying job.
And I pointed out how in recent years sec folks tend not to make the money that others, such as the admins my example defined, do to this day. There was a time when sec folks who could demonstrate real skills, real hands-on experience far beyond showing a cert number for a passed CISSP exam, made real money. These days it's far from that...

Will a cert get you past a clueless HR rep? Sure. Will it automatically put you into high-paying jobs? Far less likely these days.
> They say, "I have always wanted to be a security expert. How did you get your certification?" Notice they don't ask how to become a security expert... only how to get the piece of paper. When I explain what it takes they cheerfully ignore the details and wander starry-eyed back to their cube dreaming of how they will be the next big security expert. Most of them even go buy a study book or books before they get discouraged, but there are always one or two that take it a step further. But I've never had one come back and ask for an endorsement or never known one to actually complete it. What I do know is that some of them have gone on to other jobs and convinced companies to hire them as "security experts" sans a certification. <<hey, that's a pun - sans meaning "without" and SANS being a certifying body>>
At least the SANS certs show a level of expertise, and thus perhaps have more real value to an employer, if they are seeking skilled professionals.
> Granted I've known great security gurus without certifications... fine... in my opinion, if you have a very public and unassailable rep to stand on. If you don't have an industry-known rep then you'd better have a cert or a string of CVEs to tack on to your resume to get noticed. Either way I'm happy with my investment and I earn a modest 6 figure income, netting a cool 25k more than my cert-less buddies. Plus when I consult I can charge well above $100/hr and companies don't even blink. So for me the investment in myself and in my test-taking ability has paid off. If you can do as well without a cert then I concede you are a winner.
<smile> I have lots of certs in various areas, some I had to gain at employer expense, though I seriously flaunt none. I rely upon my experience, and if needed can tap many persons for a referral that have knowledge of my skills and abilities. Those referrals pay off better than any 3-4 letter cert credits I might tack onto my .sig.
Thanks,

Ron DuFresne
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629

...We waste time looking for the perfect lover instead of creating the perfect love.
-Tom Robbins <Still Life With Woodpecker>