Penetration Testing mailing list archives

Re: Re: Re: CREST or TIGER?


From: cwright () bdosyd com au
Date: 19 Oct 2007 23:39:24 -0000

Danny,
I do not know you personally, but you have stretched your neck out and I am in one of those moods.
I have many certs, degrees and accreditations etc. I have over 20 publications (peer reviewed) and even a couple books. 
This includes being one of the VERY few people with a GSE (mine being the only GSE in compliance). [Forgive the self 
promotion, but I am getting to a point]. What I personally do is try to round out my skills. I have enough tech skills 
to cover most things. These have been tested by comprehensive long-term evaluations, publications and training. 
[Gratuitous plug for those people in Australia looking @ SANS Training there is a staysharp session in Sydney in Nov 
and AUD507 as a mentor session in Jan 2008 that I am leading].
I round my tech skills by learning outside of IT. I have Post Grad Management and am completing an LLM (Masters in 
Law). Certs are a way to demonstrate that you still learn and have some level of measurement to a standard.
Looking at your CV Danny, (http://dfullerton.mantor.org/) and page I see that you have completed a couple GIAC certs. 
You also seem proud of this – as you should be.
“Members new certifications
Danny Fullerton has complete GCIH and GHTQ certifications (Giac Certified Incident Handler and Giac cutting edge 
Hacking Techniques respectively).”
So does this mean that you know all? Are you at the pinnacle of all there is and can talk on all topics? I see that you 
do not have a CISM. It is easy to descry the failings of something you do not have. To state that it shows nothing, but 
this is when you err. It demonstrates a minimum competency in a security management level of knowledge. Does this mean 
that managers need to be hands on? No, it means that they know a base set of terminology needed to talk to IT techs. 
This is not the same thing. The same with a PhD, a PhD is proof of expertise in an area. What the area happens to be is 
what matters and this does not mean security – it means a focused area. 
My first doctorate compared the mythos and origins of Greco-Roman and pre-Judaic belief structures. So I guess that 
this has no relation to security. On the other hand the couple masters degrees in IT do. Even then, the doctorate has 
helped my security career. It provided me with research skills and rounded my writing. 
So where does this all lead? Not all certs are equal. They are popping up daily. The main thing is to:
1.   Demonstrate that you continue to learn. Peer reviewed papers, certs and other learning help show this.
2.   Stay fresh. That cert you completed 5 years back – what have you done to maintain it? Is it a standard “get a 
helpdesk job” one – or a premium one? How long has it been around? Is it international?
I am old enough and ugly enough to be able to “bitch” to and about management – after all – I am management (even if I 
maintain my tech skills). However, remember that all these posts are there for HR to read (Hi HR person :) for MANY 
years to come. What we state now regards these things may come to haunt you in the future. It is easy to state I do not 
care on a list. When however, you also have a web page contradicting this assertion, then there are conflicts in the 
story. 
People outside the security community are the majority. This is a good thing to remember. We are effectively “helper 
parasites”. We offer the services of a communal antibody or T-cell macrophage. We can make life easier for those 
non-security people, but we cannot live without them. They however can survive without us (though in a more limited 
fashion). Something that people may wish to remember in security.
Regards,
Craig Wright
GSE-Compliance
