Security Basics mailing list archives

RE: Distinctions in Certification


From: James Taylor <james_n_taylor () yahoo com>
Date: Thu, 14 Aug 2003 01:08:21 -0700 (PDT)

From: "Peter Baxter" <peter.baxter () bt com>
To: "'Jarrod Loidl'" <loidlja () corp earthlink net>,
  <security-basics () securityfocus com>
Subject: RE: Distinctions in Certification
Date: Wed, 13 Aug 2003 18:16:09 +0100

Well as someone who hires security staff, I look for hands-on real world
experience. The CISSP and the rest are all too conceptual based, I've
had students with these certs who do not know how to do fragmented port
scans.

'CISSP and the rest'

You've had students with the CISSP certification? Either they hoodwinked the
examiners or perhaps you are confused as to the certification they actually
have... You need to make sure you are employing the correct people into the
right roles with the correct certification.

The CISSP is a management security certification and you have to have at least
4 years' professional experience in a number of 'domains' before you can sit it,
which are:

   Access Control Systems & Methodology 
   Applications & Systems Development 
   Business Continuity Planning 
   Cryptography 
   Law, Investigation & Ethics 
   Operations Security 
   Physical Security 
   Security Architecture & Models 
   Security Management Practices 
   Telecommunications, Network & Internet Security 

There are technical certifications, and managerial certifications. You should
not be employing CISSPs to run fragmented port scans. You should employ a
security analyst to do that.

Would I trust a security compliance program/BCP/large website installation
project to someone with a particular technical exam? Nope. Where is the
technical project management experience? What about Law? BCP? DR? Programming
techniques? I've seen a few 'firewall engineers' who know not much more than
TCP/IP ports.

Of the people I have met who have taken the CISSP, they all agreed it was one
of the toughest exams they had ever taken, and definitely not some boot-camp
qualification. In general they are 1) experienced, 2) mature, 3) respected in
the industry and 4) can be trusted and have the know-how to complete projects
on-time and on-target.

Perhaps you should think about taking it yourself, then pass more informed
comment.

James
CISSP MIEE BEng



From my experience a practical security certification such as the ESA
from www.securityassociate.org really puts into practice text-book
knowledge. We have around 20 ESAs at BT and are happy with the skills
of the engineers.

But nothing beats real world experience and no cert can give you this. 


Peter Baxter
British Telecommunications PLC
Head of Information Security - Europe and Asia
Tel: +44 (0)20 450 5000 ext. 4456


Subject: RE: Distinctions in Certification
From: Jaymz Ringler <jringler () nebrinfosecurity no-ip com>
To: peter.baxter () bt com
CC: security-basics () securityfocus com
Date: 13 Aug 2003 17:28:33 -0500

I agree.  I've had a few employees and interns that have certs, such as
a 2k pro MCP.  One of which I went to school with in the same
classes...  and he didn't know how to add a user.
 
I've come to find that even someone with a bachelor's degree in IT has no
clue what a subnet mask is for.  They remember reading about them..

What a complete load of claptrap! If there is one single goal of any engineer's
degree - and that is to teach the engineer how to be an engineer - if I can
sum it up (and not do it justice) - it is project management and problem solving
ability. They might not have a clue what a subnet is, but for sure they have
the capacity to learn (on their own) what it is, and what to do with it in the
wider world...


Degrees and Certs don't mean anything other than they can absorb some
information and retain it to take a test.  The Hands On Experience is
everything.

Yes, certain certifications are not worth the paper they are written on, but
all of them? Degrees teach you much, much more than how to retain information;
they teach you how to apply yourself. However, what no degree or certification
will teach you is work ethic.

James

