Re: what is required for an engineer to become an SECURITY engineer

["S. Schappert" <scottsch () ix netcom com>]

All,

Yes, practical knowledge.  However the burden of an engineer is theory; root
cause analytical discipline.  Foe example: a working knowledge of TCP/IP,
all layers, IPv4 / IPv6.  There seems to be an advent of individuals who
purport to be an "engineer", yet really lack the resourcefulness and dynamic
abilities to learn, to learn fast and accurately.  The "two year" colleges
are the scourge of the engineering world, thanks to the leading
organizations I would like to mention, but as a professional, cannot.

There also seems a feeling that a working knowledge of the myriad of network
security tools that are free and easy, are the key to being able to judge,
in real-time, what is a threat, what looks like a threat, and what,
depending on dissector settings, is quasi-normal.  The tools are only as
good as the interpreted output, put into action, and are of value only to an
inherent, cognizant engineer.

It seems that although certificates, and their resultant surname-suffixes,
are sometimes just that.  Even the posts from these great security-based
lists, are questionable when the author has several attributes as to qualify
themselves as "engineers"

Theory, adaptation, resourcefulness, and the lifetime commitment to learn as
technology demands, and an ability to take critique, however harsh, and move
forward.  These are the attributes of one who wishes to carry the obligatory
weight of the simple, yet critical title.

Network security demands that while research is going on in real-time, one
has to practice with hardware, and ask questions, and be humble.  There is
truth that although many  people claim to be a lot of things, those who are
what they say, I know in my heart, have one common thread.  Theory.  And
consummate dedication to stay ahead of "conventional wisdom", and excel.

-Scott

----- Original Message ----- 
From: "Ravi Kumar" <ravivsn () rocsys com>
To: "Liran Cohen" <theog () tehila gov il>
Cc: <security-basics () lists securityfocus com>
Sent: Thursday, December 23, 2004 1:04 AM
Subject: Re: what is required for an engineer to become an SECURITY engineer


> Theog,
>   I agree with you completely. Unless one have practical knowledge,
> there is no need for him in market.
>
> As I mentioned in my mail, the concept is to build people with practical
> knowledge. Give us your valuable inputs to frame the syllabus in that
> direction.
>
> Thanks,
> -Ravi
>
>
> Liran Cohen wrote:
> > Well, I don't think there is really a way to measure one's expertise
> > regarding Information security, Would you trust you're money with some
> > banker who just finished his economics degree and opened a bank? , I
> > guess, as in many fields, so in the Information security business,
> > experience,recommendation and reputation will be the criteria, one
> > cannot simply take a test and become a  security engineer (although many
> > people claim to be a lot of things... :) ).
> >
> > Liran Cohen
> > TheOg
> >
> > Ravi Kumar wrote:
> >
> > > [I am reposting the question with modifications]
> > >
> > > Hi,
> > >  I was asked to prepare syllabus for security management,incident
> > > handling,forensics analysis, intrusion detection etc., Th intention is
> > > train an engineer to become a SECURITY engineer.
> > >
> > >   we know there are several certifications which are designed for this
> > > purpose. I want from you with your security experience tell us what
> > > should an BASIC course for security really requires.
> > >
> > >  If industry wants to recruit an engineer for its security needs what
> > > type of experience they look for?
> > >
> > > Note: Please dont relate my question with any certifications and be
> > > generic.
> > >
> > > Thanks for any help,
> > > -Ravi