Security Basics mailing list archives

Re: University Degree or CISSP


From: Mark Teicher <mht3 () earthlink net>
Date: Tue, 6 Sep 2005 17:42:29 -0400 (GMT-04:00)

comments inserted

-----Original Message-----
From: techlists () securityfocus com, at () securityfocus com, comcast () securityfocus com, 
        dot () securityfocus com, net () securityfocus com
Sent: Sep 2, 2005 5:19 PM
To: security-basics () securityfocus com
Subject: Re: University Degree or CISSP

Like anything, it depends. 

If you work for someone that sells your services to someone else, i.e. like a government contractor, the degree is 
almost mandatory. From the employer's point of view, they can charge more for you depending on your educational level. 
The way salary range levels are calculated almost always takes into account your educational level.

Actually not true, some people with a very slick bio and NSA IAM certification can probably expect to receive a 
salary in the high 6 digit arena, those with more advanced degrees and can prove they have obtained certain level of 
certification in a particular product area (i.e. CCIE), with hands-on experience in the field can expect more.  
Those without degrees but have earned the street cred via publishing proof of concepts or exploits can be observed 
earning that kind of mind also.  It sometimes helps if you attended a certain southern tech college, and had some 
good business sense.


It's not that having the bachelor's degree is such a great plus; it's just that having anything less is considered a 
negative because the bachelor's is just assumed.

Actually, not true, in the dot-com era, if you knew how to market your product and services really really well, one 
could be very successful, in today's economy, it is not what you know, it is who you know.

The value of a cert also depends on the employer/client. A lot of contracts specifically ask for CISSPs these days. I 
have a CISSP and don't even have such a great impression of the cert (as far as technical depth goes), but got it 
anyway because it does add value to a resume.

Not as many as one would think, most look for product specific.  Anyone got Juniper Certifications?  How about 
Extreme certifications ?  How about EMC?  If not, Go fish.  It really depends on the organization one is pursuing to 
join and what is expected of the employee.  If clear direction is not precisely provided by management or management 
is completely mystified on how to grow a consulting practice beyond a one man cross your heart and pull a rabbit out 
the hat type of security consulting company.  

Again, it is not what you know, but who you know, and how long before senior management figures out the pattern of 
employment is followed by two years of spending, traveling and not landing one gig > 100K in less than an 11 month 
time frame.  Don't forget all those alliance deals, gossip and im'ing to former people.  Slurping the ideas of 
others and taking claim of ownership is one thing to look for a potential candidate but actually pulling off the 
management speak claims is another.

Building a good security practice is tough work, especially with the various talent available today and all those 
credentials, degrees to choose from.  Remember if more than 3 people in the group, split the group to cover the various 
states, always a good morale booster.


