Security Basics mailing list archives

RE: Value of certifications


From: "Craig Wright" <Craig.Wright () bdo com au>
Date: Thu, 26 Apr 2007 09:38:50 +1000

Hello James,
I have to agree at some level, but I can not completely agree with your
assertions on your blog. You state:

"They do not offer research, or any sort of consulting service, or
anything more than certifications at a bloated price. Their business
model is supply and demand. Their prime concern is money, not quality
assurance or education. They charge high prices because everyone else
will pay them. It is the difference between $57 and thousands of dollars
for a single certification. "

In some cases as you mention - this is true. However, CISA and CISM for
instance from ISACA do not follow this model. ISACA does research and
has issued one of the most highly used audit models - CoBIT.

The capitalist market system is supply and demand. It may be impersonal
and have its faults, but it works better than the existing alternatives.

Greed is too simple. There is a market and people willing to pay. Thus
there are people willing to take money to offer this service.

ISC2 as another example does offer quality assurance, but the level of
what they offer is the issue. Many put more faith in it than is valid.

As for the car issue, there are more people doing this. This is supply
and demand at work. The IT security field has a greater demand than the
mechanic. Try a comparison with a specialist plumber. This is closer to
the model in economic terms.

Regards,
Craig



Craig Wright
Manager of Information Systems

Direct +61 2 9286 5497
Craig.Wright () bdo com au
+61 417 683 914

BDO Kendalls (NSW)
Level 19, 2 Market Street Sydney NSW 2000
GPO Box 2551 Sydney NSW 2001
Fax +61 2 9993 9497
www.bdo.com.au

-----Original Message-----

From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Simmons, James
Sent: Thursday, 26 April 2007 8:12 AM
To: security-basics () securityfocus com
Subject: RE: Value of certifications

I will have to disagree about the validity of certs. It is true that
certs will get you the interview. But I find them only to be good if you
want a basic level system admin job. Everyone is putting too much
emphasis about certifications these days. Granted it is a way to
determine that at some point an individual was able to remember (or at
least guess) the right answers for a group of questions at some point in
time, but that doesn't necessarily prove that someone is competent. 

http://san2600.org/index.php?name=Blogs&mode=display&id=10

I will have to refer you to my long rant about the subject, but
ultimately my recommendation, work on a few projects in your spare time.
Write some white papers, do some research and present your results on a
webpage.  Actually do something that would impress employers. You can
either try to prove that you know something, or you can do something
that proves you know it.
And if you are worried that you might get passed over from HR because
you do not have a cert.  Do you really want to work at a place that uses
an algorithm that pre-screens for minimal requirements? Sounds like a
place that is just looking for bodies to me. 

Simmons

