Security Basics mailing list archives

RE: Value of certifications


From: "Simmons, James" <jsimmons () eds com>
Date: Fri, 27 Apr 2007 14:03:04 -0500

Of course vendor certs are in it for the money also.  But they at least
have more substance to stand on. It is their choice to determine how
skilled they want their trainees to be. All you can do is look at the
company and comment on how they are really lacking in the quality of
their certs. From there you can speculate on your own about their
quality assurance in other aspects. And of course you will always get
fakers on every cert. Which is why it pains me to see the slide of the
industry's reliance on certs as a benchmark of skill, or dedication. 
While looking for a job that states "CISSP Required", and your resume
doesn't have CISSP on it, more times than not, HR will not even look
twice at you. Which is absurd since most of the most influential people
in computer security do not have a CISSP. They are hired by companies
that have a clue, and pay big bucks for quality. These people have put
in the time to teach themselves, do their own research, and built
themselves from the bottom based on the skill set they acquired
themselves. 

***Below is an opinion piece. This in no way reflects upon anyone else's
viewpoint.
And of course there are always exceptions, but they are rare and far
between.***
CISSP for me just feels like a mark for mediocrity. How I see it is that
if you want the entry level, or the mid-level position, then your CISSP
will get that for you. I feel that if you have not worked from the
bottom, or at least proven yourself in some other way, then what good
are you? You want a cert to show that you can do something, but those
that really know that are hiring, do not rely on the cert in the first
place. They would rather see a list of accomplishments that you have
done, than a single cert on your resume. So why bother with the cert in
the first place? You can spend your time and money building your own
skill sets, or you can spend them studying for a cert.
Now I am not saying that certs are useless. They just shouldn't be
relied upon for as much as they are.
DoD is now mandating security certifications for employees working in
IA positions. Of course ISC2 certs are there with a few others. But what
does that accomplish? Their policy is supposed to be that they will not
hire anyone new without meeting these requirements, and that is what I
fear a lot of companies are moving towards.

Regards,

Simmons

-----Original Message-----
From: Yousef Syed [mailto:yousef.syed () gmail com] 
Sent: Friday, April 27, 2007 9:42 AM
To: Simmons, James
Cc: security-basics () securityfocus com
Subject: Re: Value of certifications

James,
On the matter of Vendor certs I would definitely have to disagree.

I've met plenty of MCSE people that just happened to study hard for the
exam and passed it, but haven't the first clue about setting up an
enterprise Windows system.

For a previous consultancy that I worked at, I was forced to take the
Sun Java Certification (despite the fact that I already had 8 years
Java/J2EE real world experience). It is the most worthless
certification that I've ever come across and it actually teaches you
things that you'll NEVER do in the real world! I'd gone so long in my
career without it, in part, due to the fact that so many
"Java-Certified" types that I'd meet, were useless developers.

The vendors care just as little about the student's knowledge as anyone
else - they are also in it for the money. Anytime they change the OS,
you need a new Cert. Anytime a new version of Java comes out, they want
a new Cert... KER-CHING!

What I like about the CISSP is that you are expected to have at least 4
years prior experience before you take the exam. It covers ten different
security domains. It isn't a technical paper where you memorise a bunch
of procedures; rather, you really have to know what you are securing,
why it needs securing. It isn't at such a high-level to make it
irrelevant, and nor is it at such a low-level as to make it too
technically demanding for people that might never have used a firewall
before.

Are you going to get Fakers picking a CISSP; of course you are (just as
is the case with any qualification); but such persons will be weeded out
swiftly once they are in the workforce and can't produce.

Is it a substitute for experience, no. But it does complement your
experience and if all your experience is only in one particular security
domain, it shows you that there are other security domains and they all
need to be considered together.

Yes, I would prefer to have externally audited orgs performing such
certifications that aren't profit driven; but outside of Universities,
they don't exist - and academic knowledge and real world knowledge are
two very different things.

ys

On 26/04/07, Simmons, James <jsimmons () eds com> wrote:

Yes, I agree about determining the pecking order, but what is a better
way of proving that you know something? Actually going out there and
demonstrating that you know it. Or taking some cheaply made test, that
no one knows how it was formed, as your validation?
I am not saying that certifications do not serve a purpose, but I have
found very few that are actually good enough to live up to that
purpose.
My example differs between vendor certs (CCNA, MCSE, etc.) and general
knowledge certs (CISSP, Security+, etc.)  The vendor certs are by far
superior (though expensive for no reason) because who would know the
subject matter better than the vendor.  The general knowledge certs are a
joke. What designates these people as experts? Both in the field that
the cert is focusing on, and in creating a meaningful cert?
In my rant off my link I make reference to the ASE certs for
Automotive technicians. ASE was formed by the major automakers of the
day to maintain an acceptable skill level. They employed psychologists,
professors, and other education experts to research and ensure that
their testing methods give an accurate portrayal of the skill level of
the individual. Do you honestly think that any of these companies have
put that much time and effort into their tests? These are start-up
companies that believe they can make some money off of trying to
pseudo-train individuals to do a complicated job. And companies are
trusting these "certified" professionals to protect them and conduct
business critical work on their systems.
And I am not saying that this is the case for everyone. Some very
intelligent, and capable individuals are getting the certs because
that is what will attract customers. They are not getting the certs to
learn anything new. They are getting them to prove that they know. And
at that point I question why these certs have to cost so much?
While every other question I see in this forum about certs is "I want
to learn about security, what is the cert I should go after?".
It is just a messed up system that really needs an overhaul.

Regards,

Simmons

--
Yousef Syed
"To ask a question is to show ignorance; not to ask a question, means
you remain ignorant" - Japanese Proverb