Security Basics mailing list archives

RE: CISSP Question


From: "Simmons, James" <jsimmons () eds com>
Date: Wed, 9 May 2007 12:43:53 -0500

And that is a particularly special case also. If you have to go in front
of a jury and prove your validation, that is a valid reason. I knew a
professor that did the same thing.  The only reason he was still a
professor is because he believed that it showed that he not only knew
his stuff, but he knew it enough to teach the next generation. If you
are having to deal with image to the general unknowing populace, then of
course it makes sense to get a full plumage of alphabets behind your
name. It is the association that extra words tacked on to your name
convey importance. It is to stand out, and convey yourself as important
next to others. 

Also I would have to argue that if you hire someone who isn't already
constantly training and learning (especially in the IT field, with its
rate of change), and who needs a certification to force them, they were
not a good choice in hiring.

Regards,

Simmons

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Craig Wright
Sent: Tuesday, May 08, 2007 5:26 PM
To: Simmons, James; security-basics () securityfocus com
Subject: RE: CISSP Question

As a pointy haired manager, it demonstrates that staff are continuing to
learn. As a manager, I find that this demonstrates commitment and
involvement. At times I will have those doing the training and
certification present what they have covered to the group (I know I am
mean and nasty). As terrible as it may seem there are always those who
state that they have been studying, but don't (though the threat of
having to stand in front of your peers can be a good control).

Being able to point out editorial positions, papers etc is valuable I
admit, but you can still do the cert and the other. 

A part of my role comprises digital forensic engagements. So having
staff gain credentials is good. More the merrier, as this helps impress
jurists and clients. You get a lot further with a list of certs than
industry networking when you are associating with those who have no
involvement with IT security.

Regards,
Craig



Craig Wright
Manager of Information Systems

Direct +61 2 9286 5497
Craig.Wright () bdo com au
+61 417 683 914

BDO Kendalls (NSW)
Level 19, 2 Market Street Sydney NSW 2000 GPO BOX 2551 Sydney NSW 2001
Fax +61 2 9993 9497 www.bdo.com.au

Liability limited by a scheme approved under Professional Standards
Legislation in respect of matters arising within those States and
Territories of Australia where such legislation exists.

The information in this email and any attachments is confidential.  If
you are not the named addressee you must not read, print, copy,
distribute, or use in any way this transmission or any information it
contains.  If you have received this message in error, please notify the
sender by return email, destroy all copies and delete it from your
system. 

Any views expressed in this message are those of the individual sender
and not necessarily endorsed by BDO Kendalls.  You may not rely on this
message as advice unless subsequently confirmed by fax or letter signed
by a Partner or Director of BDO Kendalls.  It is your responsibility to
scan this communication and any files attached for computer viruses and
other defects.  BDO Kendalls does not accept liability for any loss or
damage however caused which may result from this communication or any
files attached.  A full version of the BDO Kendalls disclaimer, and our
Privacy statement, can be found on the BDO Kendalls website at
http://www.bdo.com.au or by emailing administrator () bdo com au.

BDO Kendalls is a national association of separate partnerships and
entities.

-----Original Message-----

From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Simmons, James
Sent: Wednesday, 9 May 2007 5:47 AM
To: security-basics () securityfocus com
Subject: CISSP Question

>> Being that they have stated that employment as an Operator etc. is
>> not considered as valid experience, I would state that I feel that
>> this would be a role where there is some management, design,
>> consulting or other similar activity involved.

So if you already have 4 years of experience in management, or design,
or consulting, what is the value of the CISSP? You are already doing the
job that most people getting the certification are aiming for. Now
of course this is the majority case, as there are people who get the cert
for other reasons. 
But this is all my point.
http://www.securityfocus.com/archive/105/466897/30/210/threaded
Experience in doing the projects, actually getting involved in the
industry on your own, is the better way to spend your money than getting
a certification.

And here we arrive back at the beginning.

Regards,

Simmons

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Craig Wright
Sent: Monday, May 07, 2007 3:41 PM
To: Simmons, James
Cc: security-basics () securityfocus com
Subject: RE: CISSP Question

I would look at this from the perspective of several of the ISC2
comments. Being that they have stated that employment as an Operator
etc. is not considered as valid experience, I would state that I feel
that this would be a role where there is some management, design,
consulting or other similar activity involved.

That is - not just going through the motions as set by another, but
actually having input into the process.

As for what the ISC2 would do, this is up to them. They have options,
but they have to have these weighed against the alternatives. These are
the repercussions of dismissing people against the value of the
certificate. So it is a matter of degree, I would hazard to guess.

Regards,
Craig


-----Original Message-----

From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Simmons, James
Sent: Tuesday, 8 May 2007 2:48 AM
To: Craig Wright
Cc: security-basics () securityfocus com
Subject: RE: CISSP Question

Craig,
I have to say, that was a well written argument. It is so refreshing to
debate with someone who actually understands the importance of including
references.

And many of your arguments I just cannot argue with. And you do make
very good points. I guess the mindset from which all this began was the
definition of professional experience that ISC2 is requiring. I
guess a more proper question would be, "What is ISC2 qualifying as
professional experience?" 
My first assumptions were based on definitions and ideas on the
difference between an amateur and a professional. An amateur is more of a
hobbyist, whereas a professional is making a living based on the quality
of their work.

I was also speaking from a platform that they are allowing any sort of
experience within the ten domains. I have come to this conclusion based
on personal contact with individuals that I have worked or currently work
with who have already been audited. Though granted I was not involved in
the process, and cannot say for certain the mood or perceived mindset of
the auditors, I can only draw my conclusions from conversations with
individuals where experience in military, enlisted IT staff, and other
minor non-managerial roles was sufficient to obtain the CISSP. (Of which,
you can make an argument about enlisted individuals having some
leadership / manager experience based on rank and role. But that is
another thread altogether.)

So I guess ultimately this question is just one based on perception and
risk analysis. If you think one way and are willing to take the risk for
a higher paying job, then go for it.  
I am curious though, as to how certain companies would react.  An
individual is hired, they obviously passed the test, and have been
working for a company for x months, only to be told that there was a
mistake regarding what ISC2 regards as experience.
Plus, would ISC2 revoke the entire cert, or just bump the individual
down to an associate? 
Either way, this has been an interesting debate.

Regards,

Simmons
