Security Basics mailing list archives

RE: CISSP Question


From: "Ken Kousky" <kkousky () ip3inc com>
Date: Tue, 15 May 2007 20:14:18 -0400

Simmons, in your defense I must say that the cert sponsors and supporters
seem to be quite exaggerated in their defensive postures. You're probably
LAO right in inferring that there must be some reasons for the fear of an
open and engaged dialog over the value of these certificates.

In many critical professions licensing or some form of certification serves
as a vital policing mechanism. Barbers, bug sprayers and even dog groomers
in many states must go through a licensing process so it seems inevitable
that such a process will be institutionalized for computer security.

As professional members of this community we all benefit by trying to
positively influence this process. In most economic studies it's been
clearly demonstrated that licensing serves to raise salaries in the
"protected" field - and that's just what economists consider them -
protectionism.

One objective strongly supported by the DoD was that the certifications they
mandated (for their own personnel - see DoD Directive 8570.1) have ANSI
accreditation. This process forces a Chinese Wall between the efforts to sell
prep programs and access to exam materials and guides. Many of the
certifications have pursued this standard (while still having ample violations
to address). 

By itself the ANSI standard doesn't go far enough in forcing an open
criteria or review of the exam basis. For example, when I passed my CISSP
exam, several years ago, it was already well established that buffer
overflows were the largest source of hostile system compromises, yet the
topic was then, and continues to today, grossly ignored. 

But these are the discussions the industry should be having about certs -
what do they cover, how rigorously are topics addressed, what competencies
are really measured? They ARE flawed. They NEED improvement. But that's what
we should ALL be trying to do because they're still all we have to work
with, for now.

I hope your effort to raise a meaningful dialog will continue but remember
there are deeply rooted vested interests and certainly a reasonable level of
defensiveness with every certification community.

Keep up the discourse, from it, a better program can be forged. 

Regards

KWK
-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Simmons, James
Sent: Tuesday, May 15, 2007 1:45 PM
To: david.a.harley () gmail com
Cc: security-basics () securityfocus com
Subject: RE: CISSP Question

Have I ever said anything specific about everyone who has a CISSP?
Please present my quote. I understand that people will do what they can
to obtain work, make more money, whatever.  I have never said anything
against that. My WHOLE point is that this industry is placing too much
emphasis on certifications, and that a lot of them are flawed or
suspect. That is where all this started. If anyone has found anything
that I say insulting, then they are just projecting my words upon
themselves for no reason. I have stated scenarios where unqualified
individuals see these certifications as a fast track to more money. Did
that hit a nerve with you? Do you perceive yourself as one of those, so
you take offence? 
I have stated that HR uses certification as a cookie cutter
qualification for filling positions. Are you HR? Did you take offence to
that? Maybe it was my point that a lot of management do not understand
what to look for in a certification, and thus go with the most popular.
Are you guilty of this? Is this why you think I am attacking you?

I am not attacking any one person, because honestly I do not care about
your personal life. I am looking to raise some questions, feel out the
community, and obtain different points of view. I have received a lot of
good e-mails from people, and a few varied responses. I have run into
very few people who are actually willing to defend certifications, let
alone engage in a discussion about the validity of them. I am pointing
out oddities I see in the industry. You can either correct them if you
have the proof or the reasoning, or you can add in your own opinions and
start a civilized discussion/debate. 

I know nothing of anyone on this forum, just as little as anyone on this
forum knows about me. I am not here for friends. I am here to
have a civilized discussion, and get the viewpoints of the people that
frequent this mailing list. That is the purpose of this mailing list. If
your skin is too thin, so that you take these comments as personal
attacks, then maybe the tubes are not a place for you. 
And again I will quote myself since no one seems to want to read it:
"Since I will have to send off and wait for the tax information, I
cannot say much at this time in the way of where the money is going."

The figures I quoted are called estimates. They were presented to
continue the discussion until I can obtain the final numbers. But
instead of anyone trying to correct the estimate, I am berated for not
using the real number, which I, time and time again, say that I am
trying to obtain. I am not saying that I am leaving it up to anyone else
to obtain for me (because honestly I would not trust anyone else's
numbers without a reputable source link anyway). I am just pointing out
that instead of attacking me someone can continue the conversation with
a rebuttal, be it with actual figures or corrected estimates.

I have enjoyed and learned a lot from this discussion based on the
positive feedback. David, I have to say that I am not attacking you
personally and if you perceive it that way, then I can only hope that
you will understand that it is not my intention. 
If anyone finds anything wrong with what I say, then I encourage them to
write me offline and I will write a retraction, or at least address the
issue and try to make my point clear against misunderstandings. In fact
I am still waiting for my retraction to be posted where I misquoted $30
million annually, when it is really $5 million annually in dues
alone.

I need you to understand that I am not attacking anyone that has the
certifications. They are doing what they believe they need to. That is
understandable if not noble. It is just the whole idea of the group
mentality: I am attacking something that you are a part of, and so by
association you believe that I am attacking you. I am not. There is no
innuendo, just estimates. If you have a problem with my estimates, then
present your own. I tried to present them fairly in that I did not
account for a lot of the money that is coming in.  I did that as an
offset. 

So I hope we can continue this discussion, because I value the other
side's input. It prepares me for the presentation / debate I will be
submitting. So I am looking for someone to put holes in my argument, and
not make it a personal battle. 

Regards,

Simmons

-----Original Message-----
From: David Harley [mailto:david.a.harley () gmail com] 
Sent: Tuesday, May 15, 2007 9:58 AM
To: Simmons, James; 'Craig Wright'
Cc: security-basics () securityfocus com
Subject: RE: CISSP Question

As I stated before, the $24 million was a gross UNDER estimate. You can
easily see where I was disclosing my figures, where I was making
the UNDER estimates, and how in reality they would come out to far
more than I quoted. If you have an issue with my figures, then refute
them.

I know, I said I had nothing to add to this discussion, but this is
ridiculous. 

If I do have anything, it isn't a defence of (ISC)2. If you believe that
their claim to be a non-profit organization is dishonest, it's up to you
to prove it with real figures: it's not up to Craig or myself to
disprove it: I have other priorities. If you want to know about their
finances, there are better ways than posting here. Innuendo is not
debate. 

Making unsubstantiated allegations against SANS and (ISC)2 doesn't prove
anything about the value of any of their certs, and I'm tired of being
dissed, directly or obliquely, because I hold one of them.

--
David Harley CISSP, Small Blue-Green World Security
Author/Editor/Consultant/Researcher
AVIEN Guide to Malware:
http://www.smallblue-greenworld.co.uk/pages/avienguide.html
Security Bibliography:
http://www.smallblue-greenworld.co.uk/pages/bibliography.html