Security Basics mailing list archives

RE: CISSP Question


From: "David Harley" <david.a.harley () gmail com>
Date: Wed, 16 May 2007 11:32:12 +0100

> Simmons, in your defense I must say that the cert sponsors
> and supporters seem to be quite exaggerated in their
> defensive postures. You're probably also right in inferring
> that there must be some reasons for the fear of an open and
> engaged dialog over the value of these certificates.

There's a difference between "open and engaged dialog" and mudslinging.
We've engaged in that dialogue over many days now. It's the innuendo about
SANS and (ISC)2 that's irritating me, not the discussion of cert values. I
just happen to feel that the innuendo has been introduced as an indirect
attack on certification, and even if there's any truth in it, that doesn't
affect the discussion I -thought- we were having.

> For example,
> when I passed my CISSP exam, several years ago, it was
> already well established that buffer overflows were the
> largest source of hostile system compromises, yet the topic
> was then, and continues to today, grossly ignored.

I'm not sure that buffer overflows are the only game in town. :) But the
exam by itself is not and cannot be a complete measure of knowledge. Heck,
it hardly covers my specialisms at all, though the quality of the questions
relating to some of them has lifted a bit in recent years.

> But these are the discussions the industry should be having
> about certs - what do they cover, how rigorously are topics
> addressed, what competencies are really measured? They ARE
> flawed. They NEED improvement. But that's what we should ALL
> be trying to do because they're still all we have to work
> with, for now.

Agreed. 100%. So let's look at the real issues, not straw-man arguments
about who's making a profit.

> I hope your effort to raise a meaningful dialog will continue
> but remember there are deeply rooted vested interests and
> certainly a reasonable level of defensiveness with every
> certification community.

Please. I don't represent (ISC)2, and I've never "needed" the qualification
personally, though I'm certainly not ashamed of it. What vested interests do
I have?

I've said most of this before, but I'll say it once more and then I really
am done. 
* CISSP ain't perfect, but it seems to me that it's an honest and valid
attempt to measure experience and knowledge for certain kinds of job
(management rather than technical, in many cases). No cert is a substitute
for experience (or common sense). I'm not banging the drum for CISSP in
particular: it's a reasonable measure of broad experience, whereas GIAC
certs are usually a better test of knowledge in one area, and don't require
experience. Neither is "better" than the other, and there are many other
perfectly valid certs - horses for courses. I'd be happy to go on discussing
that practically anywhere, but not in this thread, because I think the value
of the discussion has been seriously devalued by the pursuit of one person's
agenda.
* Many of the problems with certification are not with the certifying
process per se, but with the misconceptions of employers who use them as
applicant evaluation criteria. But that's true in many areas that have
nothing to do with security. 
* I'm not saying that cert holders are automatically better than
non-holders. I am saying that remarks about cert holders being purely
self-interested and wanting letters after their name to prove their own
importance are unfair and unhelpful. And that dark mutterings about scams
and profiteering muddy the waters without adding any value to the debate
about what a cert is worth in real terms. 

Certs don't have to be about job hunting. They can be about personal
development in much broader terms. They don't have to be about self-interest
at all. 

Why do highly qualified people like Craig with highly responsible jobs
subscribe to a list called security-basics? Because they need the
information? Well, there's always more to learn, sometimes from unexpected
sources, but a lot of the issues discussed here are - well, basic. There are
other resources for sharing highly specialized info. So maybe such people
have primarily altruistic motives, like sharing information and even their
expertise. That doesn't mean people who don't have multiple certs and
high-octane jobs should fall down and worship them, or believe everything
they say, and never argue. But it's a poor reason for assuming that they're
trying to keep the pie all to themselves.

EOT. As far as I'm concerned. Though I welcome rational discussion offline.

-- 
David Harley CISSP, Small Blue-Green World
Security Author/Editor/Consultant/Researcher
AVIEN Guide to Malware:
http://www.smallblue-greenworld.co.uk/pages/avienguide.html
Security Bibliography:
http://www.smallblue-greenworld.co.uk/pages/bibliography.html