RE: Value of certifications

["Jones, David H" <Jones.David.H () principal com>]

Hi,

Long time reader, first time poster.

I just want to chime in (even though this horse is now glue).  I'm torn
on certs.  First, the good side of them:

Years ago, having only a couple of years of network experience under my
belt, I took a 40 hour CCNA course before taking the exam.  There was a
lot of class work, a lot of questions, and plenty of hands on lab
exercises.  I learned a *lot* from that class, and not just stuff to
help me pass the exam.  Practical stuff I was able to apply in the real
world.  The exam itself also focused on real-world scenarios.  Although
some questions were inane (What is the correct enable prompt, for
example), most of the questions were geared towards knowledge you would
use in actual network related work.

Through the years, I've touched on security in various fashion, and the
past 4+ years I've been in a strictly security-based role.

Recently, I went through a C|EH exam book.  While I was familiar with
several concepts in the book, I never actually saw or experienced some
of the activity laid out in the material.  Due to curiosity, I tried out
a lot of the "hacks" in the book.  Again, I'd say I learned quite a bit,
from an "inner workings" standpoint.  I don't think the technical
knowledge was as good as the CCNA coursework I had, but I also have more
experience in security than I had in networking when I went through the
CCNA.

Which brings us to now.  I didn't do the college thing, and looking
forward to when I may want to move on in the job market, it seems that
everyone wants the CISSP.  I ran through a practice exam someone had
here at the office.  It seemed like more of the questions were akin to a
history exam.  "Who developed the 'China Wall' theory?"  Who cares?
"What is associated with the Clark-Wilson security model?"  Who cares?
What kind of vehicle barriers should be installed?  Not much use to a
pen tester.  So much of the exam is geared towards non-technical issues.
I understand the need to have a basic understanding of, let's say, some
law issues in the case of forensics, but we have a law department that
does policies and such.  Physical security?  Not handled by the
Information Security department.  I'm not responsible for installing
"whichever windows are more secure" in the building, and as far as I
know, our department is never contacted for input.

So, since I have to learn about all these other aspects of stuff, the
physical security for example, shouldn't our physical security people
also be required to have a CISSP?  I'd like to see all of our security
guards have that! :)

An inch deep and a mile wide is a pretty good description of the CISSP.
For all the time and effort, and the cost of the exam, with maybe 30-40%
of the material being relevant to the work I do... I just don't know
that it's worth my time.  But everyone (the employers) wants it.

So, to summarize, from a knowledge aspect:  Some certs = good (you can
learn useful stuff), Some certs = bad (you'll just memorize useless
facts to pass the exam).


-----Message Disclaimer-----

This e-mail message is intended only for the use of the individual or
entity to which it is addressed, and may contain information that is
privileged, confidential and exempt from disclosure under applicable law.
If you are not the intended recipient, any dissemination, distribution or
copying of this communication is strictly prohibited. If you have
received this communication in error, please notify us immediately by
reply email to Connect () principal com and delete or destroy all copies of
the original message and attachments thereto. Email sent to or from the
Principal Financial Group or any of its member companies may be retained
as required by law or regulation.

Nothing in this message is intended to constitute an Electronic signature
for purposes of the Uniform Electronic Transactions Act (UETA) or the
Electronic Signatures in Global and National Commerce Act ("E-Sign")
unless a specific statement to the contrary is included in this message.

While this communication may be used to promote or market a transaction
or an idea that is discussed in the publication, it is intended to provide
general information about the subject matter covered and is provided with
the understanding that The Principal is not rendering legal, accounting,
or tax advice. It is not a marketed opinion and may not be used to avoid
penalties under the Internal Revenue Code. You should consult with
appropriate counsel or other advisors on all matters pertaining to legal,
tax, or accounting obligations and requirements.