Re: Value of EC-CEH

[Matt - MRS Security <matt () mrssecurity com>]

What you should be concentrating on is joining a pen-test company or a 
security consultancy company.

They will get you jobs, train you and look after you through thick and thin.

Work for them for a couple of years, make contacts, understand the 
business, build customer relationships.

I have been in security for 10+ years now. I do not have CISSP or any 
major qualifications however i have on the job training and 10 years of 
previous experience to back me up.

Trying to break out by yourself with only qualifcations and no 
experience except what you can say on paper but not back up with 
references will really not get you where you want quick and as Jon put 
it companies get really pissed off with lamers.

Certs are great, and i get asked for it all the time. However, with the 
proof of previous employers and customers i get alot better jobs than 
most CISSP's.

CISSP is a inch deep, but a mile wide as the favoured quote goes.

MRS.

Jon Kibler wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> NeZa wrote:
> <SNIP!>
>   
> > In my personal opinion, the most respected security certification in
> > the world is CISSP, and i am not talking about if it is the best one
> > or not, it is the one Companies ask for.
> >
> >     
> <SNIP!>
>
> Companies may ASK for a CISSP, but that is because they either don't
> know better, or are really really really slow learners, or both.
>
> What I find time and time again is that a company brings in a CISSP to
> DO security and they find that their grandmother could DO just as much
> security as the CISSP they hired. So, they figure they just hired a
> lamer that is good at taking tests, but no good at DOing real-world
> security. When he/she finally really screws things up, the great CISSP
> gets canned.
>
> Now, they go looking for another CISSP. They are just as bad as the
> first one, so they fire them too. Now, it is once again time to find
> still another CISSP. And the cycle repeats ad. nauseam. (Companies too
> often tend to follow 'shampoo instruction' hiring practices: Rinse.
> Lather. Repeat.)
>
> The problem is that companies get stuck on the CISSP cert. Why? Just
> because that is the cert everyone else wants. "If we do what everyone
> else does, that can't get us in trouble. Right?" (It would be
> interesting to know how many of the major data breaches [Choice Point,
> TJX, etc.] had a CISSP doing their security, instead of someone with a
> more appropriate certification. My bet: All of them!)
>
> Companies can't seem to figure out it is the cert that is the issue, NOT
> the person. The person can't help it that they memorized a ton of near
> useless knowledge just to get a piece of paper.
>
> What companies NEED is someone with GIAC or CEH/LPT types of certs. Some
> are starting to figure that out. Just check Dice if you don't believe me.
>
> As I have said before, CISSP is good for managers who need 'buzzword
> familiarity' but do not need to DO security. The problem is that the
> cert is misapplied to job descriptions more than it is not.
>
> What would make CISSP a better cert? Instead of a generic 'x years of
> security experience requirement' (I say 'x', because 10 would be more
> appropriate than 5), require that they must be DOing real-world hands-on
> security for 'x years', such as: O/S and network hardening,
> vulnerability assessments, penetration testing, incident response,
> forensics, and similar day-to-day security activities.
>
> If I had any say in the matter, I would also require a recognized
> hands-on cert, such as GIAC or CEH/LPT as a prerequisite to taking the
> CISSP exam. I would also require CISSPs to actually DO security research
> and publish research papers in peer reviewed journals and present
> research at non-(ISC)2 security conferences. I would also require them
> to recertify at least every 5 years (3 would be even better).
>
> Oh well, my $0.00001 worth.
>
> (END OF RANT)
>
> Jon Kibler
> - --
> Jon R. Kibler
> Chief Technical Officer
> Advanced Systems Engineering Technology, Inc.
> Charleston, SC  USA
> o: 843-849-8214
> c: 843-224-2494
> s: 843-564-4224
>
> My PGP Fingerprint is:
> BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.8 (Darwin)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iEYEARECAAYFAkjFbIwACgkQUVxQRc85QlOf+wCePYzDCdswtXcJ1Om7tnN0Aggp
> Jz8AnRaXuxdVU2Kx059xCofuEDi6A737
> =S1KB
> -----END PGP SIGNATURE-----
>
>
>
>
> ==================================================
> Filtered by: TRUSTEM.COM's Email Filtering Service
> http://www.trustem.com/
> No Spam. No Viruses. Just Good Clean Email.
>
>