Security Basics mailing list archives
Re: Value of EC-CEH
From: Matt - MRS Security <matt () mrssecurity com>
Date: Wed, 10 Sep 2008 19:55:19 +0100
What you should be concentrating on is joining a pen-test company or a security consultancy company.
They will get you jobs, train you and look after you through thick and thin. Work for them for a couple of years, make contacts, understand the business, build customer relationships.
I have been in security for 10+ years now. I do not have CISSP or any major qualifications; however, I have on-the-job training and 10 years of previous experience to back me up.
Trying to break out by yourself with only qualifications and no experience except what you can say on paper but not back up with references will really not get you where you want quickly, and as Jon put it, companies get really pissed off with lamers.
Certs are great, and I get asked for them all the time. However, with the proof of previous employers and customers I get a lot better jobs than most CISSPs.
CISSP is an inch deep but a mile wide, as the favoured quote goes.

MRS.

Jon Kibler wrote:
NeZa wrote:
<SNIP!>
In my personal opinion, the most respected security certification in the world is CISSP, and I am not talking about if it is the best one or not; it is the one companies ask for.
<SNIP!>

Companies may ASK for a CISSP, but that is because they either don't know better, or are really really really slow learners, or both.

What I find time and time again is that a company brings in a CISSP to DO security and they find that their grandmother could DO just as much security as the CISSP they hired. So, they figure they just hired a lamer that is good at taking tests, but no good at DOing real-world security. When he/she finally really screws things up, the great CISSP gets canned. Now, they go looking for another CISSP. They are just as bad as the first one, so they fire them too. Now, it is once again time to find still another CISSP. And the cycle repeats ad nauseam. (Companies too often tend to follow 'shampoo instruction' hiring practices: Rinse. Lather. Repeat.)

The problem is that companies get stuck on the CISSP cert. Why? Just because that is the cert everyone else wants. "If we do what everyone else does, that can't get us in trouble. Right?" (It would be interesting to know how many of the major data breaches [Choice Point, TJX, etc.] had a CISSP doing their security, instead of someone with a more appropriate certification. My bet: All of them!)

Companies can't seem to figure out that it is the cert that is the issue, NOT the person. The person can't help it that they memorized a ton of near useless knowledge just to get a piece of paper. What companies NEED is someone with GIAC or CEH/LPT types of certs. Some are starting to figure that out. Just check Dice if you don't believe me.

As I have said before, CISSP is good for managers who need 'buzzword familiarity' but do not need to DO security. The problem is that the cert is misapplied to job descriptions more than it is not.

What would make CISSP a better cert? Instead of a generic 'x years of security experience' requirement (I say 'x', because 10 would be more appropriate than 5), require that they must have been DOing real-world hands-on security for 'x years', such as: O/S and network hardening, vulnerability assessments, penetration testing, incident response, forensics, and similar day-to-day security activities. If I had any say in the matter, I would also require a recognized hands-on cert, such as GIAC or CEH/LPT, as a prerequisite to taking the CISSP exam. I would also require CISSPs to actually DO security research, publish research papers in peer-reviewed journals, and present research at non-(ISC)2 security conferences. I would also require them to recertify at least every 5 years (3 would be even better).

Oh well, my $0.00001 worth.

(END OF RANT)

Jon Kibler

--
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC USA
o: 843-849-8214 c: 843-224-2494 s: 843-564-4224
My PGP Fingerprint is: BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253
Current thread:
- Value of EC-CEH Vin Oxious (Sep 04)
- Re: Value of EC-CEH Ryan Greenier (Sep 04)
- Re: Value of EC-CEH J. Oquendo (Sep 05)
- Re: Value of EC-CEH NeZa (Sep 08)
- Re: Value of EC-CEH Jon Kibler (Sep 08)
- Re: Value of EC-CEH Matt - MRS Security (Sep 10)
- Re: Value of EC-CEH J. Oquendo (Sep 05)
- Re: Value of EC-CEH Ryan Greenier (Sep 04)
- <Possible follow-ups>
- Re: Value of EC-CEH Yahoo (Sep 08)
- Re: Value of EC-CEH Yahoo (Sep 08)
- Re: Value of EC-CEH contact . fingers (Sep 08)