Security Basics mailing list archives
RE: IT Manager to CISO
From: Bob Radvanovsky <rsradvan () unixworks net>
Date: Mon, 02 May 2011 11:43:40 -0500
See comments below... -r

----- Original Message -----
From: "Sanchez, Gabriel" [mailto:gabriel.sanchez () secoenergy com]
To: 'Jeremi Gosney' [mailto:Jeremi.Gosney () motricity com], Jonathan Younie [mailto:jonnyp4lsec () gmail com], olufemimogaji () gmail com
Cc: security-basics () securityfocus com
Subject: RE: IT Manager to CISO
Well respected or not, CISSP continues to be what many companies look for to even get an interview.
** This is because many individuals who are responsible for hiring IT and IT/information security professionals at these companies/organizations are considered 'non-technical', and this represents the closest thing to matching a qualification on their checklist. The reason why the CISSP continues its popularity is because it is one of the longest running information security certifications to date.
Sure, if you're only book smart you will not last long anywhere.
** This goes for any certification, too.
However being able to show that you are able to obtain the CISSP and have a high level view of many concepts along with hands on experience goes a long way.
** Maybe...or maybe not. I have been in IT for over 30 years, IT/information security for over 20, and critical infrastructure for over 12. I come from the 'old school' method of computer science and information systems management - formal education (such as a college or university). One of the things that I have noticed over the years is that IT moves quickly - very, very quickly - so formal education may not be an option, as by the time you've learned what you needed to learn, it is already out-of-date at graduation time.

** A certification, on the other hand, tends to be reflective of the current technology, architecture and software that you are verifying that you know. As far as I am concerned, both methods are flawed in today's IT and IT/information security industries for a few reasons: (1) formal educational institutions still continue having difficulties adapting to newer technologies in a relatively quick period - some are doing better than others - but overall, most formal education institutions are struggling; (2) certifications (IMHO) do not demonstrate one's knowledge of something, but merely that you can take a test. I don't care how many people may say that I am wrong; by the time you've taken your certification, and a year (or two, or three) has lapsed, you won't know the material nearly as much, or as well, as you might have thought you did.
Respected or not, many CISSPs are making very good money, and many respected people I know on the SANS staff even have this certification.
** Many certified professionals do tend to make 30% (or more) more than those who are not certified. There have been studies conducted in recent years about this very topic (and I do believe that SANS did conduct a similar study/investigation on this very subject).

** However, many industry leaders of today have a certification because it has become the norm.
Putting a black mark on someone's resume based purely on having CISSP on it is ridiculous.
** Here's my attitude on many things today: certifications (IMHO) apply only if you're looking for work. If I were a hiring manager and had several candidates, I would consider certified-only individuals, provided that they could demonstrate to me their knowledge in whatever area I was looking to hire a capable individual for.

** Certifications aren't bad...but they're not good, either. Like anything else, they're a 'tool', and depending on how they're implemented and used, can be very useful, esp. for individuals who might not have a formal education.
-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Jeremi Gosney
Sent: Thursday, April 28, 2011 4:30 PM
To: Jonathan Younie; olufemimogaji () gmail com
Cc: security-basics () securityfocus com
Subject: RE: IT Manager to CISO

I wouldn't exactly call the CISSP well-respected -- it's respected within certain circles and among certain types of people. I tend to view the CISSP as a black mark on a resume. We don't really place a whole lot of weight on certifications to begin with, as there are very few that actually demonstrate practical knowledge / skill, but if CISSP is the only cert on the resume, it goes in the trash. If upper management is your goal, my advice would be to go for both GSLC and G2700 (hopefully your organization does ISO 27000). At least you will still have a soul after obtaining those.

________________________________________
From: listbounce () securityfocus com [listbounce () securityfocus com] on behalf of Jonathan Younie [jonnyp4lsec () gmail com]
Sent: Wednesday, April 27, 2011 5:21 PM
To: olufemimogaji () gmail com
Cc: security-basics () securityfocus com
Subject: Re: IT Manager to CISO

Femi,

From any standpoint, there's no comparing the two certifications. The Security+ exam is an entry level exam suitable for most people who are just entering the field. The CISSP is a well respected exam for people who are experienced and involved in designing and managing all forms of security at a high level. In fact, the certification requires being vouched for by other certified CISSPs and demonstration of numerous years of InfoSec related experience. It covers a broad spectrum of information and demonstrates a knowledge of industry standards rather than singular products or philosophies. Another exam you might consider is the Certified Information Security Manager (CISM) offered by ISACA [http://www.isaca.org/Certification/CISM-Certified-Information-Security-Manager/Pages/default.aspx].
This is an exam designed for high level security managers who have to cover all realms of security from a technical and administrative aspect. Both of those are hard for anyone to scoff at. Hope that helps.

Jonathan Younie

On 4/27/2011 4:37 AM, olufemimogaji () gmail com wrote:

Hi all,

I'm currently the de facto IT manager for a small IT services firm. The nature of our business requires that we follow PCI standards as per logical security. Here's the thing: the CISO is leaving next month, and I've been told I'll be taking his position. I already have a lot of exposure to info sec; I have a CCNP (the former version with ISCW) and I'm an MCP (Active Directory for WS 2008). What I need to know is what cert I should go out there and get to make me more cemented in this new CISO role, at least to keep the auditors happy, as they sometimes like to question your competence. The outgoing CISO, even though he was trained by some of our partners, had NO certs, and this exposed him to uncomfy questions from hard nosed auditors. Security+ or CISSP exam? Or any others? Any form of guiding light will be highly appreciated.

Regards,
Femi M.

Sent from my BlackBerry(r) Smartphone

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.
http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------
Current thread:
- RE: IT Manager to CISO Sanchez, Gabriel (May 02)
- <Possible follow-ups>
- Re: IT Manager to CISO Mitchell Rowton (May 02)
- RE: IT Manager to CISO Bob Radvanovsky (May 02)