Security Basics mailing list archives

RE: IT Manager to CISO


From: Bob Radvanovsky <rsradvan () unixworks net>
Date: Mon, 02 May 2011 11:43:40 -0500

See comments below...

-r

----- Original Message -----
From: "Sanchez, Gabriel" [mailto:gabriel.sanchez () secoenergy com]
To: 'Jeremi Gosney' [mailto:Jeremi.Gosney () motricity com], Jonathan Younie [mailto:jonnyp4lsec () gmail com], 
olufemimogaji () gmail com
Cc: security-basics () securityfocus com
Subject: RE: IT Manager to CISO


Well respected or not, CISSP continues to be what many companies look for to
even get an interview.

** This is because many individuals who are responsible for hiring IT and IT/information security professionals at 
these companies/organizations are considered 'non-technical', and this represents the closest thing to matching a 
qualification on their checklist.  The reason why the CISSP continues its popularity is because it is one of the 
longest running information security certifications to date.

Sure, if you're only book smart you will not last long
anywhere.

** This goes for any certification, too.

However being able to show that you are able to obtain the CISSP
and have a high level view of many concepts along with hands on experience
goes a long way.

** Maybe...or maybe not.  I have been in IT for over 30 years, IT/information security over 20, and critical 
infrastructure over 12.  I come from the 'old school' method of computer science and information systems management - 
formal education (such as a college or university).  One of the things that I have noticed over the years is that IT 
moves quickly - very, very quickly - so formal education may not be an option, as by the time you've learned what you 
needed to learn, it is already out-of-date at graduation time.

** A certification, on the other hand, tends to be reflective of the current technology, architecture and software that 
you are verifying that you know.  As far as I am concerned, both methods are flawed in today's IT and IT/information 
security industries for a few reasons: (1) formal educational institutions still continue having difficulties adapting 
to newer technologies in a relatively quick period - some are doing better than others - but overall, most formal 
education institutions are struggling; (2) certifications (IMHO) do not demonstrate one's knowledge of something, but 
merely that you can take a test.  I don't care how many people may say that I am wrong; by the time you've taken your 
certification, and a year (or two, or three) has lapsed, you won't know the material nearly as much, or as well, as you 
might have thought you did.

Respected or not, many CISSPs are making very good money,
and many respected people I know on the SANS staff even have this
certification. 

** Many certified professionals do tend to make 30% (or more) more than those who are not certified.  There have been 
studies conducted in recent years about this very topic (and I do believe that SANS did conduct a similar 
study/investigation on this very subject).

** However, many industry leaders of today have a certification because it has become the norm.

Putting a black mark on someone's resume based purely on
having CISSP on it is ridiculous. 

** Here's my attitude on many things today: certifications (IMHO) apply only if you're looking for work.  If I were 
a hiring manager and had several candidates, I would consider certified-only individuals, provided that they could 
demonstrate to me their knowledge in whatever area I was looking to hire a capable individual for.

** Certifications aren't bad...but they're not good, either.  Like anything else, they're a 'tool', and depending on 
how they're implemented and used, can be very useful, esp. for individuals who might not have a formal education.


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Jeremi Gosney
Sent: Thursday, April 28, 2011 4:30 PM
To: Jonathan Younie; olufemimogaji () gmail com
Cc: security-basics () securityfocus com
Subject: RE: IT Manager to CISO

I wouldn't exactly call the CISSP well-respected -- it's respected within
certain circles and among certain types of people. I tend to view the CISSP
as a black mark on a resume. We don't really place a whole lot of weight on
certifications to begin with as there are very few that actually demonstrate
practical knowledge / skill, but if CISSP is the only cert on the resume, it
goes in the trash.

If upper management is your goal, my advice would be to go for both GSLC and
G2700 (hopefully your organization does ISO 27000). At least you will still
have a soul after obtaining those.

________________________________________
From: listbounce () securityfocus com [listbounce () securityfocus com] on behalf
of Jonathan Younie [jonnyp4lsec () gmail com]
Sent: Wednesday, April 27, 2011 5:21 PM
To: olufemimogaji () gmail com
Cc: security-basics () securityfocus com
Subject: Re: IT Manager to CISO

Femi,

From any standpoint, there's no comparing the two certifications. The
Security+ exam is an entry level exam suitable for most people who are
just entering the field. The CISSP is a well respected exam for people who
are experienced and involved in designing and managing all forms of security
at a high level. In fact, the certification requires being vouched for by
other certified CISSPs and demonstration of numerous years of InfoSec
related experience. It covers a broad spectrum of information and
demonstrates a knowledge of industry standards rather than singular products
or philosophies. Another exam you might consider is the Certified
Information Security Manager (CISM) offered by ISACA
[http://www.isaca.org/Certification/CISM-Certified-Information-Security-Manager/Pages/default.aspx].
This is an exam designed for high level security managers who have to cover
all realms of security from a technical and administrative aspect.
Both of those are hard for anyone to scoff at.

Hope that helps.
Jonathan Younie


On 4/27/2011 4:37 AM, olufemimogaji () gmail com wrote:
Hi all,

I'm currently the de facto IT manager for a small IT services firm. The
nature of our business requires that we follow PCI standards as per logical
security. Here's the thing: the CISO is leaving next month, and I've been
told I'll be taking his position. I already have a lot of exposure to info
sec; I have a CCNP (the former version with ISCW) and I'm an MCP (Active
Directory for WS 2008). What I need to know is what cert I should go out
there and get to make me more cemented in this new CISO role, at least to
keep the auditors happy, as they sometimes like to question your competence.
The outgoing CISO, even though he was trained by some of our partners, had
NO certs, and this exposed him to uncomfy questions from hard-nosed
auditors. Security+ or CISSP exam? Or any others? Any form of guiding light
will be highly appreciated.

Regards,

Femi M.




Sent from my BlackBerry(r) Smartphone


------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate In this guide we
examine the importance of Apache-SSL and who needs an SSL certificate.  We
look at how SSL works, how it benefits your company and how your customers
can tell if a site is secure. You will find out how to test, purchase,
install and use a thawte Digital Certificate on your Apache web server.
Throughout, best practices for set-up are highlighted to help you ensure
efficient ongoing management of your encryption keys and digital
certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------
