Dailydave mailing list archives

RE: Weird question (off topic one)


From: "Paul Melson" <pmelson () gmail com>
Date: Tue, 6 Sep 2005 09:28:33 -0400

I was listening to NPR last week and heard Terry Gross interview Ice-T, and
something he said made me flash back to this thread (and a handful of other
conversations I've had recently about the relative value of infosec certs
like CISSP and others).  He said, "game knows game."  Which is essentially
what you said.  If you're well-versed in a particular subject, you have
relatively little trouble determining whether another person is also
knowledgeable in that same subject.

The Catch-22 for organizations seeking to outsource expertise -- and
managers hoping to "pick the right pony" to make their projects succeed --
is that, if they had the knowledge necessary to find knowledgeable people,
they wouldn't need those knowledgeable people.  This isn't special to the
field of infosec, or even the IT field as a whole.  But it's the premise on
which almost all certification programs are ultimately based, and why flaws
in those certification programs are exploited for personal gain.

So, to borrow a metaphor from Ice-T's lingo, many companies are white kids
from the suburbs who are buying fake-gangsta-rap advice from
fake-gangsta-rapper consultants.

PaulM (OG)

________________________________
Subject: Re: [Dailydave] Weird question (off topic one)


Personally I go on professional reputation (i.e. someone I trust said that
they are a security professional and can be trusted), and on available
code/documentation/presentations (one great reason to do conferences, you
can get your name out in a specific subject field) and so on. Unfortunately
this severely cripples the reputation of all the "internal" information
security people who work in the bowels of a large firm whose work is never
made public, but usually if you chat with them for more than a few minutes
you can figure out where they are in the food chain so to speak.

