Dailydave mailing list archives

Information security certifications diversity and getting lost


From: "Michael Myers" <tehshape () info-pull com>
Date: Mon, 3 Sep 2007 16:37:22 +0200

The CISSP is the undisputed king of information security
certifications. Currently, every now and then a security company
starts pushing their employees towards certification programs. These
are usually known for featuring insanely long exams, absurdly pedantic
requirements and other kinds of doubtfully respectable necessities.

We all know that there are several other certifications, but CISSP
brings, without doubt, the very best. Be it a security operations
manager, a field operative or some other kind of consulting freak, a
CISSP will always deliver.

The problem is that we end up with such a diverse, heterogeneous (no
sexual connotations here) span of certifications that newcomers
really don't know where to start. Thus, most people approaching a
prospective career in the information security industry feel prompted
to attempt the long way: getting every certification possible. This is
causing disruption by several means, for example with overly intrusive
e-mail signatures (not counting the pointless confidentiality
disclaimer that plagues us all), wasting quite some expensive network
traffic, as well as pine stack-based buffer overruns.

My question for people out there: is this madness _that_ necessary? Do
we have a good reason for spending loads of budget on certification
programs and wasting our companies' money in such investments?

Employees feel constrained since they might lose the certification
after quitting their jobs, surfing towards another employer as
intrusive and wasteful as the previous one, etc.

Last but not least, we have the eternal problem of evaluation
authorities: How are we supposed to trust a closed organization to
evaluate our hard-working employees? Are they skilled enough to
determine if our employee is worth his job? Are the operational needs
equal to the knowledge that these certifications require? Does a
potential attacker need to know what ISO standard describes security
guidelines for processing credit card operations?

Joseph shouts in the background: "Hey, they just need to know how
banks use DES for generating CVV numbers!". I shouldn't hear these
details or I will end up distrusting my edgy colleagues. But I'm pretty
sure the CISSP exam doesn't have such a question. Imagine: "Where does
the CVV of credit cards come from?"

a) The bank.
b) ISO-6667, XYZ-2000, PCI compliant security organization.
c) A DES generation system on card series-basis, using a key for each
bank branch, which once compromised leaves the poor taxpayers for
global fraud and spoliation of their monetary assets, covered by
insurance companies who boost these crimes for more profit.

Paraphrasing the Christian community: instead of Jesus, what would a CISSP do?

If certifications exist for ethical hackers, are we going to see
certifications for unethical hackers anytime soon? What if the mob and
shady underground organizations needed to certify that they are
employing the very best of the federal prison's Module 5? Will a
Certified Unethical Software Security Expert (CUSSE) certification
ever exist? "My name is Lincoln Six Echo, Certified Information
Insecurity Systems Professional".

Apparently a company already tried to start such a venture, although
it appears to be off-line, probably hacked by Islamic Jihad crackers:
http://64.233.183.104/search?q=cache:fItEgjbgRZQJ:cusse.org/+cusse.org
http://www.cusse.org

Regards,
-- 
Michael Myers - CISSP, CISA, HIV, GCIA, GSEC
Chief Security Officer (CSO) - Info-pull.com Inc.
"Serious business since the night I came home."
+1 (305) 374-8431 - Haddonfield, Illinois (USA).
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave