Dailydave mailing list archives
Information security certifications diversity and getting lost
From: "Michael Myers" <tehshape () info-pull com>
Date: Mon, 3 Sep 2007 16:37:22 +0200
The CISSP is the undisputed king of information security certifications. Currently, every now and then a security company starts pushing its employees towards certification programs. These are usually known for featuring insanely long exams, absurdly pedantic requirements and other kinds of doubtfully respectable necessities. We all know that there are several other certifications, but CISSP brings, without doubt, the very best. Be it a security operations manager, a field operative or some other kind of consulting freak, a CISSP will always deliver.

The problem is that we end up with such a diverse, heterogeneous (no sexual connotations here) span of certifications that newcomers really don't know where to start. Thus, most people approaching a prospective career in the information security industry feel prompted to attempt the long way: getting every certification possible. This is causing disruption by several means, for example with overly intrusive e-mail signatures (not counting the pointless confidentiality disclaimer that plagues us all), wasting quite some expensive network traffic, as well as pine stack-based buffer overruns.

My question for people out there is: is this madness _that_ necessary? Do we have a good reason for spending loads of budget on certification programs and wasting our companies' money on such investments? Employees feel constrained since they might lose the certification after quitting their jobs, surfing towards another employer as intrusive and wasteful as the previous one, etc.

Last but not least, we have the eternal problem of evaluation authorities: how are we supposed to trust a closed organization to evaluate our hard-working employees? Are they skilled enough to determine if our employee is worth his job? Are the operational needs equal to the knowledge that these certifications require? Does a potential attacker need to know which ISO standard describes security guidelines for processing credit card operations?

Joseph shouts in the background: "Hey, they just need to know how banks use DES for generating CVV numbers!". I shouldn't hear these details or I will end up distrusting my edgy colleagues. But I'm pretty sure the CISSP exam doesn't have such a question. Imagine: "Where does the CVV of credit cards come from?"

a) The bank.
b) ISO-6667, XYZ-2000, PCI compliant security organization.
c) A DES generation system on a card-series basis, using a key for each bank branch, which once compromised leaves the poor taxpayers open to global fraud and spoliation of their monetary assets, covered by insurance companies who boost these crimes for more profit.

Paraphrasing the Christian community, instead of Jesus: what would a CISSP do? If certifications exist for ethical hackers, are we going to see certifications for unethical hackers anytime soon? What if the mob and shady underground organizations needed to certify that they are employing the very best of the federal prison's Module 5? Will a Certified Unethical Software Security Expert (CUSSE) certification ever exist? "My name is Lincoln Six Echo, Certified Information Insecurity Systems Professional".

Apparently a company already tried to start such a venture, although it appears to be off-line, probably hacked by Islamic Jihad crackers:
http://64.233.183.104/search?q=cache:fItEgjbgRZQJ:cusse.org/+cusse.org
http://www.cusse.org

Regards,

--
Michael Myers - CISSP, CISA, HIV, GCIA, GSEC
Chief Security Officer (CSO) - Info-pull.com Inc.
"Serious business since the night I came home."
+1 (305) 374-8431 - Haddonfield, Illinois (USA).