Dailydave mailing list archives
Re: Information security certifications diversity and getting lost
From: "Andre Gironda" <andreg () gmail com>
Date: Mon, 3 Sep 2007 21:40:26 -0500
On 9/3/07, Michael Myers <tehshape () info-pull com> wrote:

> The CISSP is the undisputed king of information security certifications.

Two reasons why: 1) the CBK (compare Business Analyst to Security Analyst); 2) the ethical sign-off.

> Currently, every now and then a security company starts pushing their employees towards certification programs. These are usually known for featuring insanely long exams, absurdly pedantic requirements and other kinds of doubtfully respectable necessities.

Instructional capital around a particular technology or subset, in order to denote specialization within a field. Microsoft, Oracle, and Cisco have their equivalents. These are meant to show domination in those areas of technology by making "learning easy", by providing a path to supposed excellence.

> We all know that there are several other certifications, but CISSP brings, without doubt, the very best. Be it a security operations manager, a field operative or some other kind of consulting freak, a CISSP will always deliver.

http://en.wikipedia.org/wiki/Business_Analyst

> The problem is that we end up with such a diverse, heterogeneous (no sexual connotations here) span of certifications that newcomers really don't know where to start.

There are too many security products/solutions. Thus, analyst-level knowledge is most important. Start with CISSP. Specialization areas include: pen-testing (OSSTMM), SDLC/code review (OWASP), auditing/compliance (CISA), and incident response (FIRST). Important areas such as vulnerability management, network security, and process improvement are currently wrapped up under compliance because they are all well-known. Eventually everything will be under the compliance umbrella. Everything else is too narrow, and quickly becomes "spoon-fed" information. Nobody needs a firewall (quick thoughts of Cisco PIX/ASA, CP on Nokia, Netscreen); what they need is network-level access control. Can a router or software firewall provide that? Nobody needs NAC; what they need is endpoint security. Can Vista and SSL provide that?

> My question for people out there is: is this madness _that_ necessary? Do we have a good reason for spending loads of budget on certification programs and wasting our companies' money in such investments?

Investments in individual capital (talent) that can build instructional capital (training) provide a better investment, especially over time. Instructional capital is cheapest when done in-house (Lunch 'n Learn). It is next most cheaply done at local, free events (OWASP, CitySec, 2600) or cheap local events (ISSA). Vendors sometimes offer local events on the cheap or free (Secure Software Forum from SPI). Next come the yearly local (or regional) conferences, specifically the cheap forty-to-eighty-dollar ones (ToorCon).

I think some certifications are great. One person at my local CitySec recently mentioned a reluctance to get CISSP because it was a lot to spend in one lump. Cheap certs are always possible: CCNA, MCSA, and ITSM being my top favorites (all under 150 dollars), and then possibly CWNA, Oracle, various Linux/Sun, and other Microsoft and Cisco specializations. Some certs are priced somewhere in between the basic level and CISSP, such as SANS, Security+, CEH, and the ones that promise "hacker" level skills. I encourage you to not waste your time on these.

BTW, training classes for certs are a complete waste of money... at least last I checked. If your company seeks higher levels of expertise and has the money, go with the NSA IAM / IEM classes/certs. Again, these certs provide analyst skills like CISSP, CISA, CISM, etc.

Lastly, there are forms of learning left completely unmentioned, such as "books". Every serious company will pay for their employees to have SafariBooksOnline Library access, full ACM (including Books24x7 access), Audible.com and an iPod, and a group spending account on Amazon or Bookpool. Want to measure something effective out of this spending? Lunch 'n Learns based on book reports.

> If certifications exist for ethical hackers, are we going to see certifications for unethical hackers anytime soon?

ImmunitySec has classes for such. I suppose a good certification measure for unethical hackers would be something akin to: "wrote Metasploit module x. Here is a sample" or "I was responsible for Code Red". It appears that the online organized crime recruitment methods follow the old Andersen Consulting logic of "hire the top 5% of the Ivy League right out of school". Why? Because they make good analysts! They have the money to pull these sorts of stunts off. Then they leverage these individuals to create instructional capital in the very same ways that I described above.

Cheers,
Andre

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
Current thread:
- Information security certifications diversity and getting lost Michael Myers (Sep 03)
- Re: Information security certifications diversity and getting lost Andre Gironda (Sep 03)
- Re: Information security certifications diversity and getting lost J.M. Seitz (Sep 04)
- Re: Information security certifications diversity and getting lost Security Admin (NetSec) (Sep 06)
- Re: Information security certifications diversity and getting lost Dave Aitel (Sep 10)
- Re: Information security certifications diversity and getting lost Thomas Ptacek (Sep 10)
- Re: Information security certifications diversity and getting lost Dave Aitel (Sep 10)
- Re: Information security certifications diversity and getting lost Andre Gironda (Sep 10)
- Re: Information security certifications diversity Lindley James R (Sep 10)
- Re: Information security certifications diversity and getting lost Weston, David (Sep 10)
- Re: Information security certifications diversity and getting lost nnp (Sep 10)
- Re: Information security certifications diversity and getting lost Paul Wouters (Sep 11)