Dailydave mailing list archives

Re: Information security certifications diversity and getting lost


From: "Andre Gironda" <andreg () gmail com>
Date: Mon, 10 Sep 2007 17:07:07 -0500

On 9/10/07, Dave Aitel <dave () immunityinc com> wrote:
> We passed out "Not a CISSP" buttons at DefCon and they were a
> big hit. To get one you had to not have CISSP on your business card
> though.

Did you have to have a business card to get a button?

What's wrong with CISSP?  I read through all 900 possible questions a
few times over the years and it doesn't seem that bad.  It doesn't
make you a security expert in anything, but it allows you to
"talk-the-talk" using meaningful definitions.

My biggest gripe with the CISSP is not with the CISSP itself but
instead with anyone who would make it a requirement.  I have the same
gripe with high school or any diploma/degree requirements.  Heck, I
have the same problem with "years of experience".  Interview the
people (or accept their RFP response) and ask them the right
questions.  Hire or no hire.

> I would say the problem with the CISSP is "irrelevance" but that's
> just me.

How is this a response to Tom's very valid questions?  How and why is
CISSP irrelevant?  Please explain.

> Thomas Ptacek wrote:
>> How do you plan on solving the problems the CISSP has?
>>
>> 1. People will "teach to the test".
>> 2. Certs get stale fast.
>> 3. Cert businesses are high-overhead, but the IP for a cert is hard
>> to protect (if your cert is going to be fair and meaningful).

This quickly becomes a catch-22.  An organization focused on
certification material is attempting to do two things:
1) Teach people how to learn their solutions in a standardized way so
that they can be tested in a standardized way
2) Get knowledge of their product out there and available in trade
magazines, whitepapers, articles, and even blogs

So, if they hide the information needed to pass a test - they lose the
marketing potential of instructional capital.  Just look at the
marketing potential of the original MCSE and CCNA certs.

If they make the information too available, they risk constant
restructure of the program to hold any value - this was the failure of
the MCSE and CCIE certs.  Cisco internal had too many programs that
made it easy for employees to get CCIE, and thus in the first 5 years
it became very polluted with these people.

Of the companies that have intellectual property in instructional
capital - only a few are currently able to keep their training
material and test questions out of reach.

They are: Agilent, Altiris, Aruba, Avaya, Brocade, Business Objects,
Radware, Riverbed, RSA, SAP, and Siemens.

I would add SANS to the list, but I have not done extensive research
on GIAC et al.  Are there any super secret "SANS Answers" forums or
"trading circles" that anybody knows about?

Now consider the above 11 companies.  Avaya, in particular, suffers in
the instructional capital marketspace.  When was the last time you saw
a book on "Installing IP Office" at a bookstore?  A magazine article
on "tips and tricks".  Seen some lines of config explained well in an
article or blog post?  Went to a free event or conference covering
that material?  Most of the others fall into this same category.

The exceptions are Brocade, Business Objects, and SAP (also Gartner
favorites BTW).  I'm sure the training material to these does get
around, but less so than any other major organization that has IP in
training and certification material.  Name somebody else and I'll tell
you how bad it is.

Some certifications I'm just happy exist, are cheap, and actually do
have loads of material available to easily learn the material and pass
the test.  For example: CWNA and ITSM (ITIL).  Others I wish I had
access to any information about - OPST, QDSP, or CSTE as great
examples of this.

Cheers,
dre
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave