Re: Network Security Certification

["Shane Mason" <Shane_Mason () securecomputing com>]

I have been listening to this thread, and I have a couple of things to add,
hopefully to clear some air.

If you are a "security professional", or want to be, I would recommend
taking a certification course from a company that has pull within the
industry.  I have worded this very specifically.  The valid derision of
current security professionals notwithstanding, a security certification
will provide you with enhanced credibility when presenting yourself as an
authority on security.  As the industry grows, and more and more people who
know nothing about security are looking for people to manage security for
their organizations, the certification will be something that business
people will use as a litmus test for keeping or discarding resumes.  If
there is a company with a certification process that is at least
reconizable by name, it will increase your marketability.

This has been true for over two decades, and not just in our industry.  A
university degree does not say anything about a person's ability to perform
and grow in a certain job.  Many highy motivated, highly skilled, and
highly experienced people have been passed over for a position because they
don't have a university degree listed in the Education section of their
resume.  In fact, companies may pass over the best candidate in exactly
this manner.  As an anecdote, I know a research scientist who teaches at a
University in Canada, and this person never completed their degree.  They
did a great job on thier 4th year thesis, started working for their
professor, consulted to companies in their area of expertise, etc., but
never actually graduated.  But who cares?!  These lucky/resourceful people
are in the minority.  When an employer has 100 resumes on their desk, they
are going to choose who looks best on paper to bring in for interviews.
Anything that can go on the resume to make you look better will increase
your chances of success.  This is true for MCSEs, and CNEs as well.

My plea to business people is exactly the opposite.  You must take great
care.  When you are hiring for a mission critical position, there is no
substitute for experience and knowledge.  It is necessary to "go the extra
mile" in determining fitness for the position.  If you end up hiring
someone beacuse of their paper skills, it could cost you more than a larger
salary in lost productivity and, in the case of a security manager, in lost
information resources.

ICMan



Please respond to "Paul D. Robertson" <proberts () clark net>

To:   Alec Muffett - SunLabs <Alec.Muffett () UK Sun com>
cc:   Anton J Aylward <anton () the-wire com>, firewall-wizards () nfr net (bcc:
      Shane Mason/SECURE)
Subject:  Re: Network Security Certification




On Tue, 28 Apr 1998, Alec Muffett - SunLabs wrote:
> > I've been doing this for nearly 20 years and I find the material
> > a challenge.   Despite what people like Paul Robertson say, this is a
> > true test.
Adhearing to what I like to think of as "Bernstein's law" I'm apt to
respond to anywhere I'm quoted ;)
> I won't argue with the fact that taking some kind of exam in the field
> at least shows some sort of dedication to the topic of security, and
> therefore could help employers sort some of the wheat from the chaff
> of job applications.
I'm not so sure it doesn't show some sort of dedication to taking tests.
While Anton has obviously not been motivated to do this by lack of a
future, I'd be interested in hearing his apprasial of the other test
takers to contrast with what I've seen for the last 3 or 4 years.
 [snip]
> Without "CLUES"(TM), all the knowledge in the world will not protect
> your network; it is a regrettable almost-certaintly, however, that
> your insurance premiums will eventually be bound to how many certificates
> your staff have passed, rather than how many "CLUES"(TM) they possess.
I seriously fear this case.  It's difficult enough now to get a valid
business case for security funded.
> [2] Speaking as someone whose only security (or indeed computing)
> qualification whatsoever is a "Introductory Fortran for Numerical
Analysis"
> course segment taken in 1986 as part of an Astronomy degree.[3]
>
> [3] Presumably this means I know nothing about security and therefore
> am unemployable in the field.
Hey, for the paltry sum of a few rounds of beer, the Gargoyle which sits
on my monitor will certify you.  He got the idea from Marcus' cat's
firewall certification process.  Never fear, you too can be part of the
"Information Superhighway Highway Patrol."  Badges are extra ;)
Paul
---------------------------------------------------------------------------
--
Paul D. Robertson      "My statements in this message are personal opinions
proberts () clark net      which may have no basis whatsoever in fact."

PSB#9280