Firewall Wizards mailing list archives
Re: Network Security Certification
From: "Bruce K. Marshall" <bkmarsh () feist com>
Date: Wed, 29 Apr 1998 10:19:12 -0500
Paul D. Robertson wrote:
> I seriously questioned the real-world value of such certifications based on my experiences with the people who held them. I know folks who have them who are _seriously_ missing pieces of the real-world puzzle. Some of them are fair at the business side things, but I've yet to meet a certificate holder who impressed me because of the certification process, or other than one case, their grasp of real-world security problems. In the ensuing time since this went around, I've met another couple of holders, one of whom I would actually trust to do real-world evaluations of my networks. All the experience and knowledge said person gleaned that made them meet my criteria was prior to them even considering the test.
And this really is the criteria that certifications focused on in the beginning. A CDP or CNE was supposed to be a standard of proving that you had experience in your given field. Of course, people who didn't have this experience also wanted to become certified, so vendors/organizations designed courseware to "supplement" a person's knowledge and essentially prepare them for the exam. Some trainers still mention (tongue-in-cheek) that this course is for education and not to prepare you for a test; others have dropped the charade altogether. In my opinion, some courseware has continued to lower its requirements for prior knowledge so that you really only need to be familiar with using a mouse and keyboard to become a certified something. The term "paper" CNEs/MCSEs/etc. has gained popularity among those of us having experienced the real lack of knowledge among some certified individuals. After all, what is that rule about learning and retention? Something like you lose 50% after a few weeks or so. It takes real-world experience to be able to truly understand and utilize computer concepts. The more the better, since everything tends to have some relation in computing. Certification isn't necessary to do this, but with some people it helps to put the point across in the beginning (or on resumes). Obviously this depends on your prior experiences with certified individuals, as you state.

If your resume came across my desk, and you had certification but not experience, it wouldn't mean much to have the certification. If you had experience but not certification, it wouldn't mean much not to have the certification.

The (ISC)^2 has been fairly sensitive to this fact and tries to address it through several measures. Foremost is their requirement that you have at least 5 years of related experience in the information security industry before you can take the CISSP exam. This doesn't stop people from lying, but they would risk possible detection and certification stripping. Ongoing education and training is also required for you to maintain your certification. Over a three-year period a certified individual must earn 120 Continuing Professional Education credits (CPEs) through a variety of methods. Essentially, things like attending classes, conferences, teaching, writing articles/books, self-study, submitting new exam questions, or retaking the exam all count towards earning CPEs. Plus, they limit how many CPEs you can earn doing certain activities. More info on this can be found at http://www.isc2.org/recert.htm. The biggest complaint about the (ISC)^2 and the CISSP exam is the age of the material (it does have a slight mainframe slant due to the founder's own experience) and the quality of the exam. I understand that since I sat for the exam some significant steps (including an open two-day meeting to review questions) have been taken. The CISSP will gain a lot more value if this path of improvement is continually followed.
> I've been RACF "special", I've been a VM sysprog, my first job had IBM 360 mainframes running DOS. I've yet to see a certification process that tests enough current knowledge to be more useful than the same amount of time spent doing individual research.
This is indeed the main fault with current certification testing, which in turn can place the blame on our industry's rapid growth and expansion. Some organizations obviously make more of an effort to keep up to date than others. Unfortunately, most people are left to find this out for themselves during a test. Your other point about individual research is also quite valid. I would love to tell management that I'm taking off a week (non-vacation time) to study the intricacies of IPv6 and have them accept it. Somehow they seem a little more receptive to letting me go for a week to sit in a classroom and learn the basics of TCP/IP from Microsoft. Luckily this doesn't prevent me from also supplementing my textbook education with any other materials, either during this time or off-hours. It also boils down to what type of learning you respond to the best. Some people are able to grasp concepts better when they are provided by an instructor. Some people hate classroom environments and won't utilize them. Each to his own, I suppose. The main goal should always be to achieve an accurate and useful education.

--
Bruce K. Marshall, CISSP - bkmarsh () feist com - Feist Communications
2424 S. St. Francis - Wichita, KS 67216 - 316-264-2248
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature