Firewall Wizards mailing list archives
Re: Network Security Certification
From: "Marcus J. Ranum" <mjr () nfr net>
Date: Wed, 29 Apr 1998 18:25:16 -0400
If you are a "security professional", or want to be, I would recommend taking a certification course from a company that has pull within the industry. I have worded this very specifically. The valid derision of current security professionals notwithstanding, a security certification will provide you with enhanced credibility when presenting yourself as an authority on security.
I'd like to mention that I do not think certification is a bad thing. The place where certification hurts is when it's used as a barrier to entry to newcomers in the field. If, for example, there was a Union of Computer Security Guys and you had to pass a test and be a member of the union before you could do security, then all innovation and energy would be lost from the field, which would die an intellectual heat death. The reason that the Internet is such a happenin' place is because ANYONE with a good idea can get in front of millions of people - fast. Someone out there right now may be about to invent some incredibly wonderful security tool and if there was a barrier to their entering the field, it wouldn't happen. The argument in favor of certification that the pro-certification forces should make (but fail to!) is that in the default of some kind of way of proving your credentials, the customer will turn to large, recognized, big names. This is known as "branding" in marketeer. I.e. "Arthur Andersen" or "Ernst & Young" become brand names. As the market grows that smaller brand names become diluted because they cannot market against all the noise. This process is taking place -- it's not bad -- it's just evolution. There are probably more CIOs now who know the name ICSA than Steve Bellovin. That doesn't mean that Steve'd be out of work; it just means that broad appeal transfers to specific targeted projects. At a previous job, I thought I was gonna get filthy stinking rich, and one of the projects I was going to do with my free time was become a certifier of experts. For free. The requirement would be to write a paper on some relevant topic, then be willing to pay your way to come take an essay test and a brief oral exam with a board of your peers. Again, for free. I'd use the exams as an excuse to get cool security people to come hang out and drink beer before the board exams. :) Unfortunately, I didn't get rich on the deal, so there ya go... The trick to certification is to prove that the proposed expert can reason about problems in their area of expertise, not simply memorize test answers. I don't know enough about the test procedures used by the various testing boards, but I do not believe in static testing. A dissertation/essay exam/peer board review is something I'd have no problem with at all. I'm showing a lot of bias I inherited from my dad the professor, who believes you can't be said to know something unless you can stand up without preparation, and talk about it until everyone else falls asleep (his description of a doctoral defense). mjr. -- Marcus J. Ranum, CEO, Network Flight Recorder, Inc. work - http://www.nfr.net home - http://www.clark.net/pub/mjr
Current thread:
- Re: How do we do our job? (was Re: Network Security Certification), (continued)
- Re: How do we do our job? (was Re: Network Security Certification) darrenr (Apr 29)
- Re: How do we do our job? Bennett Todd (Apr 29)
- Re: How do we do our job? (was Re: Network Security Certification) Marcus J. Ranum (Apr 29)
- Re: Network Security Certification Bruce K. Marshall (Apr 28)
- Re: Network Security Certification Alec Muffett - SunLabs (Apr 28)
- Re: Network Security Certification Paul D. Robertson (Apr 28)
- Re: Network Security Certification David Collier-Brown (Apr 29)
- Re: Network Security Certification Paul D. Robertson (Apr 28)
- Re: Network Security Certification Bruce K. Marshall (Apr 29)
- Re: Network Security Certification Shane Mason (Apr 29)
- Re: Network Security Certification Marcus J. Ranum (Apr 29)