Firewall Wizards mailing list archives

Re: Network Security Certification


From: "Marcus J. Ranum" <mjr () nfr net>
Date: Wed, 29 Apr 1998 18:25:16 -0400

If you are a "security professional", or want to be, I would recommend
taking a certification course from a company that has pull within the
industry.  I have worded this very specifically.  The valid derision of
current security professionals notwithstanding, a security certification
will provide you with enhanced credibility when presenting yourself as an
authority on security.

I'd like to mention that I do not think certification is a bad thing.

The place where certification hurts is when it's used as a barrier
to entry to newcomers in the field. If, for example, there was a
Union of Computer Security Guys and you had to pass a test and be
a member of the union before you could do security, then all innovation
and energy would be lost from the field, which would die an intellectual
heat death. The reason that the Internet is such a happenin' place is
because ANYONE with a good idea can get in front of millions of
people - fast. Someone out there right now may be about to invent
some incredibly wonderful security tool and if there was a barrier
to their entering the field, it wouldn't happen.

The argument in favor of certification that the pro-certification
forces should make (but fail to!) is that in the default of some
kind of way of proving your credentials, the customer will turn
to large, recognized, big names. This is known as "branding" in
marketeer. I.e. "Arthur Andersen" or "Ernst & Young" become brand
names. As the market grows, smaller brand names become diluted
because they cannot market against all the noise. This process
is taking place -- it's not bad -- it's just evolution. There are
probably more CIOs now who know the name ICSA than Steve Bellovin.
That doesn't mean that Steve'd be out of work; it just means that
broad appeal transfers to specific targeted projects.

At a previous job, I thought I was gonna get filthy stinking
rich, and one of the projects I was going to do with my free
time was become a certifier of experts. For free. The requirement
would be to write a paper on some relevant topic, then be
willing to pay your way to come take an essay test and a brief
oral exam with a board of your peers. Again, for free. I'd use
the exams as an excuse to get cool security people to come hang
out and drink beer before the board exams. :) Unfortunately, I
didn't get rich on the deal, so there ya go...

The trick to certification is to prove that the proposed expert
can reason about problems in their area of expertise, not simply
memorize test answers. I don't know enough about the test
procedures used by the various testing boards, but I do not believe
in static testing. A dissertation/essay exam/peer board review is
something I'd have no problem with at all. I'm showing a lot of
bias I inherited from my dad the professor, who believes you can't
be said to know something unless you can stand up without preparation,
and talk about it until everyone else falls asleep (his description
of a doctoral defense).

mjr.
--
Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
work - http://www.nfr.net
home - http://www.clark.net/pub/mjr
