RE: Trust validation of programmers

["Burden, James" <JBurden () caiso com>]

We should all be wary of stereo typing and prejudices of any kind.  

I fail to see how possessing any certification can be harmful on a
resume.  Regardless of having a College degree, certifications or tons
of experience (or not) on your resume the potential employee should have
to demonstrate his/her abilities and knowledge for the job at hand.  It
does not matter if they have savvy security people or not.  The
employers responsibility is to find the right choice for the job and for
the right price.   Whether he has the savvy staff or has to hire a firm
to accomplish the task, it is the employer's responsibility to choose
appropriately.  

It is the prospective employee's job to make him/her self attractive to
the position. Any security professional who takes the time to gain the
certification (CISSP or other certification) has at least shown
prospective employers their willingness to learn on their own time, and
possesses an ambitious attitude.  A resume is nothing but an ad.  It may
display accomplishments, experience, college, buzz words, certifications
and the like, but the sole purpose is to get an interview.  Some
companies or head hunters may find you while searching the web (finding
your ad).  College, school, and experience may prepare you for the
interview but when you arrive you are on your own and pointing to
certifications will not help.

        This is a mighty bold statement: "Certification tests have
absolutely nothing to do with the ability to
        perform well as a security consultant."  

Following this logic:
Could this mean that no information tested in certifications is worth
knowing?  Performing under stressful conditions is not a requirement for
a security consultant?  The ability to read and answer questions is not
a requirement for a security consultant?

I can sympathize with your view.  Several years ago I met a young lady
who with only 2 years of Algebra, CLEP'd Trig and Calculus at the UT in
Austin.  She said it was simply common sense and problem solving.
However, it would be hard for me not to invite someone like that onto my
staff.



James L. Burden Phone - 916.351.2243
Security Engineer       Page - 916.814.2563
California ISO  Fax - 916.351.2181
http://www.caiso.com    Email - jburden () caiso com
41DF 0E4C 26E0 2FD3 8C81  A260 5C40 280E B4AE 7420
____________________________________________
   To Teach is to Learn   - Aaron Nimzovich
____________________________________________

Disclaimer:  The above represents my personal opinions and not an 
official endorsement or position by the California ISO, my current 
employer.  I reserve the right to disavow them at my convenience.   

> -----Original Message-----
> From: tqbf () pobox com [SMTP:tqbf () pobox com]
> Sent: Monday, July 06, 1998 12:38 AM
> To:   rachel.rosencrantz () predictive com
> Cc:   firewall-wizards () nfr net
> Subject:      Re: Trust validation of programmers
>
> > CISSP cert does look good on your resume. (How is the non-security 
>
> Not everywhere. In places staffed with savvy security people, having
> "CISSP" on your resume may put you at a distinct disadvantage (you
> will
> wind up having to demonstrate to your potential employer that you are
> not
> a clueless certificate weenie).
>
> Certification tests have absolutely nothing to do with the ability to
> perform well as a security consultant. 
>
> ----------------------------------------------------------------------
> -------
> Thomas H. Ptacek                         SNI Labs, Network Associates,
> Inc.
> ----------------------------------------------------------------------
> -------
> http://www.pobox.com/~tqbf     "If you're so special, why aren't you
> dead?"
>