Re: How do we do our job?

[darrenr () reed wattle id au]

In some email I received from Bennett Todd, sie wrote:
[...]
> To sum up, what I'm hearing is that people with experience working in
> the computer security field deride certification; they've seen it used
> primarily as a resume-padder for the unqualified, and note that given
> the speed with which the field evolves, all a certificate demonstrates
> is a desire to get certificates. Supporters of certification claim
> that such approaches could be good; if the computer security industry
> were like e.g. medicine, perhaps we could have an organization like
> the AMA. No wait, if the computer security industry were like the
> practice of law, we could have something like the ABA. No, hang on, that
> still sounds pretty slimy, maybe if the computer industry were like
> accounting, we could have certificates like the CPA and the CFA. That's
> the ticket! Heck, I'd agree, give it a few thousand years to mature and
> stabilize, and perhaps computer security practice will be as amenable to
> certification as accounting practice.

Maybe...but what about those who feel slighted because working
with computers isn't regarded the same as it is accountancy ?

What's so good about a Doctors that makes them able to sign for
passports/statutory declarations but not us ?  Do they have some
magic about them that we don't, hmmm ?

My hypothesis about this is that because our profession doesn't
currently have any use for this, it is convienient for some to
pick on those that do.

For example, it's a lot harder for a person to grab a book on
accountancy, read a bit and then go around charging people $10,000
to do XYZ for them and not give them value for money.  Whereas in
the computer industry, what surety do we have that your references
are worth anything ?  Who has ever given bad references on a resume ?
If Joe Bloggs puts on a suit, reads an article or two in the newspaper
on firewalls, learns the jive and then sells his services successfully
to a person for $10,000, what benefit does it give our industry ?

Yet, at the same time we're all saying that taking measures that would
attempt to deal with these scenarios are worthless.

I can't believe anyone who actually takes pride in their work as a
computer security professional would want to make it any easier for
frauds to inhabit the industry but yet here you all are saying that
taking the time to "certify" those who can at least meet some common
level is pointless.  Sure, there will always be "good" and "bad"
people who manage to pass whatever tests there is, but at least if
they screw up they can be de-bar'd or deregistered or whatever and
no longer able to legally portray themselves as being certified.

And if you don't think they exist, just search this list and others
related to firewalls for reports of people auditting poorly setup
firewalls, etc.

Personally, I agree with those who say the certificates only prove you
can acquire said certificate.  But if said certificate also helps us
keep scum out of the industry, then that's an evil I'm prepared to
endure.