Firewall Wizards mailing list archives

Re: How do we do our job?


From: Bennett Todd <bet () rahul net>
Date: Thu, 30 Apr 1998 06:50:38 -0700

1998-04-30-11:28:08 Darren:
1998-04-29-17:05:16 Bennett Todd:
1998-04-29-16:01:00 Darren:
What about cases where there's a need to get certificates in order to
get business?

Never worked in such a field. Some of my employers have, but never
anywhere near the computer side of operations.

Really? Never seen a job advert asking for a CNE or MCSE?

Nope. I'm not a Cisco networking specialist, nor a Microsoft Windows
supporter (``I don't do windows''). More importantly, I've never billed
myself as a single-vendor specialist, for which a vendor certification
would be a benefit. Never been around the hiring of same, either.

In fact, I've never seen a job advert for anyone doing anything like the
work I do. Where do people advertise for security analysts and senior
systems analysts? I've only heard of positions via word of mouth, and
the mouths whose words I listen to have never mentioned certifications
as a desirable job qualification.

[ Bennett said basically, ISO 9000 is for deceitful vermin ]
Are you sure you want to make a generalisation like this?

I'm not really basing my sweeping generalization on personal experience,
more on hearsay and lack of personal experience:-). It may or may not be
significant that no organization I've worked in has regarded ISO 9000 as
anything other than a topic of derision.

Can anybody out there cite an example of a respectable and reputable
company that has pursued ISO 9000 certification, or a customer that has
mandated it in a contract to their benefit?

In my mind, it is reasonable to expect that some certificates
are there because they don't represent just a desire to get the
certificates, but a desire to do the work required to get them too
and a desire to meet a client's needs.

In some industries this is true. Such industries aren't places where
I'd work. Interestingly, such industries have been quite impressively
conspicuous for poor security. Hmm.

You must be talking about the computer industry then :-)

I wouldn't say so, no. Parts of the computer industry. Government
contractors, for instance.

In the financial sector, where I've been working the last 8 years,
people take security very very seriously, and there are very few
incidents, which get a lot of publicity. By contrast, it's hardly
news anymore when a government system gets burgled; certificates
notwithstanding, they get burgled all the time. Fortunately the cost is
small; they just run off another mimeograph of the press release that
states that no classified computers are attached to the internet, so
this incident isn't significant.

To sum up, what I'm hearing is that people with experience working in
the computer security field deride certification; they've seen it used
primarily as a resume-padder for the unqualified, and note that given
the speed with which the field evolves, all a certificate demonstrates
is a desire to get certificates. Supporters of certification claim
that such approaches could be good; if the computer security industry
were like e.g. medicine, perhaps we could have an organization like
the AMA. No wait, if the computer security industry were like the
practice of law, we could have something like the ABA. No, hang on, that
still sounds pretty slimy, maybe if the computer industry were like
accounting, we could have certificates like the CPA and the CFA. That's
the ticket! Heck, I'd agree, give it a few thousand years to mature and
stabilize, and perhaps computer security practice will be as amenable to
certification as accounting practice.

-Bennett
