Firewall Wizards mailing list archives

Re: How do we do our job?


From: "Bruce K. Marshall" <bkmarsh () feist com>
Date: Fri, 01 May 1998 11:28:22 -0500

Bennett Todd wrote:

> I don't propose making it easier for frauds; I'm all in favour of
> effective measures to make their life harder. Sadly, certification in
> computer security doesn't seem to profit anyone except those same
> frauds.

    I would also take exception to your blatant generalization.  Not
because I'm certified, but because I know of many more qualified people
who do carry industry/vendor specific certifications and they are most
definitely not frauds.

    You sound a lot like I used to be in regard to college degrees.
Having decided not to pursue a college degree myself I proceeded to
denounce their importance and worth to my peers.  After all, what is the
value of a piece of paper, especially when it is borne from studies of
COBOL and Microcomputer basics?

    After realizing that the Sun and Earth didn't revolve around me, I
started looking a little deeper into what a college degree consisted
of.  First, I realized some employers simply won't hire you unless you
have a degree.  I still find this quite ignorant, but have learned to
deal with the fact that they are losing out, not me or many other
people.  Second, I saw that even if some of the coursework was what I
would consider outdated, they were teaching concepts that applied to
many other aspects of computers and networking.  Third, most computer
geeks weren't just relying on their classes to provide them with an
education.  Extra-curricular activities or independent projects served
a great deal of education and growth.  Internships, hands-on lab time,
library resources, etc. all contribute to the potential value of a
college education.

    I still don't think that I'm at much of a disadvantage when compared
to those who attended college because I took measures to pursue a lot of
these same areas on my own.  But, I don't immediately dismiss the value
of a college education either.  I have to weigh that in any decisions
about a person's worth or qualifications.  Whether they took advantage of
their opportunities there usually becomes quite clear.

    Certifications can be in this same boat.  Because I took the time to
learn about physical security and how the legal system deals with
computer crime for the CISSP exam makes me better at doing my job and
understanding how the industry functions.  It doesn't mean that an
employer should hire me over you.  As I said, this should just be one
factor in your judgment of me or anyone else, but you have to consider
it.

    My point being, don't make broad characterizations (negative or
positive) about something until you've thought through the process and
met enough people to make a valid decision.  It just doesn't seem like
you've really done that.

> I've never met anyone with experience and credentials in the security
> field who believed that computer security expertise could be usefully
> tested for and certified.

    This depends on the extent and focus of your testing.  For me to
claim that my CISSP proves I'm a security guru would be quite false.  To
claim that my CISSP proves I understood at the time of my exam (and
hopefully still do) the Bell-LaPadula model, OSI layers, telecom
security basics, how to do Business Continuity planning, etc. would be
quite valid.  I've passed a test designed to measure my comprehension of
those subjects.

    If you ask me to design an exam that would test your ability at
understanding the properties of TCP/IP, I could do that without much
trouble.  However, change that criterion to creating a test that would
test your ability to effectively implement TCP/IP in business
environments and my job has just skyrocketed in complexity.

    Ultimately, a lot of tests try to meet the latter goal and do it so
poorly that my view of certification tests is also a bit negative.  A
Cisco exam, as well as my CISSP test, I took had some obvious
grammatical errors that should have been caught in the evaluation
process.  That doesn't make me feel too comfortable with their overall
evaluations if they can't meet even such a basic requirement.  However,
that doesn't stop me from trying to adapt and add what is perceived by
most as value to my career.

    We'll never get complete agreement from a group of people on the
value of X vs. Y, but I hope that my view helps expand the overall
understanding in the same way that I've gained insight from others.

-- 
Bruce K. Marshall, CISSP - bkmarsh () feist com - Feist Communications
      2424 S. St. Francis - Wichita, KS 67216 - 316-264-2248
