Firewall Wizards mailing list archives

Re: Network Security Certification


From: emaiwald () bigdog fred net
Date: Thu, 30 Apr 98 9:07:20 EDT

Marcus wrote: 
The trick to certification is to prove that the proposed expert
can reason about problems in their area of expertise, not simply
memorize test answers. I don't know enough about the test
procedures used by the various testing boards, but I do not believe
in static testing. A dissertation/essay exam/peer board review is
something I'd have no problem with at all. I'm showing a lot of
bias I inherited from my dad the professor, who believes you can't
be said to know something unless you can stand up without preparation,
and talk about it until everyone else falls asleep (his description
of a doctoral defense).


Speaking as someone who took the CISSP exam, I have to agree with Marcus
here.  Any certification exam should attempt to test the candidate's
understanding and ability to use that understanding to solve a problem.

That said, I am still not a fan of certification.  Why, then, do I
have one?  I have one because the business I am in (security consulting)
will eventually require it and I hate to be the last person through
the door.

Certification can be a good thing if used correctly.  What
I mean by that is that if a company with no security
experience or expertise needs to hire a consultant or an
employee, how does that company know that the consultant
or employee actually knows what they say they know?  
Certification, used in conjunction with interviews, reference
checks, etc. can help.

If I were to design the perfect certification program it
would include some requirement for working in different
areas of the industry.  For instance, a certified security
person would have experience in development, system administration,
physical security, auditing, policy development, and policy
implementation.  I probably forgot a few areas in the list.
Not too many people will have experience in all of these
areas.  So how about having a general certification (this person
has a clue to general security) along with area certifications
(this person not only has a general clue but is an expert in
.....).  The tests for these certifications would include some
type of board process as Marcus suggested.  It should also
include some type of test on general knowledge (such as the
CISSP test), and a requirement to show experience in the
areas in question.  In order to maintain certification, 
there should be some type of continuing ed requirement (the
ISC2 did get this mostly right for the CISSP).

Eric


-- 
---------------------------------------------------------------------
Eric Maiwald, CISSP                                 emaiwald () fred net
Director Security Services                               301-977-6966
Fortrex Technologies, Inc.                          North Potomac, MD
---------------------------------------------------------------------
