Firewall Wizards mailing list archives
Re: Network Security Certification
From: emaiwald () bigdog fred net
Date: Thu, 30 Apr 98 9:07:20 EDT
Marcus wrote:
The trick to certification is to prove that the proposed expert can reason about problems in their area of expertise, not simply memorize test answers. I don't know enough about the test procedures used by the various testing boards, but I do not believe in static testing. A dissertation/essay exam/peer board review is something I'd have no problem with at all. I'm showing a lot of bias I inherited from my dad the professor, who believes you can't be said to know something unless you can stand up without preparation, and talk about it until everyone else falls asleep (his description of a doctoral defense).
Speaking as someone who took the CISSP exam, I have to agree with Marcus here. Any certification exam should attempt to test the candidate's understanding and ability to use that understanding to solve a problem. That said, I am still not a fan of certification. Why, then, do I have one? I have one because the business I am in (security consulting) will eventually require it and I hate to be the last person through the door.

Certification can be a good thing if used correctly. What I mean by that is that if a company with no security experience or expertise needs to hire a consultant or an employee, how does that company know that the consultant or employee actually knows what they say they know? Certification, used in conjunction with interviews, reference checks, etc. can help.

If I were to design the perfect certification program it would include some requirement for working in different areas of the industry. For instance, a certified security person would have experience in development, system administration, physical security, auditing, policy development, and policy implementation. I probably forgot a few areas in the list. Not too many people will have experience in all of these areas. So how about having a general certification (this person has a clue to general security) along with area certifications (this person not only has a general clue but is an expert in .....).

The tests for these certifications would include some type of board process as Marcus suggested. It should also include some type of test on general knowledge (such as the CISSP test), and a requirement to show experience in the areas in question. In order to maintain certification, there should be some type of continuing ed requirement (the ISC2 did get this mostly right for the CISSP).

Eric
--
---------------------------------------------------------------------
Eric Maiwald, CISSP          emaiwald () fred net
Director Security Services   301-977-6966
Fortrex Technologies, Inc.
North Potomac, MD
---------------------------------------------------------------------