Firewall Wizards mailing list archives

RE: Contract Rates & CISSP or not


From: "David Hawley" <chiman () hawaiian net>
Date: Tue, 27 Nov 2001 11:44:56 -1000


Crispin,

Your viewpoint is *very* refreshing!  Anytime you need help on a project,
please drop me a line.
I wish my experience of working in this industry was filled with more
like-minded folks...

Please don't laugh too hard at me for playing "devil's advocate", as I came
to the group with the question, but unfortunately the reality of being a
consultant or contractor is sometimes filled with drudgery (picture writing
the Gauntlet rules, which are in a sense a "where the rubber hits the asphalt"
security policy, for a set of subnets that include 10 firewalls and 20 access
and choke routers, keeping in mind that all the IPs, all the subnet masks and
all the ports, all of them mind you, must be correct or you will be let go,
and doing it for 6 months or a year straight).

Often the Full Time Employees (FTEs) will be going to meetings, explaining
the concept of a firewall to a PM, or in the lab playing with the next
generation firewall where there is room for error.  That is tedious....  Of
course it's not always that way; sometimes we do get to design the entire
security architecture for an entire company, while all the brilliant FTEs
are working on writing Java code, or designing the next generation chipset,
or something (oftentimes writing emails protesting the security measures we
are trying to put into place).  Those are the fun contracts!

My point is that as contractors or consultants we, like a day trader, get in
and out of the market a *LOT* more often than an FTE, so we are of necessity
faced with dealing with HR folks who have no idea about technology, whose
only recourse is to look at our credentials (or ask a set of questions
generated by the FTEs), and those credentials aren't always in a nice
Master's degree or a PhD; often they were gotten at the last minute to stay
up on the latest technology, or concurrent with competing for an open job
order, or in this case fighting it out for the few contracts that are out
there in a recession (I've been through 3-4 in my career; it's the only time
you can get around in the Silicon Valley in any semblance of a timely
manner, in a car :-).  So there is brilliance, and there is brilliance.
Sometimes the brilliance ignores $$$ and develops a whole new generation of
products, or a better mousetrap (a Synaptic touch pad?); sometimes that
brilliance decides to risk it all and go for the gold found in
consulting/contract work...  Please don't judge us too harshly for doing
what we need to do to survive in this bloody marketplace.

Cheers, David

Another example of drudgery is sorting through tools designed to do in the
Microsoft world, what has been done in *NIX for 20-30 years...  Bill Gates
said 2 things I like to quote, "The Net is a passing fad", and "you will
never need more than a megabyte of RAM".


David Hawley
UNIX & NT Network Security, LLC.
drh () 123netsecurity com
www.123netsecurity.com

 -----Original Message-----
From:   Crispin Cowan [mailto:crispin () wirex com]
Sent:   Monday, November 26, 2001 12:09 PM
To:     Darren Reed
Cc:     R. DuFresne; chiman () hawaiian net; firewall-wizards () nfr net
Subject:        Re: [fw-wiz] Contract Rates & CISSP or not

Darren Reed wrote:

One would hope that this would perhaps deter the snake oil security folk
from polluting the waters but there are guarantees in this world besides
death and taxes.

"Death, Taxes, and Imperfect Software: Surviving the Inevitable".
Crispin Cowan, Calton Pu, and Heather Hinton. Presented at the New
Security Paradigms Workshop 1998
<http://www-hsc.usc.edu/%7Eessin/nspw98.html>. Postscript
<http://www.cse.ogi.edu/%7Ecrispin/bugtol.ps.gz> 130 KB, PDF
<http://www.cse.ogi.edu/%7Ecrispin/bugtol.pdf> 92 KB.  :-)

A different take on the CISSP issue is this: if people with the same
experience quote for the same job and the person with the CISSP gives
a somewhat higher quote (let's say $10/hr more), is the recruiter going
to go for the CISSP qualified person or the other?  I guess the question
I'm asking here is does the CISSP equate to X$/hr extra when it comes to
the consulting gig and if so, for what value of X?

Personally, I use CISSP as a filter for who *not* to hire, as in "if
they have a CISSP, I don't hire them". Rationale: we do advanced R&D,
so I'm shopping for brilliance, not competence & willingness to do
drudgery with diligence. The CISSP (hopefully :-) assures a minimum
level of competence, but IMHO the social filter of those who seek such
certification makes them unlikely to be a brilliant innovator.

My position used to be much stronger: that certificates are for poseurs,
give me a real degree or a Bugtraq pedigree, or don't bother. But I've
mellowed in my old age :-)

In summary, I still look at CISSPs (and other certificates that don't
start with "Bachelor's" or similar) as a negative mark, which I'm
willing to overlook if the other factors are strong. I certainly will
not pay extra for it.

Crispin

--
Crispin Cowan, Ph.D.
Chief Scientist, WireX Communications, Inc. http://wirex.com
Security Hardened Linux Distribution:       http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html



_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards