Re: Credibility (was User Insecurity)

[Ron DuFresne <dufresne () winternet com>]

On Fri, 19 Mar 2004, Gregory A. Gilliss wrote:

> Actually what he is describing is what I refer to as "credibility".
>
> The CISSP after my name is a measure of my credibility. It tells otherwise
> clueless people, people without first hand experience and knowledge,
> something about me. Perhaps it tells them that I exhibit some measurable
> degree of knowledge or experience in my chosen field (security).

No it does not, it simply indicates you can 'test' well.  it states
nothing about your experience, or knowledge levels and cluefullness.  I
constantly work with CISSP's that have not a clue about the basics of
tcp/ip, give blank looks when you mention that udp as well as IP
arestateless protocols.

What those letters behind your .sig do do is allow clueless HR and
recruiting folks something to key on when pouring over hundreds if not
thousands of resumes, to do 'keyword/phrase' matching.  Nothing more or
less.

> For
> people who know me or know security, it may tell them nothing more than
> the fact that that I am a person who can afford $450 and can pass a
> standardized test. The letters mean something different than they do for
> people without experience, since each group (a) bases their measure of my
> credibility on something different (personal experience, word of mouth,
> rumor, slander, etc).
>
> Credibility is a function of perception (my assertion - YMMV). Sales
> people with crappy clothes and long hair may be "less credible" than "Ken
> dolls". MCSE is "more credible" than "pimply-kid-who-knows-how-to-install-
> NT". Doesn't necessarily mean that MCSE is "more knowledgeable" or "more
> professional" than "NT kid", but if *you* see it that way then *you* have
> defined the credibility. A hiring manager may look at two resumes and,
> all else being equal, will likely hire the one with the college degree or
> the certification because that person is "more qualified" - or, IOW, that
> person has more credibility. May not be the best choice, but that's what
> goes on. (Hiring managers who take exception may email me off list pls).

Credibility comes from either direct experience or iin some cases feedback
from others with established Credibility.  For most credability and trust
go hand in hand.  and once lost it can take leaping tall buildings to
regain.  Such as swerving away from ics2's ethics clause.

> Credibility equates to experience equates to clue (my assertion). In a
> "trust" relationship, you can start from "no trust" or "full trust" or
> anywhere in between (some trust, limited trust, etc). SSL is a good example
> of "full trust". Holes, exploits, etc reduce "trust" for a time (until the
> hole is patched). Microsoft suffers from a credibility problem because
> (a) people keep finding holes, (b) Microsoft often denies/ignores the
> holes, and (c) Microsoft takes a subjectively long period of time to
> patch the holes found in (a) and denied in (b).
>
> Credibility. We live and die by it in the security world as much as any
> mechanic/lawyer/doctor/insert other professional designation here...

Thanks,


Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
        ***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html