Full Disclosure mailing list archives
Re: IT security professionals in demand in 2006
From: Andre Ludwig <andre.ludwig () gmail com>
Date: Mon, 5 Dec 2005 22:35:11 -0500
If you guys spent half the time you do crying about why *insert certification I don't have here* blows monkey ass and just took/studied for *insert cert I am playa hatin on here* you guys would get paid evelenteen billion dollars more (oh, and the free bikini girls that come with the certs are awesome).

Remember guys, not every hiring manager is n3td3v (or dare I say l33t3r then h3?), soooo the masses need their idiot stamp of approval so that the drooling PHB's can hire another body to warm/fill another pod/cube. This way they (the PHB's) can fend off the next SOX auditor with said new hires' alphabet soup ninjah skills/Kung Fu.

One more thing: Alphabet soup != technical skill, anyone worth a billionth of a damn knows that one.

/rant
/ had to throw another / in for the hell of it

Dre <---has a shiny idiot stamp of approval, where's my decoder ring damnit!

On 12/5/05, sk <sk () groundzero-security com> wrote:
> Not everyone who gets involved in security gets there because it was the primary objective. The implication I was trying to make was that some people get pushed down the security road. If they actually go down that road they will focus on practical security, and start to learn more, but it takes something to push them down that road.

Well ok, then they are in the security field, but it doesn't make them "professionals". Not everyone with a CISSP is a professional, and it's simply to show off to bosses and people who aren't familiar with the IT security field. I've been into security for 11+ years, I surely know what I am talking about.

> Yes, I do. At least to 19-21 year olds at community colleges. I regularly speak to students about to head out into the field after taking courses to learn about networking or information security courses to let them know what the real world is like. I use the security guard analogy and it clarifies a lot of things. Most of the people in these courses recognize the lack of respect for mall security guards they had only a few years earlier, and at the same time the enhanced (generally speaking) respect a person has for someone driving an armored car. It is not a perfect example, but as an analogy it clarifies things fairly well.

Ok, fair enough, but you talk on a list where people have tons of certs and are security professionals, so no need to be so basic.

> I disagree with this. Someone who is really interested in security who does not have experience in the field, or at least knowledge of business process will do more harm than good. At least to pass the CISSP you need to understand the basics of networking and some formalized knowledge. It is not a good cert, but there is a minimum 'you must have memorized at least this much' threshold to finish the exam.

I'm not talking about a complete moron. I mean someone who already understands the ins and outs of a network and is familiar with administration, but then goes into the security field and keeps learning. He soon will be way more skilled than anyone with a CISSP. Someone who's not familiar with different operating systems, administrating those, and a fair understanding of networks won't be able to go far in the security field anyway...

> Compare that to someone who has read a few papers on security and follows best practices (whose? why? etc). Small businesses can't afford to hire expensive consultants, but they deserve better than budding hackers to help them. Furthermore, if there is an incident the business can be held liable for, pointing at a CISSP and saying he helped set it up can go a long way to proving that at the very least some due diligence was shown. Pointing at timmy down the block who sets up wireless is not going to have the same value from a business perspective.

Sure, this makes sense, but I was not talking about some kid in the basement, but a professional administrator or even better a programmer going into the security field out of interest. Then again, as I said, a small company will outsource security.

> In the real world this can cost as much as $1000 CAD an hour, for a cheap consultant. Ongoing support is unrealistic for many businesses.

I know, it's not like I work on the moon you know :P but I don't talk about constant support. A small company doesn't need that anyway. Once in a while, maybe once a year, have a real security audit of the network. With good administrators this is enough, as if they are told what's wrong with the network in the first place (i.e. when the company starts) and then take the advice and work based on it, a small company should be fine if they keep updating their software (which they will be told most likely by the security team that does the audit). Well, but this isn't the topic really, so nevermind.

> I know of a few that go out of the way to only hire IT guys that have a security background. But they are definitely exceptions to the rule.

Yes, surely they do, as some boss will obviously look at certs, but that's where we come to my original topic: those certs don't prove anything, so the CEO may think he hired a good security consultant and feels safe, but his trade secrets go out of the network all day unnoticed, as the security guy has no idea what's really going on, as most of them sit on their certs and think that's it, but without constantly learning you're going nowhere. They spend all their working time on their high paid asses and brag on some forums or mailing lists on how skilled they are.

> Real world information security is about risk. It is an insurance policy. You spend $X,XXX in the hopes that an incident that costs $X,XXX,XXX won't happen. Until you convince business that ideal security (not perfect, as we agree perfect is impossible) should be the objective, not risk mitigation, businesses will not improve spending.

Yes, it's about risk, but this $1,000,000 or more in costs after a security breach only applies to very large networks. Most of the time it's just that expensive because companies have to hire expensive security professionals while the actual work wouldn't cost much at all.

> To convince businesses that ideal security is better, we need to have legislation that holds business owners accountable for security failures that impact individuals other than shareholders.

Most of the time you can only convince a CEO to pay more for security after they have been compromised, but that's life...

> This is the unfortunate reality that security researchers and the talented security professionals live in. This is not a world that hackers live in. Hackers live in an academic world that lets them posit scenarios where SHA-1 breaks are a legitimate threat (it will be soon, but it is not a realistic or credible threat *right now*). Hackers, regardless of their motivations, live in a world where the only limits are their imagination, dedication, and willingness to overcome ethical 'challenges' to gain access to facilities and resources they require to push the boundaries of security.

Well, I agree somehow, but then again many, many real hackers work in the professional security field and even sometimes hold such courses for certs, as they know exactly that no one is a professional after such a cert, but they get paid for it well, so why shouldn't they exploit that opportunity. I remember some text that vH from THC wrote, "hackers go corporate" or something.. might be a nice read for you :-) So well, I just want to say that a security professional should be someone who is really professional, and CISSP doesn't make you one.

-sk

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/