Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: [OT] CISSP Test

From: "SecurityLSI" <security () lan-slam com>
Date: Sat, 26 Mar 2005 12:17:55 -0500

----- Original Message ----- 
From: SecurityLSI <Security () lan-slam com>
To: "Anders Langworthy" <hades () psilanthropy org>;
<full-disclosure () lists grok org uk>
Sent: Saturday, March 26, 2005 12:16 PM
Subject: Re: [OT] [Full-disclosure] CISSP Test



  When it comes to InfoSec, its not hard to imagine the government

madating

a form of licensing for all security professionals that deal with

regulated

privacy matters (i.e. HIPPA et al).  In fact, I think this would be a good
thing as it would inevitably be extended to other realms of IT, although

it

would probably occur in an informal fashion.

  As more and more privacy regulation becomes the norm, I fully encourage
the government to require some form of high-level certification that must

be

an across-the-board mandate (i.e. licensing).  Its the only way to ensure
competent professionals are the ones filling security positions.  That's

not

to say there still won't be some duds, but at least you won't have the

flood

of bootcampers, braindumps, and paper certs who are only out to make a

fast

buck.  After all, the security of our citizens' privacy, as well as the
integrity of our nation's critical infrastructures are at stake.

--Joe

----- Original Message ----- 
From: "Anders Langworthy" <hades () psilanthropy org>
To: <full-disclosure () lists grok org uk>
Sent: Saturday, March 26, 2005 1:59 AM
Subject: Re: [OT] [Full-disclosure] CISSP Test



SecurityLSI wrote:

I wholeheartedly agree that there needs to be an industry benchmark,
something that says you cannot operate in this field unless you have

passed

x. I'm thinking along the lines of something similar to the Bar exam

that

lawyers have to take, or perhaps a license like what doctors are

required to

obtain before being able to practice. I fear its going to take

something

of

that level to truly separate the chaff from the wheat. Anything less

and

you

only end up with braindumps and bootcampers throwing resume after

resume

at

you.



There is an important distinction between something like the Bar, and
medical licensure.  The InfoSec equivalent of the legal Bar would be
impossible to implement, because unlike a courtroom, a network is not
under regulated control.  If you wish to practice law, you must do it in
a government-controlled courtroom*, and that government says that you
must pass the Bar before doing so.

My network, on the other hand--like my body--belongs to me.  Nobody has
the right to tell me who I can and cannot hire to work on them.  In the
same way, I could pay somebody off the street to perform surgery on me
if I wished.  I wouldn't recommend it, and they wouldn't be a licensed
doctor, but nobody can stop me.

So what difference does it make if we add another benchmark/"cert"?  We
already have plenty.  Even if it were possible, would we really want to
grant absolute power to something like the medical AMA?

* Judge Judy doesn't count.

--
Anders
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/





_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: