funsec mailing list archives

Re: "Skills gap"?


From: Rich Kulawiec <rsk () gsp org>
Date: Thu, 29 Nov 2012 08:31:52 -0500

On Sat, Nov 24, 2012 at 09:24:29PM -0600, John Bambenek wrote:
> That said, I've been helping write/audit SANS certifications for
> a while.  I'm simply ineligible to take them (for what should be
> obvious reasons).  I got real tired of submitting resumes and being
> told I need a GSEC/GCIH/et al.  I'd respond with I wrote part of the
> question bank and some HR bean counter just didn't get it and
> insisted I needed the paper.  I ended up taking the CISSP cold one
> weekend just to have something and even then I got tired of paying
> the annual ransom for letters that meant nothing.

Certifications are, in theory, a good idea.

Certifications are, in practice, crap.

Which isn't surprising really, if one takes Deep Throat's advice and
follows the money.  It rapidly becomes obvious that certification programs
are designed to maximize revenue, not to promote and/or measure expertise.
(Even those that start out with the latter goal and the best of intentions
inevitably gravitate to the former.)

This is a problem particularly in the security arena because, as you
astutely point out, HR bean counters look for them and resumes without
are routinely roundfiled -- never mind that the senders of those resumes
could *easily* be the most qualified applicants by a wide margin.  They
have become a shortcut for the technically illiterate and the impatient,
and unfortunately they're a shortcut that doesn't work.

I don't have any (viable) idea how to fix this.

---rsk
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.