Information Security News mailing list archives

RE: INFOSEC: Certifiably Certified


From: InfoSec News <isn () c4i org>
Date: Tue, 29 Oct 2002 05:04:52 -0600 (CST)

Forwarded from: Brad Bemis <Brad.Bemis () airborne com>

[OK, seriously, this is the last reply on this topic, I'll start 
sending replies to Rick Forno for his next essay. ;)  - WK]


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Odd...  This never happens...  Security practitioners locked in a vocal debate
over the value of certification?  Who would have thunk it?  ;-)  

From one side, you have those that believe that certifications have little
or no value to those operating in the security industry.  These
anti-certification pundits focus on experience as the prime attribute of a
capable security professional.  They see certifications as a pathetic
attempt by the uninitiated to lure hiring managers into slapping down a big
fat paycheck, or as a play by the certifying entities for the unearned
dollars of lemmings that simply follow a trend.  

On the other end of the spectrum sits the certification advocate who voices
that certifications provide a common yardstick by which all security
professionals across a diverse field can be measured against an industry
standard.  They see certifications as a common denominator separating the
wheat from the chaff.  They smile down their noses at those who lack the
air of authenticity that comes from a rolled up piece of parchment.  

I find it so interesting to see security practitioners voice such absolutes
about their position on this matter when the basic tenets of our
profession clearly underscore the role of certification...  You just need
to step back and take another look.  How many times have you been told (or
even said yourself) that there is no panacea for information security?  How
many times have we called upon the essence of 'defense-in-depth' as our
guiding light in a dark digital world?  Who among us has learned all there
is to learn about information security and can cast disparities at those
still trying to find their way?  

Let us apply this same series of concepts to the role of certifications as
one of the myriad of responsibilities assigned to those calling themselves
professionals within this dynamic field.  

Yes, demonstrated experience on the front lines, above all other things,
stands the best chance of differentiating between varying levels of skill,
but let's not forget some of the other elements that compose the foundation
for what I will now refer to as security "competence-in-depth".  I think
you will find that there are many of us (probably a vast majority) that
would much rather denote competence through a series of activities rather
than a singular focus.  

I see it as a lifecycle process (yet another concept that we within the
security community should be intimately familiar with as a critical success
factor in most of our endeavors) consisting of (in no particular order
because they should all be continual processes):   

·       Formal Education (school)
·       Professional Education (courses)
·       Hands-on Learning (daily exposure)
·       Experience (long-term exposure)
·       Reading (self learning)
·       Writing (sharing your experiences)
·       Involvement (professional associations)
·       Teaching (course instruction)
·       Certification (milestones)
·       Recognition (awards)
·       Again, and
·       Again, and
·       Again

Certifications play an important role in the development of those who
recognize their value as yet another opportunity to grow as a professional.

No, not everyone with a certification is qualified to do the job defined by
the test objectives.  You may judge the competence of a certified
individual based on your own experiences and biases for or against a
specified credential, but I would be more interested in seeing what kind of
conversation I might have with someone who has achieved the title of a
CISSP by way of comparison to a conversation with someone who has earned
the title of CCIE-Security, of CISA, or of CCP for that matter.  The point
here being that most certifications today focus on a specific aspect of
information security (yes, even the CISSP with its ten domains is focused... 
on security management, not technical security implementations).  As a 10
year veteran of information systems and security, I would never hold a
CISSP to the same level of accountability for the technical implementation
of a CiscoSecure PIX firewall that I would a CCIE-Security any more than I
would hold a CCIE-Security accountable for the development of a corporate
information security policy framework.  

The field of information security is so broad and dynamic that there is no
one way for any of us to define what does and does not 'qualify' an
individual to share with us the coveted title of information security
professional (or whatever moniker you associate with your position).
There must be ways to categorize levels of professionalism and competence
in a way that makes sense to those of us who rely on each other to see our
way clear to the other side of the common challenges we face.  Judge not
the certification, judge its bearer.  Not just on a single criterion, but on
a broad range of disciplines that will give you greater insight into the
true caliber of the individual.  

I for one believe that someone with the appropriate background, skills to
demonstrate, a thirst for knowledge, a desire to succeed, and a drive to
dominate would simply take the time to ante up and get certified as a
professional responsibility.  You see, I sit in the middle of the road,
somewhere between the two primary poles of opposition.  I see
certifications and individual attitudes toward them as yet one more way to
differentiate between practitioners and professionals.         

Of course that is just my opinion, I could be wrong...


P.S.  And yes, I know many practitioners that are excellent security people
without a certification and many certified people that I wouldn't let touch
my child's Playschool computer.  If your arguments to this message are
based on this or similar arguments, please reread the message. 
Certifications are A SINGLE ELEMENT of the process that defines a true
security professional.  This is simply my opinion...  yours is just as
right!       


Thank you for your time and attention,

=========================================
Brad Bemis, CISSP, CISA, CBCP
MCSE, MCP+I, CCNA, CCDA, NNCSS, Network+
Information Security Officer

-----BEGIN PGP SIGNATURE-----
Version: PGP Freeware, Ver 6.5.8CKT - Build 8
Comment: KeyID: 0x691D248A
Comment: Fingerprint: ECF3 F29A 65FD 3437 46FC  FADF 54B9 6BD1 691D 248A

iQA/AwUBPb25D1S5a9FpHSSKEQIIDQCg2+NmaA5fOYA5nOxC8yLZfm2s0LMAoJOE
aZFNCBL33alJ+H0g2rmeTWwa
=3uYB
-----END PGP SIGNATURE-----


