Penetration Testing mailing list archives
Re: Hacker Stories, Certs, vs Projects
From: Pete Herzog <lists () isecom org>
Date: Tue, 01 Aug 2006 14:26:31 +0200
Hi,

I think it's important to realize that security did pay the huge bucks back before it became a general cert to pass, like CISSP. See, back before all that, those in security earned their big bucks by actually learning all they could in IT, which at some point led them into security. We actually had no general security certs, and I doubt it was even a consideration for many of us since really, it was mostly down to Microsoft or Novell at the time. But it's true that many were unix admins, engineers, and cable jockeys, teething on the foundation of systems and networking BEFORE they got into security. And that's why those guys STILL make the big bucks. Because they're learned.

An industry that has been reduced to a cert means a profession with a lack of real experience and applied knowledge. If one can be a security expert without having to work for it (and here starts all the "I studied so hard for that cert" talk that I'd rather avoid, because 4 months of hard reading is not the same as 4 years of banging your head on a Linux box because things like the new kernel tweaks for kerberos are not working), then that will become a profession over time with less intrinsic value. Economics: if it costs a lot in time and money to be a professional at something, then those people will generally be paid more for their work (and yes, I can also think of exceptions, but I'm also not making a broad rule here).

I still believe in applied-knowledge certifications as a vetting process for existing security personnel. I believe in applied-knowledge certifications for recent graduates looking to prove they can hit the ground running and be resourceful, which saves a company money on position training and on taking time away from their more expensive veterans who will need to show them the ropes.

Many people don't know, but ISECOM didn't make the OPSA and OPST and become a certification authority to get into the cert business. We got hundreds, maybe thousands of requests for it before we ever did it. People on the OSSTMM project basically defined what they wanted people they hired to be able to do before they started work. It's also why we will not work with training companies, because this isn't the sort of certification that training companies like (easy test, easy infrastructure, high pass rate). So we avoid them, because our models differ too much to have a good relationship. We only partner with companies who are in the security business and want to teach their customers to understand their security decisions on a consultancy, or who teach university students to find better job candidates or get smarter people placed in security jobs where they understand how the work needs to get done. The trainer's ulterior motive is to make a smarter customer. For them, our certifications do that. They show a customer or educate a student in just how complicated, hard, and demanding security can be, because it makes them do it.

The first thing I say in any OPST or OPSA class is that when you realize there is still so much you don't know about security and you're hungry to know as much as you can, then I did my training right.

-pete

R. DuFresne wrote:
And I pointed out how in recent years, sec folks tend to not make the money that others trained in, as my example defines, admins, do to this day. There was a time when sec folks who could demonstrate real skills, real hands-on experience far beyond showing a cert number for a passed CISSP exam, made real money. These days it's far from that... Will a cert get you past a clueless HR rep? Sure. Will it automatically put you into high-paying jobs? Far less likely these days.