Penetration Testing mailing list archives
Re: CISSP
From: "Michael Mooney" <wolfiroc () earthlink net>
Date: Fri, 8 Dec 2006 00:05:07 -0500
All As a graduate of both the OPSA and OPST I wholehartedly agree with Pete that hands on knowledge based training and certification is the most accurate measure of what you know. It challenges you to excel and keep up with what is happening in our ether world. I am also a CISSP and the reason is that it is becoming a requirementthat for companies gain contracts that they must have certified staff. Unfortunately, the OPST and OPSA are not on the list, but SANS GIAC is - go figure. And yes - OPSA and OPST are difficult tests - that's the point. As I tell my peers and seniors - the vulnerabilities and cyber challengers out there have no conscience, they know no politics, recognize no international boundaries, or personalities. Know your enemy, know yourself and never relax.
[Original Message] From: Pete Herzog <lists () isecom org> To: Bates, Chris <Chris.Bates () nwdc net> Cc: <pen-test () securityfocus com> Date: 12/7/2006 9:54:10 PM Subject: Re: CISSPBut I also think certification by itself means next to nothing for the most part. I have seen way to many Consultants with certifications and degrees not know their head from a hole in the ground.There are certifications and there are certifications. Knowledge certifications where one memorizes security trivia and regurgitates it on an exam has much less applicability in the real world than a formal education where case studies and experience may be introduced or an
applied
knowledge certification. But a certification should mean something. It should prove that a person can apply a particular type of knowledge, a specialty, with a measurable degree of accuracy and efficiency. If a group has convinced you that they can certify, accredit, or graduate you in a trade or specialty in a manner which requires no proof of skill then you should question your own
critical
thinking skills. Because it just doesn't work that way. Even with experience, that means nothing if what you learned is wrong from the
start.
The US Department of Education has a word for organizations who sell diplomas for experience alone and often no additional coursework: Diploma Mills (http://en.wikipedia.org/wiki/Diploma_mills). I'm saying this because at ISECOM we have been an authority for applied knowledge security certifications for nearly 5 years because the security community we work with asked for it. They asked for a security cert that didn't suck. They wanted one where people actually had to apply their knowledge of testing and analysis with accuracy and efficiency in order to pass an exam against a live network. So we built it and you know what, we still sometimes get complaints that it's too hard and too complicated. When we first rolled this out in the US, the training organization we worked with didn't see a future for it because they said they needed an easier exam, a knowledge-based one, so people can pass and take a certification back to the office which will bring in more people. Then they can also promote a high pass rate in their marketing for that training. So we stopped working with those training companies in the U.S. that wanted an easy pass to sell easily to the masses. But that's just mainly a problem in the US and most other regions have been just fine for us. In those other places the ISECOM certifications really mean something and get people employed and advanced and vetted for having them. So please don't lump all security certifications together. Some of us are working hard to help and such comments don't. Sincerely, -pete. PS: Sure I work for ISECOM so I am biased about the quality of our certifications but facts are facts and our certifications really are applied knowledge, hands-on examinations. ------------------------------------------------------------------------ This List Sponsored by: Cenzic Need to secure your web apps? Cenzic Hailstorm finds vulnerabilities fast. Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=70160000 0008bOW
------------------------------------------------------------------------
------------------------------------------------------------------------ This List Sponsored by: Cenzic Need to secure your web apps? Cenzic Hailstorm finds vulnerabilities fast. Click the link to buy it, try it or download Hailstorm for FREE. http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW ------------------------------------------------------------------------
Current thread:
- Re: Re: CISSP, (continued)
- Re: Re: CISSP R. DuFresne (Dec 19)
- RE: Re: CISSP Mueller, Daniel (NMCI CIRT) (Dec 20)
- Re: Re: CISSP R. DuFresne (Dec 19)
- RE: CISSP Craig Wright (Dec 04)
- Re: RE: CISSP mr . nasty (Dec 04)
- RE: RE: CISSP Bates, Chris (Dec 05)
- Re: RE: CISSP Tim Shea (Dec 05)
- Re: Re: Re: CISSP mr . nasty (Dec 05)
- Re: CISSP Michael Krzeszkowski (Dec 05)
- Re: CISSP Michael Mooney (Dec 10)
- Re: Re: CISSP shyaam (Dec 20)
- Re: Re: CISSP R. DuFresne (Dec 27)