Penetration Testing mailing list archives
RE: Hacker Stories, Certs, vs Projects - the real problem?
From: "Hirsch, Adam" <Adam.Hirsch () dresdnerkleinwort com>
Date: Mon, 31 Jul 2006 15:50:16 -0400
David, I think that something along the lines of the Law Bar Exams is required. In the Bar exam there is a mix of multiple choice and essay-style questions based upon test cases. Using essay style questions requires the test taker to analyze a scenario and provide actual insight into their level of knowledge. Instead of memorizing hundreds of multiple choice questions, they will have to prove their actual knowledge by applying it to different situations. Even thought grading these are much harder, it does provide a true sense of the test taker's thought process, skill set, and understanding of the material. While I must admit that I have the CISA, CISSP, and CCSP, I do not think that any of them truly tested my actual abilities. I have 7 years of experience in Network/Security Design and none of those exams was able to tell if I know how to apply the material in a real world scenario. The Bar Exam and CPA all require one to analyze several different test cases and apply the knowledge and skills to answer them correctly. Another problem I see is the extremely high pass rate for many of these exams. I think that a 70% pass rate on any exam is way too high. I feel that a test taker's score must always be scaled and compared to previous test takers. Raising the bar for a passing grade will ensure that fewer people are able to just get bye when using a boot camp or a single study guide to pass. It will ensure that only the upper echelon of people taking the exam pass. Getting a 75% to achieve a 'Gold' status certification is ridiculous. Not to put anyone down, but anyone getting a 75% or 'c' does not deserve to qualify for something being sold as THE 'Gold' status in security. I would seriously argue that anyone getting 'C' should not be considered as having even an above average grasp of the information security. I think that these are some of the major issues (besides cost and time) why some more senior security specialists have not gone the cert route. If the certs had a little more credibility and tested actual knowledge and ability to apply it, while also enforcing a higher standard for passing, then the certs would start to hold more value across the industry. Currently, I feel that many of the people are getting certs (myself included) to help use as a marketing tool to current and future employers so they can get past HR and then let their real experience sell them to the hiring managers. -Adam If you have received this e-mail in error or wish to read our e-mail disclaimer statement and monitoring policy, please refer to http://www.dresdnerkleinwort.com/disc/email/ or contact the sender. ------------------------------------------------------------------------------ This List Sponsored by: Cenzic Concerned about Web Application Security? Why not go with the #1 solution - Cenzic, the only one to win the Analyst's Choice Award from eWeek. As attacks through web applications continue to rise, you need to proactively protect your applications from hackers. Cenzic has the most comprehensive solutions to meet your application security penetration testing and vulnerability management needs. You have an option to go with a managed service (Cenzic ClickToSecure) or an enterprise software (Cenzic Hailstorm). Download FREE whitepaper on how a managed service can help you: http://www.cenzic.com/news_events/wpappsec.php And, now for a limited time we can do a FREE audit for you to confirm your results from other product. Contact us at request () cenzic com for details. ------------------------------------------------------------------------------
Current thread:
- RE: Hacker Stories, Certs, vs Projects - the real problem? David Cross (Jul 31)
- <Possible follow-ups>
- RE: Hacker Stories, Certs, vs Projects - the real problem? Hirsch, Adam (Jul 31)