WebApp Sec mailing list archives

Re: Re: Notes from CISSP class with Dr. Eric Cole


From: f_kenisky () earthlink net
Date: 11 Oct 2005 18:01:00 -0000

My opinion on this matter...

Both of you are right.  If your experience is more valuable than the 
certification then don't bother with the certification and the other way 
around.  It's half a dozen of one and six of the other.  Whatever 
lights your pipe.  As for myself I had several years of experience and 
felt that the certification helped me validate that experience both to 
myself and to those I work for and with.  I know it's a strange thing for 
those of us who went the extra mile it's a strange phenom when after you 
receive the certification how people tend to think now you have all the 
knowledge.  And those who think you're just full of it.

I for one find that there are those few professionals who don't know any 
more now than before they were certified nor will they know any more now 
that they are.  It's like this one player on my daughter's basketball team. 
 She's about as significant as a shadow.  No matter what she does or how 
much she goes to practice she just doesn't get it.  She might as well run 
back and forth on the court cause she provides nothing to the team. 
However she has become a liability.  People (hackers) score on her all the 
time.  Of course she gets frustrated by this but doesn't do any more to 
improve her skills.  She will eventually make Varsity if she stays on the 
team.  But what does that mean?  She's got the 'Certification' but then 
will everyone on the Varsity be judged by the one who is without the 
necessary skills?

The small answer is, YES.  As human BEANS, we tend to pass judgement sort 
of like we elected a President based on propaganda politics.

As you can see I hold many of the "SECURITY" Certifications.  I'm proud 
of this.  I worked hard to get these, they were not handed to me and I 
didn't just take the test and pass.  I studied for three years for all of 
them.  Does that mean I'm dumb?  To some...  But then it could also mean 
that I'm determined.  It could also mean I have a lot of money and don't 
have anything else to spend it on.  Or that someone else really likes me 
and spent the money for me.  Actually, I fall into the second category.

I had to take the exams three different times because I had the experience 
of working through problems in my practical sense.  But there is a reason 
for a theoretical methodology.  What may work in your environment doesn't 
necessarily work globally.  Therefore it pains us to think we have to 
change our view and think globally.  Locally is difficult enough, hey I'm 
just as guilty.  I took the test three times remember.  I remember my 
bitterness after flunking each exam by what, two points or even in one 
case like one point.  DAMN!  Who needs to be certified?

The funny part of this is that before I was certified I saw a problem with 
a network configuration.  I recommended that management make a change for 
security reasons.  Management just ignored what I said and brushed it off 
as a security issue too difficult to guard against.  After I became 
certified and mentioned the same problem, Management took action.  Now 
just exactly what did I do different?  I've looked into the matter many 
times and can't figure it out.  I don't work for them any more as the 
certifications help me obtain a greater salary (25g's) more than I was 
making.  Not really putting me up there with Bill Gates but then again I'm 
not riding the bus these days.

I teach for all these certifications; I enjoy teaching them.  I encourage 
all the students to forget how they do things and study how the exam's 
approach is to the issue.

The certification doesn't make you a guru.  It does however give you a 
good understanding of information security on a global level.  It also (if 
you get involved with local chapters) gives you an opportunity to meet 
with others in your field.  This part is invaluable!

Frank Kenisky IV, CISSP, CISA, CISM
Information Technical Security Specialist

