RE: Hacker Stories, Certs, vs Projects - Was Re: Technitium MAC Address Changer v3.1 (FREEWARE)
- From: "R. DuFresne" <dufresne@xxxxxxxxxxx>
- Date: Fri, 28 Jul 2006 18:32:00 -0400 (EDT)
On Fri, 28 Jul 2006, David Cross wrote:
> CISSP != network admin.
Never on this side was I stating these were "equal"; I made a distinction in how my organization pays both sides. Please don't try and confuse the issue with your misinterpretations.
> CISSP = massive amounts of information on how security works, how to
> structure security in an organization, how to manage it, how to audit
> it, how to keep it compliant with laws and how to meet best practices.
> This information is useful only to senior security people who intend to
CISSP is a management track certification at best, not a hands-on massive skills certification; deal with that fact.
> If you want to know the details of what keeping your credential requires
> go to ISC2.org and read the details yourself. I'm not going to spend my
> time babysitting you through it.
And I outlined how that process has changed over time. I guess you are only familiar with the current process and lack the history.
> Also if you actually read the response you see a cert only serves to add
> credibility to what experience a person claims to have. A cert does not
> magically imbue you with power from above. WHAT IT DOES DO IS PROVE YOU
> KNOW ENOUGH OF WHAT YOU'RE DOING TO PASS A VERY DIFFICULT TEST AND IT
> BINDS YOU TO A CODE OF ETHICS THAT REQUIRES YOU RESPONSIBLY REPORT AND
> RESOLVE VULNERABILITIES. (the industry as a whole needs that)
What it does is prove you can study for and pass an exam, nothing more.
> A cert, in most cases is better than none. When I hire people I ask
> them about certifications. People tell me "oh, I'm a security expert"
> and I ask them why they didn't spend the money to prove that they know
> what they're talking about. The response is always, "I don't have the
> money," or "I studied but got too busy to take the test." I've never
> had a person say they didn't think it was necessary. But at this point
> the burden is on me to test them. So I have to spend $99 of my own
> money to set them up with an online test to test their knowledge. I
> have to spend another hundred dollars to have my HR person track down
> all their references and call each one and quiz them at length. I have
> to spend 2 or more hours versus one hour to interview them costing a few
> hundred dollars of my time to try to coax out of them all the insipid
> details of their experience in all the companies they've ever worked
> for. So by the time it's all done I've basically paid for them to take
> the stinking test anyway.
When I've interviewed folks, I avoid asking about certs; I ask pointed questions that can outline whether the person knows his stuff, or if he's trying to bluff his way into something over his head.
> A lot of people come to me to find out how they can get certified in
> computer security. Usually it someone who's been programming for 10
> years and they're bummed because they want a more exciting job or a
> better paying job.
And I pointed out how in recent years, sec folks tend not to make the money that others trained in, as my example defined, admins do to this day. There was a time when sec folks who could demonstrate real skills and real hands-on experience, far beyond showing a cert number for a passed CISSP exam, made real money. These days it's far from that...
Will a cert get you past a clueless HR rep? Sure. Will it automatically put you into high paying jobs? Far less likely these days.
> They say, "I have always wanted to be a security
> expert. How did you get your certification?" Notice they don't ask how
> to become a security expert... only how to get the piece of paper. When
> I explain what it takes they cheerfully ignore the details and wander
> starry-eyed back to their cube dreaming of how they will be the next big
> security expert. Most of them even go buy a study book or books before
> they get discouraged but there are always one or two that take it a step
> further. But I've never had one come back and ask for an endorsement or
> never known one to actually complete it. What I do know is that some of
> them have gone on to other jobs and convinced companies to hire them as
> "security experts" sans a certification. <<hey that's s pun - sans
> meaning "without" and SANS being a certifying body>>
At least the SANS certs show a level of expertise, and thus perhaps have more real value to an employer, if they are seeking skilled professionals.
> Granted I've known great security gurus without certifications...
> fine... in my opinion if you have a very public and unassailable rep to
> stand on. If you don't have an industry known rep then you'd better
> have a cert or string of CVEs to tack on to your resume to get noticed.
> Either way I'm happy with my investment and I earn a modest 6 figure
> income netting a cool 25k more than my cert-less buddies. Plus when I
> consult I can charge well above $100/hr and companies don't even blink.
> So for me the investment in myself and in my test-taking ability has
> paid off. If you can do as well without a cert then I concede you are a
<smile> I have lots of certs in various areas, some I had to gain at employer expense, though I seriously flaunt none; I rely upon my experience, and if needed, can tap many persons for a referral who have knowledge of my skills and abilities. Those referrals pay off better than any 3-4 letter cert credits I might tack onto my .sig.
-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629
...We waste time looking for the perfect lover
instead of creating the perfect love.
-Tom Robbins <Still Life With Woodpecker>