RE: Re: University Degree or CISSP



The *most* important factor that you, recruiters and everyone else who *believes* that certifications are a "requirement" -- are that accreditation firms are a *business*, and that certifications are a means for generating revenue for them -- nothing more. They could stipulate their creeds, mottos and reasons for having the credentials, but ultimately, truthfully, it still comes down to money. Given the circumstances, and if sales were down, don't you suppose that ISC(2) would make exceptions to their qualification requirements? If you make your point valid enough, do you really need the four (4) years? Maybe not.

Again, you're under the premise that simply having "alphabet soup" after your name is going to get you a job. It would help your circumstance, but again, is no guarantee. Does this mean then that because I have 2+ dozen certifications, 3 degrees and over 28 years experience in IT, that all of these credentials would make me a suitable "CSO" for a company? Based upon your logic, if you have a CISSP cert, and should have a job in security based on the fact that you have letters after your name, then I should be the "CSO" for a Fortune 100 company someplace within the United States, right? ;P

Getting a job comes down to several factors: (1) experience, (2) educational background, (3) professional credentials and affiliations, (4) publications (have you written anything that's been published?), (5) be at the right place at the right time, and/or sheer dumb luck (pick of the draw -- think "eenie, meenie, minee, mo"). I throw in the latter because, in some circumstances, it's either being at the right place when they decided to make a decision, or just that you were the first person that they chose. And....sometimes, you'll never know (truly) *why* you didn't get that job. It could've been personality, someone else had 1 or 2 more certifications than you, someone else worked at a previous employer that the hiring manager formerly worked at themselves -- any of those can play into the game. And if that were the case, did that certification actually help you? Probably not.

To use the coined phrase my mother told me about getting work nowadays: "'Ya gots 'ta kiss alot 'ah frogs."

Good luck in your endeavors.

-rad

----- Original Message -----
From: "Huang, John, GCM" [mailto:John.Huang@xxxxxxxxx]
To: Bob Radvanovsky [mailto:rsradvan@xxxxxxxxxxxxx], Ken Kousky [mailto:kkousky@xxxxxxxxxx], security-basics@xxxxxxxxxxxxxxxxx
Subject: RE: Re: University Degree or CISSP


> A legitimate CISSP requires at a minimum of 4 years of industry
> experience or 3 years if you have a Masters, therefore, a CISSP is more
> desirable than a recent grad. :)
>
> -----Original Message-----
> From: Bob Radvanovsky [mailto:rsradvan@xxxxxxxxxxxxx]
> Sent: Tuesday, January 24, 2006 4:51 PM
> To: Ken Kousky; Huang, John, GCM; security-basics@xxxxxxxxxxxxxxxxx
> Subject: RE: Re: University Degree or CISSP
>
> OK, time for my $0.02 worth of commentary.
>
> Ladies, the outcome from all of this bickering is simple: you need both.
>
> I have several degrees that are both business and computer related,
> along with slightly over 2 dozen certifications. Realistically, the
> ONLY reason for having a certification is so you can: (1) either promote
> yourself better within your company to acquire or move to a higher
> paying position, or (2) move onward to another company, demonstrating
> your knowledge and skillset.
>
> This goes back to my original analogy of Dr. Seuss's story of the
> "Star-Bellied Sneetches". The eventual outcome was that neither was
> better than the other, and they needed each other to band together.
> Simply having the CISSP certification does have some merit because of
> its length in the industry and how some recruiters consider it
> prestigious. That may be. However, I know people who, not only have
> the CISSP, but other security-specific certifications, and couldn't
> perform a risk assessment, penetration analysis, case study, or even a
> simple audit without consulting the "Auditing for Dummies" book (there
> isn't one that I'm aware of, but I am simply being demonstrative for
> this case).
>
> Consequently, I've known college students that got almost straight "A's"
> throughout college. And 'ya wanna know what they're doing today?
> Unemployed. Yup. And the reason why? They can't *apply* what they
> know, because they never really studied, only memorized, the material.
>
> It is a balance of having both items. If you look closely at many job
> requirements, it's something to the effect of cert plus degree, or
> degree with experience, or cert with experience. Simply having them
> both is no guarantee that you'll get the job, and consequently, having
> experience but no degree or cert won't get you the job, either.
>
> A friend of mine pointed something out to me in very simple terms.
> Recruiters are nothing more than order takers, very similar to those
> order takers from fast food restaurants, such as McDonalds. Most of
> them have very little knowledge of the industry, knowing just enough of
> the terms and buzzwords to be dangerous, but have practical knowledge in
> how to read and comprehend people. What they're good at doing is
> filling slots for companies -- nothing more. Companies give the orders
> on what they want filled, and what are the requirements. The recruiters
> try and attempt to fill the slots as best as possible. And any
> recruiter that tries and tells me that there's more to this is crazy.
> For example, we had ONE job position available here in Chicago recently.
> The next day, 24 recruiters attempted to state "unique job opportunity",
> all funneling into that ONE job position that had opened up. Also,
> these recruiters used the exact same job posting boards that you and I
> use: Monster, AllJobs, USAJobs, HotJobs, etc. So, how is that helping
> you out? They'd like to say that they have their own selective search
> database and that their service is unique and comprehensive.
> Rrrrrrr-ight. Many of them *share* data between each other. It goes
> back to filling slots and them getting their commission checks --
> nothing more. In fact, most recruiters would rather that people move
> from job to job to job more regularly, because they'd get a fatter,
> bigger bonus. I know several long-time colleagues from the IT industry
> recruitment field (about 15 years now), and they occasionally come to me
> with a job req., asking if I'd be interested. It's always the same
> thing, doing the same crap, day in, day out, and offers nothing more
> than a lateral move for me. BUT...what it does do is give me a little
> bit more insightful information as to how their recruiting process
> works. Recruiters try and get people to sign up with them for their
> *EXCLUSIVE* search database, almost stating that they'd GUARANTEE you a
> job. HINT: if you listen carefully, and have done this as long as I
> have, you'll never actually hear them "guarantee" you a job. To do that
> would be misleading, and I'm pretty sure that it might even be on the
> border of illegal, too.
>
> Here's my advice on getting a job. If you have ZERO experience, DO NOT
> expect to get that $80K/year job -- you'll have to stand in line for
> guys like me who'll want it. Companies want EXPERIENCED people these
> days, and folks who have intelligence, ambition and ideas are good, but
> won't give or offer those lead positions. Start small and work your way
> up. Sooner or later, you'll get noticed by someone and get that job
> that you wanted. Chances are, that job wasn't what you wanted, anyways.
> And...many lead roles have some risk to them. If you f*** up, you might
> get fired -- as the chances are for those who work in the financial
> sectors (banking, trading, funds, etc.) or the healthcare sector.
>
> If you have SOME experience, and have an A.S. degree, finish getting your
> B.S. degree, but settle for that job doing PC repair. Build up some
> experience some more, and learn people skills, communication skills, and
> techniques, and polish them for when you graduate with the B.S. Chances
> are, you'll get a better job than you've realized after you've received
> your B.S.
>
> If you have A LOT of experience, get a few certs -- it can't hurt.
> CompTIA is a good one for starters. Once taken, they're good -- FOR LIFE.
> They're NOT senior or lead level certs, but they show that you have a
> rudimentary understanding in whatever field of interest you want. Their
> SECURITY+ is OK, but combined with a NETWORK+ and an A+, shows that you
> have basic knowledge in IT networking, hardware support, and know how to
> spell and say "security". Some certs to be wary of: CISSP. It is aimed
> for the "average manager" who knows very little of security, and has been
> thrown into the role of security. It is VERY broad-based, and covers
> mostly management concepts in security. A comparable cert to the CISSP
> that's gaining attention is the CISM from ISACA. It focuses more on the
> auditing and forensics aspects of security, which are the up-n-coming
> areas of interest within the security industries.
>
> Other certs that you'd want to pay more attention to, are more
> specialized, and in most cases, much, much more technical. Those would
> be the Cisco CCNA (don't waste yer time with the CCNP, get the CCNA, but
> be prepared for A LOT of studying about routers and the routing protocols
> -- also their tests are brutal and require A LOT of practical over
> memorization of concepts; Cisco WANTS to make sure that you KNOW
> "networking"), the SANS GIAC (I liked their certs pertaining to
> firewalls, IDS, general network security, and the one on policy
> management), CIW (if you're a web designer, you should have this one),
> CIFI (an IT forensics management cert, esp. if you're a police officer or
> involved with law enforcement, this is a good one to have), CIPS (a new
> certification pertaining to "Critical Infrastructure Protection",
> offered by the Office of Infrastructure Preparedness, and deals with
> emergency management, disaster recovery and planning, and homeland
> security -- all very good if you work for a critical infrastructure
> company), and perhaps the CISA (also by ISACA), which focuses entirely
> on IT auditing. Also, consider getting a few other specialty O/S certs:
> IBM, HP, Sun, Red Hat, Microsoft, Novell -- all offer comprehensive
> operating system certs for their O/S's.
>
> In closing, a degree demonstrates that you "know where to look for
> information", and a cert demonstrates that you "know how to look for
> information". Neither one, in my opinion, demonstrates the "what" or
> "why" clearly. That, to me, comes from experience. So, if experience
> is the third factor, you'll need 3 factors: a degree, 3-6 certifications
> (have a vast richness in certs, say a CCNA, CISSP, maybe a CISA, a
> NETWORK+, a LINUX+, and perhaps a forensics or CIPS cert), and 3-5 years
> experience.
>
> -rad
>
> ----- Original Message -----
> From: Ken Kousky [mailto:kkousky@xxxxxxxxxx]
> To: "'Huang, John, GCM'" [mailto:John.Huang@xxxxxxxxx],
> security-basics@xxxxxxxxxxxxxxxxx
> Subject: RE: Re: University Degree or CISSP
>
>
> > This is the craziest conversation I ever heard of - there is NO
> > comparison between a REAL degree and CISSP. CISSP is great, valuable
> > and vital but it isn't in any way comparable.
> >
> > Simply put, if you don't have a degree - get one and get the best one
> > you can.
> >
> > -----Original Message-----
> > From: Huang, John, GCM [mailto:John.Huang@xxxxxxxxx]
> > Sent: Monday, January 23, 2006 1:41 PM
> > To: security-basics@xxxxxxxxxxxxxxxxx
> > Subject: RE: Re: University Degree or CISSP
> >
> > Degree or CISSP? It depends on where you are in life. A degree helps
> > you in the door and advancement into a management position usually
> > requires a college degree. But if you're already in the field and don't
> > have a college degree, a CISSP cert is easier to obtain in a shorter
> > amount of time, and provides more immediate benefit since you can put
> > the things you learn into use.
> >
> > -----Original Message-----
> > From: shyaam@xxxxxxxxx [mailto:shyaam@xxxxxxxxx]
> > Sent: Friday, January 20, 2006 10:25 PM
> > To: security-basics@xxxxxxxxxxxxxxxxx
> > Subject: Re: Re: University Degree or CISSP
> >
> > Yes,
> > Very true. Nothing counts equivalent to experience, but experience
> > comes only when someone starts somewhere. I have seen one big thing
> > happening around. People in the industries shifted from technology to
> > business, that is the point when they lost the security and created
> > more loopholes in their own products as they reduced the time needed,
> > reduced budgets and spent more on advertisements and marketing.
> > How does that reflect on people. They need people already with
> > experience. But how is that possible. Everybody needs to start
> > somewhere. So experience does count, but I would say some foundation,
> > some added qualification and some experience is good for a cool job.
> > For a startup job, some degree and some cert is essential.
> >
> > PS: This is my opinion, I am not pointing out any company or any
> > private organization.
> >
> > -S-
> >
