Re: Getting worried about the CISSP

From: Ford Prefect (restaurant_at_end.universe)
Date: 03/27/04 

Date: Sat, 27 Mar 2004 18:38:24 GMT

zenner
> To a point, your comment are valid...but lets go back to dinosaur days. Even
> then to really work as a system Admin. you needed to train on vendor
> specific hardware and software. IBM, Amdahl, Stratus, Compaq, Tandem...all
> required specific knowledge, you had to take training in their courses if
> you really wanted to get the best from the system.

No such training was offered other than to their own customer
engineers and system engineers, or to those who were already clients.
For example, one could not get training in IBM mainframe maintanence
without being an employee of IBM. That later changed when the service
bureaus, such as EDS and others, came into being, beut even those were
only offered to employees of a frim, ot to the public in general.

> Now the server of choice is PC based (not to discount the proprietary chip
> sets, but they are a very small part of the market). There are no in-house
> training programs anymore, software is divorced from the platform,

Software has always been divorced from the platform.... that was the
concept behind high level languages. But OS' have always been until
the last decade (and even then, there were dependencies on the
platform, but the average user never saw these).

> you can
> run anything on anything, in general. However, since the major software
> (OS) players are MS, Solaris, various Unix flavors and Unix you still need
> specific knowledge of the more advanced features of each, as well as the
> applications that run on them.

Which completely belies the platform independence. In fact today's
software, in some respects, is more platform dependdent than those of
days gone by.

> Certifications were and are a way for a beginning IT worker to understand
> the OS.

Disagree. COURSES are the way to learn, coupled with hands on and
learning from co-workers. CERTIFICATION is an entirely different animal.

> How that became bastardized is partly the fault of the employer as
> well as the test prep source. IF you start to require an MCSE for desk top
> support, which is obviously way too high a standard for the average duties
> of desktop support, the candidate knows that, you know that and the test
> center knows it. So to get the entry level job the candidate knows that all
> he has to do is jump that little hurdle, then he can learn the real stuff on
> the job. So, you get book smart MCSE's. Why? Because the job required it.

I think you are missing one of the points... requiring someone to come
in with a certification in hand means I don't have to train them...
and in the early days of certs, this was a good indication of the
skill set and it saved me, as the employer, the costs of training
someone and the lead time of getting them up to speed in my environment.

The cert-farms are where I place the much of the blame... they saw a
chance for lots of fast money and started cranking out the certs,
telling everyone that if they paid thousands of $$$ for their cert
course they'd be a shoe-in for any job. But the only way to meet
demand was to lower the standards...

> Reminds me of the late night re-runs of M.A.S.H....they have a character,
> Frank Burns, totally incompetent Dr., who out ranks the main characters.
> Why, because the army wanted Dr. with "X" certifications. The issue wasn't
> whether he was qualified to "do" anything, just that he had the correct
> piece of paper.>

Good example! I agree with you here... the blame then does come back
to the employers for not insisting on a high standrad among the certs
holders, etc. One of the problems I've encountered in this regard is
that most pre-screening is done via an HR type person who tends to get
enamoured with certs, etc., and are easily fooled wit a little
techno-babble... as ae too many managers....

> When you look for "X", the market will supply it. If hiring managers took
> the time to interview candidates properly, not inflate requirements and used
> a little more discretion in just minimal evaluations, we would not be having
> this discussion. Put too many rats in a cage, turn up the heat and they will
> kill each other, not because the other rats are the cause of the problem,
> but because they don't know what else to do, can't see the real problem and
> start looking for someone, anyone to take out their frustrations on.

Well put. But here I would put the blame on the vendors and
cert-farms... they cannot afford to make their certs too difficult to
achive because that would not take advantage of the "trendiness" and
would cost them students. Tightening the qualifications for a cert
tends to drive away revenue... as most people going after the certs
today are doing so to FIND a job, they will not invest in the certs
that stringently test qualifications and experience... the MCSE became
very popular because it was a regurgitation exam.. as long as you
memorized what was in the study guides, you could pass... but make it
a comprhensive exam requiring proven ability and applying concepts to
areas outside the box, and it will fall off quickly...

> If MS didn't offer certifications, if Cisco didn't offer certifications or
> Sun, etc. What would you do, where would you go and how would you test your
> ability or lack of same against other candidates? There are flaws in any
> testing regimen, so lets get rid of them all, No more colleges,
> Universities, trade schools, Bar exams, Medical internships...lets go back
> to Guilds, hereditary occupations, apprenticeship programs. They were much
> more fair and never let any unqualified students through...right?

Don't confuse courses with certifications. MS et al could offer
courses with high standards for pass rates, but they don't. The
quality of courses for cert preparation varies widely and wildly...
yet cert-farms are able to offer guaranttes that if you ake their
course you will pass... that should tell you something about the level
of quality of the final certification....

Managers were well capable of hiring qualified IT long before
Microsoft or Cisco came on the scene -- there were interviews,
resumes, reference checks, and even specific skill tests -- along with
probabtion periods once one was hired....

I disagree with your comments relating to bar exams, etc. First off,
the certifcation authorities in these cases are independent of the
course providers, and each candidate is individual reviewed / examined
/ quized / tsested / interviewed... a very big difference from the IT
vendor cert process. And no reputable university, college provides
such assurance that you will get a certain degree simply by taking
their courses... they would be foolish to do so, as it would undermine
the value of the degrees and courses they offered, and the certifying
authroities (legal bar, medical boards, etc.) would deem such
insitutions as unaccredited and require addition course of any
potentiail candidates from tose particular institutions... quite
different from what is happening in the IT cert-farm circus...

> "Ford Prefect" <restaurant@end.universe> wrote in message
> news:4063B281.3050109@end.universe...
>
>>
>>Rowdy Yates wrote:
>>
>>>"..." <none@none.com> wrote in
>>>news:Xns94B7C621FF9FErowdyyates2lycoscom@66.185.95.104:
>>>
>>>
>>>>Colonel Flagg <colonel_flagg@NOSOUPFORJ00internetwarzone.org> wrote in
>>>>news:MPG.1acc7723d255bcc3989d35@news.charter.net:
>>>>
>>>>
>>>>>that's about the way it's been with all certs for years.
>>>>>
>>>>>you're just now seeing it this way, as many have already come to
>>>>>realize and others that don't believe you/me and the rest of "us",
>>>>>will argue the opposite, until they realize it too :-)
>>>>>
>>>>
>>>>
>>>>yes. i guess I just thought things were a little different with ISC(2)
>>>>and the CISSP. maybe they will put more effort into job history
>>>>auditing of present and future members to help keep the cert's value
>>>>high in the eyes of the rest on the industry.
>>>>
>>>
>>>i have been trying to get out of sys admin work and into the information
>>>security sector for a while now. here is my honest to god opinion.
>>>
>>>i would not spend money out of my own pocket on the CISSP. if work paid
>>>for it, then yes i would study for it and take the exam. but not on my
>>>own money.
>>>
>>>i think you are much better off spending your money on training and
>>>certification on a vendor specific product. like checkpoint, symantec,
>>>cisco, rsa, or what ever you like. and keep your fingers crossed that
>>
> the
>
>>>company you are applying to has heard or uses the product you got
>>>certified in. it's money you spent on aquiring skills that you can apply
>>>towards a real tangible functioning role in a security environment
>>>and/or department.
>>>
>>
>>I love how people ae so easily suckered into the vendor certifications
>>without realizing that they have been duped....
>>
>>...the vendor certification is a massive practical joke on the IT
>>community... vendors used to have to employ and train their own
>>support staff, and thus also received direct feedback on product value
>>and problems... ...then some marketing hotsohot came up with the
>>"vendor certificate" approach... so now the vendors don't have to
>>hire, train and retain their own support staff.. ...they've duped you
>>into paying out thousands of dollars to do their work for them, and in
>>the meantime have harvested a massive marketing team... of you are XYZ
>>certified" you ware more likely to only recommend XYZ as a solution to
>>your boss or client... so now the vendors have recruited you as a
>>front-line marketer for their products....
>>
>>..and the big joke is that YOU paid for the training, not them... and
>>they don't have to pay you to do the marketing for them...
>>
>
>
>
> ---
> Outgoing mail is certified Virus Free.
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.624 / Virus Database: 401 - Release Date: 3/15/2004
>
>