Re: Getting worried about the CISSP
From: zenner (nospam)
Date: 03/27/04
- Next message: redrider: "Re: Question: Erasing Files"
- Previous message: Colonel Flagg: "Re: Getting worried about the CISSP"
- In reply to: Ford Prefect: "Re: Getting worried about the CISSP"
- Next in thread: Rowdy Yates: "Re: Getting worried about the CISSP"
- Reply: Rowdy Yates: "Re: Getting worried about the CISSP"
Date: Sat, 27 Mar 2004 20:01:31 GMT
Yes, there were classes that were restricted to vendor employees, just as
today there are techniques and utilities (MS for example) that only in-house
employees are aware of and/or trained to use. Reason being, they are
dangerous in the wrong hands. The concept of Security by fostering ignorance
is still alive and well in the 21st century. However, in the remaining
mainframe vendors and solution providers, it is possible for contractors to
attend classes either at the company or taught at the location
provided by the client, on their own dime without having an installed
system. Education is just as much of a commodity as software, OS's, or
applications. There is a difference in price for internal, external and self
pay external clients.
By the way, I doubt if any legitimate, authorized ATC will advertise
"guaranteed" pass. There are unauthorized outfits, some very large, that
offer training, but again they are not sanctioned. I can offer to repair
your Porsche in my backyard, that doesn't make me an authorized Porsche
mechanic. I can teach any and everybody a course on Checkpoint, various MS
courses, from any number of books, manuals or personal experience...doesn't
mean I am representing MS or CP.
I have no desire or see any need to detail, clarify each and every point.
The issue isn't the detail of semantics, class, course or certification. The
issue is whether or not there is value in certification. I believe there is
and that value transcends all the supposed negatives. The negatives are
merely reflections of the ends which people will go to achieve un-earned
recognition or attempt to bypass them. Unless you have a better solution
that will supply the needed quantity of knowledgeable workers that
client/server installations require and can find a way to improve the
training process, what are we really talking...nothing more than the
assumption that those that got their certification "in the good old days"
are superior to those that are seeking to achieve their certifications today.
I see that as wrong and elitist. There are many very good Techs coming up
today, yet all are being branded with the label of "Paper this or Paper
that"...it has to stop. The OS's are becoming simplified, meaning on the
presentation level, you can easily install most OS's or applications. They
(developers) are doing a much better job of producing self installing code.
What this means, is when it does break down, or you need to make a non
standard accommodation...the configuration is probably obscured by 5 or 10
layers of GUI. If you don't know where to look, you will not be able to
stumble around and find it, like was possible in NT, you need specific
knowledge that is best learned from organized classes. As much as the
culture of Linux and Unix touts the superiority of their chosen addiction,
the lack of standards makes it unlikely that a ubiquitous level of
competence can be achieved as easily with either OS as can be done with MS
products.
Do not misinterpret my acceptance of Certification as blanket advocacy.
Re-read my points and you will see that I fully expect the candidates to be
prepared for the job they are seeking. I also expect the employer to be
willing to pay a reasonable wage for a well trained employee, this culture
of lowest bidder gets the job...well you get what you pay for.
Even in this forum, some of the requests for assistance...well you read them
too. Some show a lack of professionalism and reveal a large deficit in
training. What it says is not that training is bad, it says that hiring is
bad. There are a lot of very good people out of work, because they can't
survive on current wage levels and still keep their skills up. Some are
leaving the industry; the lucky ones are tapping their resources or going
back to school, getting the degrees they postponed during the time when you
were hired on ability instead of some artificial standard. Final point, when
you hire based on any degree or certification and lowest salary,
exclusively, you will end up paying for it in down time, lost productivity.
"Ford Prefect" <restaurant@end.universe> wrote in message
news:4065CA2F.907@end.universe...
> zenner
> > To a point, your comments are valid...but let's go back to dinosaur days. Even
> > then to really work as a system Admin. you needed to train on vendor
> > specific hardware and software. IBM, Amdahl, Stratus, Compaq, Tandem...all
> > required specific knowledge, you had to take training in their courses if
> > you really wanted to get the best from the system.
>
> No such training was offered other than to their own customer
> engineers and system engineers, or to those who were already clients.
> For example, one could not get training in IBM mainframe maintenance
> without being an employee of IBM. That later changed when the service
> bureaus, such as EDS and others, came into being, but even those were
> only offered to employees of a firm, not to the public in general.
>
> > Now the server of choice is PC based (not to discount the proprietary chip
> > sets, but they are a very small part of the market). There are no in-house
> > training programs anymore, software is divorced from the platform,
>
> Software has always been divorced from the platform.... that was the
> concept behind high level languages. But OS' have always been until
> the last decade (and even then, there were dependencies on the
> platform, but the average user never saw these).
>
> > you can
> > run anything on anything, in general. However, since the major software
> > (OS) players are MS, Solaris, various Unix flavors and Unix you still need
> > specific knowledge of the more advanced features of each, as well as the
> > applications that run on them.
>
> Which completely belies the platform independence. In fact today's
> software, in some respects, is more platform dependent than those of
> days gone by.
>
> > Certifications were and are a way for a beginning IT worker to understand
> > the OS.
>
> Disagree. COURSES are the way to learn, coupled with hands on and
> learning from co-workers. CERTIFICATION is an entirely different animal.
>
> > How that became bastardized is partly the fault of the employer as
> > well as the test prep source. IF you start to require an MCSE for desk top
> > support, which is obviously way too high a standard for the average duties
> > of desktop support, the candidate knows that, you know that and the test
> > center knows it. So to get the entry level job the candidate knows that all
> > he has to do is jump that little hurdle, then he can learn the real stuff on
> > the job. So, you get book smart MCSE's. Why? Because the job required it.
>
> I think you are missing one of the points... requiring someone to come
> in with a certification in hand means I don't have to train them...
> and in the early days of certs, this was a good indication of the
> skill set and it saved me, as the employer, the costs of training
> someone and the lead time of getting them up to speed in my environment.
>
> The cert-farms are where I place much of the blame... they saw a
> chance for lots of fast money and started cranking out the certs,
> telling everyone that if they paid thousands of $$$ for their cert
> course they'd be a shoo-in for any job. But the only way to meet
> demand was to lower the standards...
>
> > Reminds me of the late night re-runs of M.A.S.H....they have a character,
> > Frank Burns, totally incompetent Dr., who out ranks the main characters.
> > Why, because the army wanted Dr. with "X" certifications. The issue wasn't
> > whether he was qualified to "do" anything, just that he had the correct
> > piece of paper.
>
> Good example! I agree with you here... the blame then does come back
> to the employers for not insisting on a high standard among the certs
> holders, etc. One of the problems I've encountered in this regard is
> that most pre-screening is done via an HR type person who tends to get
> enamoured with certs, etc., and are easily fooled with a little
> techno-babble... as are too many managers....
>
> > When you look for "X", the market will supply it. If hiring managers took
> > the time to interview candidates properly, not inflate requirements and used
> > a little more discretion in just minimal evaluations, we would not be having
> > this discussion. Put too many rats in a cage, turn up the heat and they will
> > kill each other, not because the other rats are the cause of the problem,
> > but because they don't know what else to do, can't see the real problem and
> > start looking for someone, anyone to take out their frustrations on.
>
> Well put. But here I would put the blame on the vendors and
> cert-farms... they cannot afford to make their certs too difficult to
> achieve because that would not take advantage of the "trendiness" and
> would cost them students. Tightening the qualifications for a cert
> tends to drive away revenue... as most people going after the certs
> today are doing so to FIND a job, they will not invest in the certs
> that stringently test qualifications and experience... the MCSE became
> very popular because it was a regurgitation exam.. as long as you
> memorized what was in the study guides, you could pass... but make it
> a comprehensive exam requiring proven ability and applying concepts to
> areas outside the box, and it will fall off quickly...
>
> > If MS didn't offer certifications, if Cisco didn't offer certifications or
> > Sun, etc. What would you do, where would you go and how would you test your
> > ability or lack of same against other candidates? There are flaws in any
> > testing regimen, so let's get rid of them all, No more colleges,
> > Universities, trade schools, Bar exams, Medical internships...let's go back
> > to Guilds, hereditary occupations, apprenticeship programs. They were much
> > more fair and never let any unqualified students through...right?
>
> Don't confuse courses with certifications. MS et al could offer
> courses with high standards for pass rates, but they don't. The
> quality of courses for cert preparation varies widely and wildly...
> yet cert-farms are able to offer guarantees that if you take their
> course you will pass... that should tell you something about the level
> of quality of the final certification....
>
> Managers were well capable of hiring qualified IT long before
> Microsoft or Cisco came on the scene -- there were interviews,
> resumes, reference checks, and even specific skill tests -- along with
> probation periods once one was hired....
>
> I disagree with your comments relating to bar exams, etc. First off,
> the certification authorities in these cases are independent of the
> course providers, and each candidate is individually reviewed / examined
> / quizzed / tested / interviewed... a very big difference from the IT
> vendor cert process. And no reputable university, college provides
> such assurance that you will get a certain degree simply by taking
> their courses... they would be foolish to do so, as it would undermine
> the value of the degrees and courses they offered, and the certifying
> authorities (legal bar, medical boards, etc.) would deem such
> institutions as unaccredited and require additional courses of any
> potential candidates from those particular institutions... quite
> different from what is happening in the IT cert-farm circus...
>
> > "Ford Prefect" <restaurant@end.universe> wrote in message
> > news:4063B281.3050109@end.universe...
> >
> >>
> >>Rowdy Yates wrote:
> >>
> >>>"..." <none@none.com> wrote in
> >>>news:Xns94B7C621FF9FErowdyyates2lycoscom@66.185.95.104:
> >>>
> >>>
> >>>>Colonel Flagg <colonel_flagg@NOSOUPFORJ00internetwarzone.org> wrote in
> >>>>news:MPG.1acc7723d255bcc3989d35@news.charter.net:
> >>>>
> >>>>
> >>>>>that's about the way it's been with all certs for years.
> >>>>>
> >>>>>you're just now seeing it this way, as many have already come to
> >>>>>realize and others that don't believe you/me and the rest of "us",
> >>>>>will argue the opposite, until they realize it too :-)
> >>>>>
> >>>>
> >>>>
> >>>>yes. i guess I just thought things were a little different with ISC(2)
> >>>>and the CISSP. maybe they will put more effort into job history
> >>>>auditing of present and future members to help keep the cert's value
> >>>>high in the eyes of the rest on the industry.
> >>>>
> >>>
> >>>i have been trying to get out of sys admin work and into the information
> >>>security sector for a while now. here is my honest to god opinion.
> >>>
> >>>i would not spend money out of my own pocket on the CISSP. if work paid
> >>>for it, then yes i would study for it and take the exam. but not on my
> >>>own money.
> >>>
> >>>i think you are much better off spending your money on training and
> >>>certification on a vendor specific product. like checkpoint, symantec,
> >>>cisco, rsa, or what ever you like. and keep your fingers crossed that the
> >>>company you are applying to has heard or uses the product you got
> >>>certified in. it's money you spent on acquiring skills that you can apply
> >>>towards a real tangible functioning role in a security environment
> >>>and/or department.
> >>>
> >>
> >>I love how people are so easily suckered into the vendor certifications
> >>without realizing that they have been duped....
> >>
> >>...the vendor certification is a massive practical joke on the IT
> >>community... vendors used to have to employ and train their own
> >>support staff, and thus also received direct feedback on product value
> >>and problems... ...then some marketing hotshot came up with the
> >>"vendor certificate" approach... so now the vendors don't have to
> >>hire, train and retain their own support staff.. ...they've duped you
> >>into paying out thousands of dollars to do their work for them, and in
> >>the meantime have harvested a massive marketing team... if you are "XYZ
> >>certified" you are more likely to only recommend XYZ as a solution to
> >>your boss or client... so now the vendors have recruited you as a
> >>front-line marketer for their products....
> >>
> >>..and the big joke is that YOU paid for the training, not them... and
> >>they don't have to pay you to do the marketing for them...
> >>