October 12th, 2003 12:59 AM
Using a certification as your sole means of judging someone is a poor way of assessing candidates. I think most good HR people know that now. There were way too many people who had MCSEs that couldn't do the job. I have done quite a bit of interviewing, from the hiring side, and I was constantly amazed at the people we would see applying for a high level admin job. If you notice, people that are hiring now do not push so hard for MCSEs anymore. I think more than anything, the people who like it are sales people for VAR type businesses. They basically get to say, look at the certs that our consultants have, blah blah blah... Getting certified can be a very very good thing. But if you think you know something just because you have a cert, with 0 experience, you should think again. That's not directed at anybody in particular, just that if you are new to the IT game, and you think a cert will be the answer to everything, you are mistaken.
Also, from what research I have done into CISSP, it is mostly about definitions and technology, with a lot of encryption. It doesn't get into the nitty gritty of vulnerability testing, or the how-to when configuring routers or firewalls. It is just more of know that a firewall does this function. An IDS does this function.
I strongly believe that the most useful and most accurate certification available now is the Cisco CIE.
October 12th, 2003 03:32 AM
MsMittens > I think you should look more into the GCIA (Intrusion Analyst) and GCIH (Incident Handler) for what you like. The GSEC itself is their basic intro cert that also includes the CISSP CBK. Though it touches on Intrusion Detection and packet sniffing it doesn't get too much depth. The GCIA training however gets down and dirty with what you love most with the most basic tools to make sure you know what you're doing before you get a pretty user interfaced tool that does most of the work for you.
"When I get a little money I buy books; and if any is left I buy food and clothes." - Erasmus
"There is no programming language, no matter how structured, that will prevent programmers from writing bad programs." - L. Flon
"Mischief my ass, you are an unethical moron." - chsh
Blog of X
October 12th, 2003 04:24 AM
Yes, well, cringe away. I just finished six+ months of generating security policy, standards and guidelines (which, it turns out, I'm not authorized to write -- but that's another story) for our first-ever audit. My primary references were the CISSP texts. It ain't easy to write this stuff for a state agency that hasn't been in business very long, no organizational history or documentation to draw on.
corporate IT security officer
Whoa, I cringed when I read that phrase....
Comments on HR: Yeah, I have to agree with those who feel that HR still doesn't have a clue. We have moved so far beyond what HR can understand. Everything they know about technology or security they get from their HR crony meetings. Ask them to trust their local techs or IT experts? Yer dreamin'!
Juridian is right, the CISSP does cover a broad sweep, and not too technically deep. I think that was the intent. As a sys admin, I don't want a corporate sec off messing with my systems. But a CSO needs to take a larger view of the issues, provide policy, guidance and direction--and be able to bring the physical plant, HR and administrative into step for IT security.
As for hiring, our IT has a defining role in the defining and selection of new full-time staff. I lead the committees that hired my boss, and one of my co-workers. That is about the only way to make it work. You cannot afford to turn that over to HR alone.
BTW, on our security audit -- we only had one exception and are "in compliance!" Woohoo!
Thanks, also, for the information on the GCIA certs. I've bookmarked their web site and will study these carefully.
All these new things ... no time to play with 'em all!
October 12th, 2003 04:33 AM
Certifications serve only as a "measuring stick" to HR and non technical managers/employers when hiring employees.....
It in no way measures, in my opinion, a person's true technical abilities or lack of....
When deciding to acquire a particular certification, base it purely on popularity level or what the current "de facto standard is" among employers/HR/etc.....it translates basically to $$$$$
With that said, the CISSP has been for the last 5 yrs and still is a very popular certification to have.....
Just my opinion
I strongly recommend for anyone looking for a career as a security professional to find a way if possible to get a "security clearance"; it is going to be in my opinion one of the major factors that is going to separate you from the so many others entering the security industry.
(need company to sponsor you, not an easy process....not any company can sponsor)
June 3rd, 2004 03:40 PM
I was told by someone I should go for my CISSP and GIAC exam. How hard are the exams?
June 3rd, 2004 09:43 PM
i think it's great this is finally starting to come back and bite most companies. hiring someone who only knows what a network is by a microsoft diagram is just begging to get your ass handed to you. if a piece of equipment doesn't cost $500 in licencing, then how can it possibly be good?
Companies are finally understanding the necessity of security.
i recently went through a mcse bootcamp to get my mcse. there were 11 of us in the class, 2 people had their mcse under nt. neither of them successfully obtained the newer cert, and both of them were confused by anything that wasn't made by ms (what is a router? cat5?) it was very sad, actually.
U suk at teh intuhnet1!!1!1one
June 4th, 2004 12:34 AM
I remember when the explosion of the A+, MCSE, and others occurred. Every HR department in town fielded resumes strictly based on what certifications were on any given one. Forget the experience, forget what they have put down as fields of knowledge, all that was out the door. I can't tell you how many good people were tossed by the wayside because they didn't have the glorious MCSE stamped on their resume and how some straight-out-of-college MCSE-wearing guy got the job making 60k a year with no experience. Saw a lot of that during the internet boom as well. Then things went straight to #*@! when they couldn't get a server back up or troubleshoot network problems, etc...because it wasn't taught in their 2 week crash course.
Certifications, while a nice thing to have, really don't apply IMHO. I'm a unix administrator and I was going for my HPUX 11i certification. Got through the first two classes (at $2500 apiece) and was about to start my third so I could take the $300 test when I realized something. After taking the test, I'd have to pay a yearly fee to maintain the certification. Not a problem there, but what if I moved jobs and I wasn't in an HP shop? Hence, I never got it.
Good to have, pretty on a wall, but I'll take experience any day. Nowadays, any good IT professional who has 5 years or more of solid experience has all-around "jack of all trades" experience and combined with a few more like that, any problem can be solved.
We the willing, led by the unknowing, have been doing the impossible for the ungrateful. We have done so much with so little for so long that we are now qualified to do just about anything with almost nothing.
June 4th, 2004 04:52 PM
At the moment I am going to school and have done and am working on the following certs.
A+ (hardware done, software exam very shortly)
MS course 2152C (implementing 2000 server and pro)
CCNA (first semester done. Got it like a week ago, it's still on my desk)
CCNA is great if you ask me. I like it the most of what I'm doing. Going through this really teaches you something.
A+ was boring. I don't like cramming my brain full of tables like what IRQ belongs to what device. I don't think that it's useless but I won't be using it a lot.
MCSA sucks. Don't know what's so good about it, it guides you through menus and wizards but it doesn't really build knowledge about what you are doing, just how to do it.
I think (don't have any RL experience though) that some certs are more useful than others. And that they CAN give you some information on an applicant's possibilities when backed up with experience.
Since the beginning of time, Man has searched for the answers to the big questions: 'How did we get here?' 'Is there life after death?' 'Are we alone?' But today, in this very theatre, you will be asked to answer the biggest question of them all...WHO LIVES IN A PINEAPPLE UNDER THE SEA?
June 4th, 2004 05:25 PM
CERTS help to keep your resume or proposal in the review pile instead of the trash.
I have seen it over and over again.
I think a few have hit on what I feel is a very important aspect of holding certifications.
I feel they hold great value with respect to answering Government RFPs in particular.
Most certs are virtually worthless standing on their own, but when used in conjunction with personal experience or the combined experience of a group, they hold much greater value.
Also, the CERT market charges what the collective we are seemingly willing to pay.
Almost everyone I interview for a position with us will admit when pressed if they got a particular cert hoping to avoid the low paying start at the bottom work that builds RL experience in the first place.
Many seem to have forgotten balance...