Thread: Certification Article

  1. #1
    Senior Member kr5kernel's Avatar
    Join Date
    Mar 2004
    Posts
    347

    Certification Article

    I just received this a few minutes ago,

    Since we were talking about BrainBench, and certifications that employers look at, this might come in handy.
    http://www.securityfocus.com/columnists/311
    kr5kernel
    (kr5kernel at hotmail dot com)
    Linux: Making Penguins Cool Since 1994.

  2. #2
    AO French Antique News Whore
    Join Date
    Aug 2001
    Posts
    2,126
    Good Read! It's got my blessing!
    -Simon "SDK"

  3. #3
    AO Senior Cow-beller
    Moderator
    zencoder's Avatar
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177
    Wow! A terrific, and terrifically sobering, article. I too was dismayed by the GIAC requirement change. At first I was happy that I could stop worrying about writing white papers...then the truth sunk in about its potential to become a paper cert (especially considering SANS's training business).

    CISSP is indeed a management-level cert, but, as we've seen all along, every door knob and idiot HR person thinks it is essential for ANY security position.

    More directly, I would say the undervalued Security+ is perfect for this role...new team members, practitioners/admins/operators in the NOC/SOC, etc. CISSP is for the team leads, engineers, managers, etc.
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

  4. #4
    Banned
    Join Date
    May 2003
    Posts
    1,004
    CISSP is not a management level cert at all. It merely states that you have a basic knowledge of more or less all areas of information security, with virtually no focus on management issues. In fact you could miss every management question on the test and still pass easily.

    CISM is the security management cert, and you will notice that it specifically addresses information security management issues, and in far greater depth than the CISSP.

    Another information security certification that is very valuable and frequently overlooked is the CISA.

    catch

    cheers

  5. #5
    AO Senior Cow-beller
    Moderator
    zencoder's Avatar
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177
    Originally posted here by catch
    CISSP is not a management level cert at all. It merely states that you have a basic knowledge of more or less all areas of information security, with virtually no focus on management issues. In fact you could miss every management question on the test and still pass easily.

    CISM is the security management cert, and you will notice that it specifically addresses information security management issues, and in far greater depth than the CISSP.

    Another information security certification that is very valuable and frequently overlooked is the CISA.

    catch

    cheers
    Source = https://www.isc2.org/cgi-bin/content.cgi?category=97
    The CISSP credential is ideal for mid- and senior-level managers who are working toward or have already attained positions as CISOs, CSOs or Senior Security Engineers.
    You may not think it is a management cert, but those who issue it and evangelize it (for personal or professional reasons) pretty much disagree.

    I'd wager that the reason so many folks call it a manager-type cert is that the level of knowledge required across that number of domains makes the typical holder highly knowledgeable in security...and thus more likely to be in a management, leadership, influential, or decision-making role. This by no means makes the person a manager type (hell, many of my former 'Managers' aren't "manager types").

    But you're right catch, it's not Management in the sense of an MBA or BA...it's management in the sense that someone who holds one probably is a good candidate to be an officer of a company with regards to making security decisions, statements of official position, or recommendations. Two types of 'manager' there...because many of the CISSPs I know have NO BUSINESS being in charge of PEOPLE.

  6. #6
    Banned
    Join Date
    May 2003
    Posts
    1,004
    I have no doubts they advertise it as a management cert. Heck, Mitsubishi advertises the Eclipse as a sports car.

    I personally expect that a CISSP be the minimum requirement for all non-Jr.-level security people that my company hires. Why? For most people it at least shows they have the experience, since many of them just take those CISSP courses.

    I frequently remark on how ignorant many CISSPs are of the CISSP course material. For example, if you passed the CISSP exam, you should know how to calculate risk. You should know why OpenBSD's security claims are a joke. You should know why NT is more secure than Linux. You should know the legal implications of a login message. You should know why blind penetration tests are moronic. Etc., etc.... it's all covered in the exam and study materials.

    I don't know if these "CISSPs" are lying about being certified (never cared enough to look one up) or if they are just checking "C" all the way down.

    Either way, I think companies are valid in requiring CISSP for less than management positions.

    cheers,

    catch

  7. #7
    Originally posted here by catch
    For example, if you passed the CISSP exam, you should know how to calculate risk. You should know why OpenBSD's security claims are a joke. You should know why NT is more secure than Linux. You should know the legal implications of a login message. You should know why blind penetration tests are moronic. Etc., etc.... it's all covered in the exam and study materials.
    Heh, talk about simple questions with clear-cut answers. I know most of those things simply from painstakingly reading most of the PDFs in the Rainbow Series Library and some other related material that you so kindly provided in the past.
    I'm not even in the security field.

  8. #8
    While I studied hard for some time to prepare for the CISSP exam, and took an (ISC)2 seminar, and I have many years of experience working with computers, networking and security issues, I can't guarantee that I can bring to my forebrain at a moment's notice a specific technical point. I usually ask for some time to look into it.

    That doesn't mean that the CISSPs you know aren't technically savvy, just that CISSP covers a lot of ground in the ten domains. Heck, an IT auditor with a CISSP at one of the Big Four probably couldn't install a server or perform much of a penetration test. But he/she probably has a CPA, is a hell of a bean counter and strikes fear in the hearts of all when they walk in the door of your company.

    CISSP a management cert? No. Not for management, but for managers. If the person has the creds to get the cert, don't waste the talent on scanning IDS logs.

  9. #9
    AO Senior Cow-beller
    Moderator
    zencoder's Avatar
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177
    Alright, I think catch and I crossed semantic lines...yes, not a management cert. Managers in certain positions need it, yes. Non-Jr. employees in security functions need it...well...I would agree, but with several caveats. I don't think you can justify a statement like that for any and all organizations. For some financial service providers, absolutely.

    But some companies or organizations don't have the resources or, really, the need to have multiple CISSPs on staff. I would think (hope?) that anyone who legitimately earns a CISSP should be able to manage IT Security Operation for an average company. (Yeah, I know...average is defined as 'what'?) I guess that's where I key into the word 'manage'.

  10. #10
    I'm willing to bet money on catch working for a Fortune 1000 company. Just a wild guess.
