Risky Business #103 -- Certified or certifiable?
This week's show is sponsored by Sophos, and hosted, as always, by Vigabyte Virtual Hosting.
In this week's feature interview we'll be hearing from former Network Solutions CSO Richard Forno.
He's joining us to discuss a proposed bill in the USA that would require all information security professionals working on government systems to hold some sort of certification. It's an interesting idea, but Forno hates it.
Is the new government certification program going to be a part of the DOD8570 directive?
I may work on government systems in the future so I guess it's time to hit the braindumps... (sarcasm; another reason certifications may not hold value)
On another note: I have been unable to find actual Ghostnet/rat paper, anyone have a link?
The talk about certification for working on government systems applies to certifications in general and was really interesting. I think it was spot on: you can't test to see if someone truly understands something, and then, if they do, what that person is like. This is a problem for all certifications, not just security ones, in my opinion. IT, and especially security, is rapidly changing, and it's part of the job to keep up. Passing some cert doesn't mean you can or will keep up with the industry.
If you were to ask someone who is certified "are we safe from conficker?" and they say they aren't but don't worry they are certified I wouldn't be surprised.
Certifications have their place, but are only part of the mix really. I have three MCSEs, an MCDBA, a CCNA, and am partially through my CCNP. It proves nothing about me.
Besides, I have always found that the experience required to do the job properly came after obtaining the cert. Not as part of getting the cert. The cert just gets you a foot in the door.
It’s funny when I see the penny drop for a newbie MCSE when they make the connection between the braindump question they memorized and how it relates to what they do in the real world. It’s funny because I’ve been there.
Quoting Fred Cohen http://all.net/ on SecurityMetrics list debating certification topic.
"OK - this I will strongly disagree with - and it goes back to the 5,000 year thing. In truth almost nothing of the knowledge required to understand the issues of information protection has changed significantly in the last 15 years, and real changes in the required knowledge base don't come very often. This is the difference between knowledge and training. If you were trained 6 months ago, you would likely need retraining today to deal with the changes. But if you have the knowledge of the last 5,000 years, you are unlikely to need new knowledge more than every 10-20 years - at least that's the history of this field - and the difference between knowledge, which is what the university is supposed to help build and provide - and information, training, involvement, etc., which is what the up to date certifications are about."
Quoting Christophe Veltsos:
"The irony is that folks on the security metrics mailing list can't agree on a common measure of a person's grasp of information security. Yet, we likely agree on the difficulty of trying to evaluate someone's depth of security knowledge (or training) using a multiple-choice exam. We need better measures & tools; this may just be the infosec maturity equivalent of measuring productivity using Lines of Code."
RT @hdmoore the best cert for infosec pros: http://www.asscert.com/ (a must-have for scanless PCI providers)
IMHO, I don't think the point of obtaining certs is for people to say they are better than others, and it most definitely doesn't prove anything (other than that you are willing to spend some time and money studying and sitting the exams). I have several certs: CISSP, CISM, 27001 Auditor. The primary reasons for obtaining them are: 1. Help with employment (like it or not, hiring managers like to see them on a CV; why? I think it has to do with being able to make a short list quickly). 2. It provides a tiny, tiny piece of cred before opening my mouth to a new client (if in consulting).
I have yet to meet a person who would say "I know more about because I have a cert". I think if you actually think someone would say this, then you just can't be bothered sitting the exams ;)
Just to touch on another point. Grads or inexperienced people can't just sit the exams and obtain the Info Security certs (CISSP, CISM). You have to provide 5+ years of demonstrated experience through an authorisation process and by submitting your CV. Not saying you can't find a loophole... but you can't obtain the certs without actually knowing something.
I don't think you will have much luck finding any current brain dumps on CISSP or CISM (I and many others have tried). You will find heaps of practice questions and exam guides, CBT, maybe even old questions, but the format is nothing like the typical 'vendor' certs. The only reason the authoritative bodies exist (ISC2 in particular) is to protect exam content.
You may however find GIAC stuff, I am not sure how 'tight' they are.
As a recent grad I can attest to what jonesdog says; it's actually quite a pain to get certified in some security field. It's very much a catch-22.
10 you need experience to get security certification.
20 you need a security certification to get a security job.
30 goto 10
Also, university certification isn't much better either: I now have a Bachelor's in Engineering (computer systems) and a Bachelor's in Applied Science (computer science), but that doesn't seem to really affect any of my prospects, except maybe bumping me a slot higher in the HR shortlist.
What do people recommend for Australian grads wanting to get more security focused roles?
@Pixelicious..... Taking aside things like QSA (and they're few and far between at the moment and needed for certain roles), if a certification is going to make or break someone's opportunity for a role then you're probably better off not in that role. It's only showing that the person/company hiring you cannot compare apples with apples (you vs. other applicants) based upon expertise and experience, and is relying upon something like CISSP, for example, that they've no idea about anyway ---> leading to you being in a role that has no management support/awareness/care factor (in most cases)... a role that is another dead-end crap security position. (Many out there.)
Timing, Pat? Can I plug my ad here as an example (read the last few lines)... just coincidence mate... serious:
You're killing me, I just moved from Melbourne to Sydney, but that job sounds awesome :S
Life is never simple ;)