[Dshield] SANS going to proctored exams?
Clement Dupuis
cdupuis at cccure.org
Fri Dec 7 22:06:09 GMT 2007
Every single certification has its share of people who are great at taking
tests, but that does not prove they can do the job. It is the responsibility
of the certification body to see how they can keep the certification
valid over time and also test one's key skills and knowledge.
Certifications today have changed a whole lot from certifications 10 years
ago. 10 years ago, only people who had a long track record of practical
experience would attempt a certification exam and pass it. It was not a
learning tool, it was a confirmation of what you knew already. Today
people use a certification to learn a new area of expertise. The world is
upside down. So you can expect that lots of people with certs will have
basic experience, more specifically if there is no prerequisite to sit the
exam and it is in demand.
On another side, most people today are a lot more clued in than 10 years
ago as far as security is concerned. So what was regarded as a challenge at
that time might be simply the minimum expected today.
Today certifications such as the CISSP are definitively NOT meant to indicate
that you are an expert in all of the 10 domains. There is no way that one
could be. It simply allows you to interact better with your peers such as
developers, penetration testers, policy developers, and it allows you to
better appreciate security overall. It makes you understand that people,
process, and technology are all needed. Stacking black boxes no longer cuts
it.
Anyone who requires a Firewall Admin to be CISSP does not understand what it
is about. The person would get a lot more benefit from a GCFW class. Human
resources people would need to take a class on what the different
certifications really mean and which ones are applicable to specific
employment or tasks. Unfortunately they go with the common buzzword and
they do not do their homework.
People have the same approach with security as they have with their
healthcare. They do not want to live a healthy life because it would
require getting off their behind and doing some serious training and changing
their feeding habits as well. People just want the pill that will lower
their cholesterol and blood pressure. A few years ago people would get
certified to show their mastery in a specific field; nowadays they only want
4 more letters after their name. They want to get more money. They want to
work from 8 to 4. It is no longer a passion.
Hopefully this will readjust itself and we will start seeing more
certifications that include a supervised hands-on component where one can
really demonstrate their knowledge. Something like the GSE is definitively
not doable by any wannabe. You have to know your stuff in and out.
A great weekend to all
Take care
Clement
> -----Original Message-----
> From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org] On Behalf Of Joel Esler
> Sent: Friday, December 07, 2007 11:34 AM
> To: General DShield Discussion List
> Subject: Re: [Dshield] SANS going to proctored exams?
>
> You also have to remember that certs on a resume get you either put in
> the "interview pile" or get you past HR. It's also used for salary
> negotiation.
>
> It very much depends on the type of organization you are trying to get
> hired to. I've worked for companies that really really care about
> certs, and I've worked for companies who really didn't care.
>
> Because it's not about if you have the certs. It's "can you do the
> job". That's what matters. I know of people that have the CISSP that
> can't get out of a wet paper bag. A lot of them actually.
>
> But for that matter, I know people that have masters degrees in
> Computer Science that have no idea what a 'packet' is.
>
>
> --
> Joel Esler
> http://www.joelesler.net
>
>
>
> jeffrey.stebelton at citi.com wrote:
> > Hmm. Let me restate that. Good points. Unfortunately almost every job
> > listing I see that has anything to do with information security usually
> > requires or at least strongly prefers a CISSP certified candidate. So
> > perhaps I should have said if we want our GIAC certs as highly desired and
> > required, rather than respected....
> >
> > Jeff Stebelton, GCFW GCIA GCIH CEH ESSE
> >
> >
> >
> > _________________________________________
> > SANS Network Security 2007 in Las Vegas September 22-30. 39 courses,
> > SANS top instructors. http://www.sans.org/info/9346