Even so, a heart surgeon would not be coming out of med school. This is what their residency is for. To train under a qualified and experienced surgeon until they are considered experienced enough to lead the operation on their own. Perhaps something similar should be required of our industry. Not very easy to do in our industry, I know. But internships are always available.
I also fail to see how the term CEH or a similar term is a "needed concept in computer security". Pen testing and vulnerability assessments are not new concepts.
This is not implying that there is no need for certifications. I am stating that I don't see the value of a term such as "Certified Ethical Hacker". It does little to encourage me from the perspective of a person looking to hire a pen tester. As you stated, dealing with corporations can be difficult due to their mindset and requires as much management ability as technical ability.
I agree that a cert does have a lot of value and does provide a certain level of assurance to a corporation. It helps open doors for the cert holder too.
Does it certify a level of skill? Yes, but not to the level most people assume or expect. I have certs in various disciplines and I teach classes for these same certs. One of the first things I do is explain that a cert is a stepping stone to broadening their knowledge. This, based on postings and conversations I have seen, does not appear to be the understanding of a lot of recently certified individuals. I am not talking about people that have earned the cert for reasons such as client confidence, etc., or have years of experience behind them, but people that are now wanting to enter the security field and figure that a cert is the way to go or all that they need.
I have interviewed so-called pen testers/ethical hackers that are unable to explain how a simple FTP connection is established using the OSI model as a reference for their explanation. This disturbs me, as on paper they look qualified for the position yet don't have even basic knowledge.
I see the CEH as a flawed beginning, but I am hoping it will continue to improve.
I agree with you here. Name of cert aside, it, and others like it, are a good beginning but still have a far way to go from teaching the tools to explaining how and why those tools work or don't work.
While it does sound as though I am dismissing the CEH as a valid cert, I'm not. I'm simply saying that the perception of these certs needs to change. I know many people with the CEH that are incredibly talented people and very, very good at what they do. But the cert is not where they gained these skills.
OK, time to step off my soapbox.