.

Harsh Words for Professional Infosec Certification

<<

Dark_Knight

User avatar

Sr. Member
Sr. Member

Posts: 294

Joined: Mon Aug 11, 2008 7:03 pm

Post Wed Jul 21, 2010 6:38 pm

Harsh Words for Professional Infosec Certification

The report cites the following reasons for its tough-love approach to certification:

    * Individuals and employers spend scarce resources on credentials that do not demonstrably improve their ability to address security-related risks; and

    * Credentials, as currently available, focus on demonstrating expertise in documenting compliance with policy and statutes rather than expertise in actually reducing risk through identification, prevention and intervention.


http://blogs.govinfosecurity.com/posts.php?postID=627
CEH, OSCP, GPEN, GWAPT, GCIA
http://sector876.blogspot.com
<<

dynamik

Recruiters
Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Wed Jul 21, 2010 8:39 pm

Re: Harsh Words for Professional Infosec Certification

I wish I could disagree. I've put more time and money into popular certifications that are garbage when it comes to real-world applicability than I would like to admit...
The day you stop learning is the day you start becoming obsolete.
<<

sultanmg

Newbie
Newbie

Posts: 5

Joined: Wed Sep 08, 2010 5:26 am

Post Tue Sep 14, 2010 7:55 pm

Re: Harsh Words for Professional Infosec Certification

Now that is what I would call harsh. Anyway, I wish I could say something about it as Dynamik have clearly stated it. I just cannot disagree on this one simply because everything that is being said here is absolutely correct andlogical despite being very harsh and rude. I guess sooner or later, it is the health of professional InfoSec certification that is going to degrade if they do not act upon it, in my opinion
<<

caissyd

User avatar

Hero Member
Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Tue Sep 14, 2010 8:39 pm

Re: Harsh Words for Professional Infosec Certification

From the article:
And, since most of us are not able to assess the qualifications of a practitioner when a need arises, we now have an education system with accreditation standards and professional certifications by specialty.


This is also true!

I am working very, very hard not to be the next security guy who knows more than everybody else at work, but still knows a lot less than the expert working across the street. What I mean is it isn't difficult to look like you "know it all" in front of people who has never work in IT security. It is a different thing to be considered an expert among your peers...

On the other hand, if we look at ourselves, we all know we lack experience in this and that domaine. The fact that there is so much to learn forces us to become specialists. But we are required to work in many different fields, so we are stuck...

If we look at people on this forum, who are very, very good at doing a pentest for example? You can count them on one hand... BUT, I believe we all make a huge difference where we work. Without us, the "average" IT Security guys, the "experts" would be overwhelm!  ;D

Finally, it is the same with all types of work. We want the best car mechanic, the best doctor, the best accountant, etc. But hey, we all have to start somewhere... ;)

So again and again, like almost everyone thinks on this forum, certs are part of the equation. They aren't perfect and they aren't everything, but they have their use and their place.
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
<<

impelse

Hero Member
Hero Member

Posts: 585

Joined: Mon Feb 16, 2009 3:40 pm

Post Tue Sep 14, 2010 11:01 pm

Re: Harsh Words for Professional Infosec Certification

I agree with H1t M0nk3y, the exp is the must dificult part and because there is to much to learn we need to become specialist but the employer want you to know everything.

I know a little bit Cisco but in my new job over night I had to migrate one Pix to ASA to new ISP provider with 7 vpn without knowing the password and one guy hiding some information. Come on that was a job for a CCNP or CCSP and not for a CCNA in that moment but I did with some help.

Now I am learning more about pen test and I think "Would I have the same situation with some pen test? Would my employer require far beayond my skills? Who knows!!!!
CCNA, Security+, 70-290, 70-291
CCNA Security
Taking Hackingdojo training

Website: http://blog.thehost1.com/
<<

partek

Newbie
Newbie

Posts: 27

Joined: Thu Feb 28, 2008 6:15 pm

Post Sun Sep 19, 2010 10:44 am

Re: Harsh Words for Professional Infosec Certification

Most of the problem with certification is that the tests primarily consist of multiple-choice tests that merely test your book knowledge or very basic reasoning skills. For example one could likely pass the CISSP or CEH with very little technical knowledge by simply reading the materials and perhaps participating in lab exercises. There of course is a bit of test-taking skill and strategy that comes into play as well.

Understanding theory in IT security(or any science for that matter) is only half of it. I think that more lab-based tests need to become part of the common testing framework. A good example is the OSCP, which is one hard-core technical test.

I've taken the CISSP, CEH, CISA, CCNA, and OSCP. OSCP being a completely practical test is definitely the only one that I feel truly tested skills versus "book smarts". If I'm ever in a hiring situation and I see the OSCP on someones resume they're going to be the first person I bring in for an interview.
CISSP, CISM, CISA, CCNA Security, OSCP, CEH
<<

kennut

User avatar

Newbie
Newbie

Posts: 46

Joined: Thu Apr 16, 2009 10:41 pm

Post Tue Sep 21, 2010 3:50 am

Re: Harsh Words for Professional Infosec Certification

to be frank, it depends on what field you're doing, let's say if you passed CISA, and got certified, at the end game, the result of the audit / report will then know if you are really an IT Auditor or not (IT audit can have financial auditors / or techies auditor). I have an ex supervisor who is CISSP, CISM, CISA, etc, long until name card cannot fit in, but when comes to "real work", he can't perform or even write a good report. end up was ask to leave by my director.

so, no certification is bullet proof, it only gets you pass HR filtering, but the end game is, where you can do the work or not. No one is really a specialised "know it all dude", otherwise we'll end up being a DBA who's only doing DBA work only.  ;)
Done all 3 certs, now going for CISSP.....
<<

former33t

Full Member
Full Member

Posts: 226

Joined: Sat Feb 14, 2009 12:33 am

Post Wed Sep 22, 2010 8:13 pm

Re: Harsh Words for Professional Infosec Certification

I agree with partek.  Demonstration based exams are worth more than knowledge based exams.  OCSP is a good measure of practical ability needed to perform in a pentest environment and does provide a good benchmark for what you can expect from a certification holder.

The problem with demonstration based exams is that they are expensive.  They have to be.  It is much more difficult to test someone's ability to demonstrate concepts than to answer questions about the same concepts.  Employers don't like to pay for certs, especially not high priced certs, because people use them to pad the resume for the next job (at least this has been my experience).  Anyway, there's no perfect cert (as this thread demonstrates), but I agree with partek that those with demonstration based certs are going to get the first calls for an interview (all other things being equal).
Certifications: CREA, MCSE: Security, CCNA, Security+, other junk

Return to General Certification

Who is online

Users browsing this forum: No registered users and 0 guests

.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software