I agree 100%.
We should all remember that humans are different, and can't always be
measured like pharmaceuticals which have a predictable result. The
challenge is always how to apply a given talent to the appropriate
problem.
People need to lighten up a bit. When you don't want to play by the
rules, you can always get out of the game.
Ted Butler
-----Original Message-----
From: Omar A. Herrera [mailto:omar.herrera@oissg.org]
Sent: Friday, May 12, 2006 3:51 PM
To: pen-test@securityfocus.com
Subject: RE: CISSP-ISSMP
Now this at least makes some sense. Thanks Serge :-).
-----Original Message-----
From: Serge Vondandamo [mailto:serge.vondandamo@wanadoo.fr]
The opposite seems to be the case on this thread.
IT LOOKS LIKE WHOEVER IS NOT CERTIFIED ARE GENIUS AND CERTIFIED ONES
ARE
DUMBOOS. :-)
I will suggest the following cooking recipe:
1. Help the non-certified ones understand the value of the
certification
process (not the paper) and get them certified. This awareness should
come
from the certificate holders.
2. Help the certified ones with limited knowledge to fill the gap.
This
can
be achieved by writing papers, organising webcasts, offering tips and
free
tutorials. This should come from the most experienced ones.
Every time this topic about the value of
certifications/training/whatever
appears on the lists we end in never ending discussions with little or
no
value at all.
Let's face it, we all know some certified people that are brilliant and
very
capable and some that are well below of what most would consider as
professional standards. The same can be said about non-certified people.
Although we all know that certifications are not a panacea, none of us
have
a clue of their real value.
If we are going to do such generalizations as: Certification X is
totally
worthless and therefore all people with certification X cannot provide
any
added value, or any similar statement involving non-certified people for
that matter, we better have proof of it.
If someone really wants to go that way then get a reasonable, objective
and
reproducible way of measuring and comparing the results of both groups
(controlled environment), an adequate amount of data (results), an
appropriate method to select and involve participants (e.g. randomly
selection of certified and non-certified people with same years/areas of
experience), and apply the corresponding statistical analysis.
For a controlled environment I would of course not suggest another test,
but
some hands-on real cases to work with (e.g. pentest scenarios in the
case of
certifications related to this subject) whose outcome would be to be
assessed against that of the most recognized professionals in the area.
That should give sustainable proof that getting a certain certification
does
or does not add any value to the profession (and even how much value if
any)
for once and for all, much the same way like pharmaceutical companies
prove
how "on average" a certain drug is effective and not a mere placebo
before
it is accepted for distribution.
But since it seems that so far nobody has done this (not in a rigorous
form
at least) and that the information to do it does not yet exist, let us
at
least be sensible enough and recognize that we just can't asses the
general
value of any certification based only on our personal perceptions.
That is my personal perception of this issue ;-)
Regards,
Omar Herrera
------------------------------------------------------------------------
------
This List Sponsored by: Cenzic
Concerned about Web Application Security?
Why not go with the #1 solution - Cenzic, the only one to win the
Analyst's
Choice Award from eWeek. As attacks through web applications continue to
rise,
you need to proactively protect your applications from hackers. Cenzic
has the
most comprehensive solutions to meet your application security
penetration
testing and vulnerability management needs. You have an option to go
with a
managed service (Cenzic ClickToSecure) or an enterprise software
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service
can
help you: http://www.cenzic.com/news_events/wpappsec.php
And, now for a limited time we can do a FREE audit for you to confirm
your
results from other product. Contact us at request@cenzic.com for
details.
------------------------------------------------------------------------
------
------------------------------------------------------------------------------
This List Sponsored by: Cenzic
Concerned about Web Application Security?
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's
Choice Award from eWeek. As attacks through web applications continue to rise,
you need to proactively protect your applications from hackers. Cenzic has the
most comprehensive solutions to meet your application security penetration
testing and vulnerability management needs. You have an option to go with a
managed service (Cenzic ClickToSecure) or an enterprise software
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can
help you: http://www.cenzic.com/news_events/wpappsec.php
And, now for a limited time we can do a FREE audit for you to confirm your
results from other product. Contact us at request@cenzic.com for details.
------------------------------------------------------------------------------
