Since you believe that a CISSP can be passed with no experience
certainly you would also be aware that it has a practical experience
requirement of 6 years of security work prior to being eligible for the
test. It also requires that another CISSP vouch for your experience.
It also requires that you show proof (yes actual proof) of industry
experience for every year after you pass the test to the tune of several
hundred hours of training and volunteer work (assuming you can pass the
test it with a score greater than 70% of the applicants scores). It
requires an ongoing credit-based system where you have to have served on
industry boards, done volunteer work, written articles, published books
and a number of other things. If you are lucky enough to pass all these
requirements and when audit time rolls around and it's discovered that
you didn't have the 6 years experience or you didn't really do all you
said you did then you lose your credential and can never re-apply.
Sure maybe you know someone who's taken a course and gone and passed the
test but I bet you didn't know that many of them have not received their
credential due to the lack of a credentialed CISSP to vouch for them or
due to lack of actual ongoing experience to add to their credential
after the fact.
The CISSP credential is not a networking credential. It is a general
security credential showing mastery of all aspects of security, not an
in-depth knowledge of one. A CISSP would be expected to serve in an
advisory or audit capacity and not in a network engineer capacity. The
CISSP program also has specific knowledge area credential programs
specific to application security among other things which apply to
specific jobs.
If a CISSP with no experience is applying for a networking job then
shame on them. If you hire a CISSP for a networking job when they have
no specific networking experience then shame on you.
Credentials can only be looked at to strengthen the credibility of a
person's resume, not to create credibility where this is no experience.
Either way if you are going to criticize things in public you should
know what you are talking about or you will just point out to everyone
that you don't know the industry as well as you think.
David
-----Original Message-----
From: Robert E. Lee [mailto:robert@dyadsecurity.com]
Sent: Thursday, July 27, 2006 4:40 AM
To: shreyas@technitium.com
Cc: shreyasonline@yahoo.com; slamboy@gmail.com;
pen-test@securityfocus.com
Subject: Hacker Stories, Certs, vs Projects - Was Re: Technitium MAC
Address Changer v3.1 (FREEWARE)
The "practical application" portion of the CISCO CCIE certification is
why organizations can trust the CCIE job applicant can serve a useful
cisco networking function in their organization. Any certification that
fails to measure the candidates actual ability to perform a useful
function in the subject of the certification is useless (ala CEH, CISSP,
CISA, CISM, which can all be passed with 0 years of experience). To the
best of my knowledge about the current infosec certs, ISECOM's OPST
(www.opst.org) and OPSA (www.opsa.org) come the closest to fulfilling
the the practical measurement requirement. For what it's worth, we would
not consider hiring a candidate who advertised that they have a CEH
certification.
If you want to stand out in an interview, perform a useful function that
your peers respect you for. Presenting your ideas at conferences or
contributing to computer security research papers and projects will get
you a lot more credibility in a job interview than "hacking stories" or
"hacker certifications". There are a lot of projects to choose from.
If none of them excite you, start your own. ;)
Robert
--
Robert E. Lee
Chief Information Officer
http://www.dyadsecurity.com
phone: (949) 394-2033
fax : (949) 486-6601
email: robert@dyadsecurity.com
------------------------------------------------------------------------
------
This List Sponsored by: Cenzic
Concerned about Web Application Security?
Why not go with the #1 solution - Cenzic, the only one to win the
Analyst's
Choice Award from eWeek. As attacks through web applications continue to
rise,
you need to proactively protect your applications from hackers. Cenzic
has the
most comprehensive solutions to meet your application security
penetration
testing and vulnerability management needs. You have an option to go
with a
managed service (Cenzic ClickToSecure) or an enterprise software
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service
can
help you: http://www.cenzic.com/news_events/wpappsec.php
And, now for a limited time we can do a FREE audit for you to confirm
your
results from other product. Contact us at request@cenzic.com for
details.
------------------------------------------------------------------------
------
------------------------------------------------------------------------------
This List Sponsored by: Cenzic
Concerned about Web Application Security?
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's
Choice Award from eWeek. As attacks through web applications continue to rise,
you need to proactively protect your applications from hackers. Cenzic has the
most comprehensive solutions to meet your application security penetration
testing and vulnerability management needs. You have an option to go with a
managed service (Cenzic ClickToSecure) or an enterprise software
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can
help you: http://www.cenzic.com/news_events/wpappsec.php
And, now for a limited time we can do a FREE audit for you to confirm your
results from other product. Contact us at request@cenzic.com for details.
------------------------------------------------------------------------------
