And the sad part is that "people outside the security community (e.g.
executive, human resource)" seem to be the ones that make the decisions
and pay the bills. And because of their elevated position, they rarely
stoop down to get to know the people that really know what's going on so
their only option is to make choices based on certifications.
On the other hand, security people should try to express things in terms
that will resonate with those decision makers. Maybe we shouldn't look
at them as complete idiots (sometimes that's hard;) and attempt to
explain things in "English".
-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
On Behalf Of Danny Fullerton
Sent: Thursday, October 18, 2007 7:33 PM
Cc: pen-test@securityfocus.com
Subject: Re: CREST or TIGER?
Hi,
from my point of view, among security professional, xyz certification
won't mean anything and so does university degree. I've been working
with CISSP, computer science PhD, CEH, CISM, GIAC and others guys and
found that my opinion about there competency in computer security cannot
be based on those. The only common denominator I found among the best
was passion.
If you think you need some sort of certification to be taken more
seriously, you should consider questioning the way you work/collaborate
or introduce yourself.
I cannot speak for everyone but personally, for the time I've been
working in computer security, the little letters following names have
lots all credibility. The only time it looks quite important and finally
worth something is with people outside the security community (e.g.
executive, human resource).
This is only my opinion, no offense.
---
Danny Fullerton, xyz
Founder
Mantor Organization
EH wrote:
All, I would value your opinion. I am trying to make a comparison
between the 'new kids on the block' in terms of pen tester
accreditation here in the UK, CREST and TIGERScheme, for my
organisation. So far I've come up with the following information.
CREST TIGER
An existing examination No Yes
Independent of suppliers No Yes
End user driven No Yes
Not for profit Yes? Yes
Applicable to Individuals Yes? Yes
Company standards Yes Yes (CCTM)
Career path Yes? Yes
University standard No Yes
It seems that the TIGER Scheme www.tigerscheme.org is fully up and
running and accrediting individuals already plus it is a University
based examination which CREST www.crest-approved.org is not.
I see from the CREST website that they are in support of the often
maligned multiple guess CEH examination and will 'grandfather'
individuals into the 'CREST approved' scheme if they have CEH. Now I
am a CEH [amongst other things I hasten to add] and I sat the exam in
early 2003. It was taken reasonably seriously then but it seems that
the pen test communities opinion of the cert has deprecated somewhat
over time ... so is CREST a re-branded EC-COUNCIL? If so will they go
the same way?
To grandfather into TIGER at the lowest level of certification you
need an approved MSc in Computer Security. Basically any certs I
recommend for my organisation I want to be taken seriously now and in
future. I am heavily leaning towards TIGER.
Your thoughts?
Thanks in advance.
EH
------------------------------------------------------------------------
This list is sponsored by: Cenzic
Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!
http://www.cenzic.com/downloads
------------------------------------------------------------------------
------------------------------------------------------------------------
This list is sponsored by: Cenzic
Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!
http://www.cenzic.com/downloads
------------------------------------------------------------------------
**DISCLAIMER
This e-mail message and any files transmitted with it are intended for the use
of the individual or entity to which they are addressed and may contain
information that is privileged, proprietary and confidential. If you are not
the intended recipient, you may not use, copy or disclose to anyone the message
or any information contained in the message. If you have received this
communication in error, please notify the sender and delete this e-mail
message. The contents do not represent the opinion of D&E except to the extent
that it relates to their official business.
------------------------------------------------------------------------
This list is sponsored by: Cenzic
Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!
http://www.cenzic.com/downloads
------------------------------------------------------------------------
