Network Security Pen-Test
Re: CREST or TIGER?

Subject: Re: CREST or TIGER?
Date: 20 Oct 2007 21:23:02 -0000
Hi Danny et al.,
One of the main points that I am trying to convey is that we should not be 
distinguishing and/or classifying ourselves quite so readily. In your post you 
are effectively making a clear distinction between them and us. "Them", being 
HR, business groups and non-IT people in general. The "us" being a cadre of IT 
specialists.
You talk of an effective measuring system. This is achievable for an individual 
task. The issue however is that each organisation will vary both in its risk 
appetite, its competency and its focus. The difficulty is in finding which 
metric would then suit which organisation. This would be compounded further as 
technology changes, the company changes, and its systems and processes change.
More importantly, it only covers one leg of the three apexes of security. The 
commonly overlooked areas of people and processes come second in this view. It 
leads to a projection that information security technical people are solely 
responsible and capable of mitigating information risk. The difficulty on this 
point is that many technically adept penetration testers fail to understand 
business rules. The result is that they concentrate on system vulnerabilities 
and technical failures to the exclusion of what is often much simpler to bypass.
As for my own, all I have completed still fails as proof. To give an example, I 
am now a pointy haired manager, Corp, suit or any other term that you may wish 
to apply. As a consequence, many people will not take what I say seriously. 
There are those who believe that external factors (such as wearing a T-shirt) 
add to credibility.
Actions speak louder than words. What certification will do is give you an 
opportunity to prove yourself. This is when your actions have to speak. After 
you get past HR, when the client has selected you for the job or whatever other 
initial gate has been passed as a result of the certification, then it comes down 
to your actions. So the certification can be an enabler. I do agree that they 
don't prove skills in many cases, but if you can't get through the first gate you 
don't get to prove anything.
Regards,
Craig

_____ In Reply to ____
Hi Craig,


It looks like you misinterpreted most of what I said or, somehow, I did not
explain myself clearly enough. So let me rephrase.

"penetration1_googlemail.com" talked about being taken seriously and I
was arguing that certifications and studies are not what I use to form an
opinion on the competency level of security professionals. I never said they
were crap. My own experiences prove certifications/studies are
absolutely not a perfect match with people's competency. In your case, the
whole thing (publications, books, certifications, etc.) would prove to
anyone that you have large and proven competency. Your case is quite
different from the one who only did one or two certs and nothing else
really related to security.

As I said, I found certifications and studies really useful when dealing
with external people. It's not a perfect and/or always fair system, but
it does help external people who are unable to measure security
professionals' competency themselves (clients, HR, etc.). I guess a better system
would have to be free and complex while covering every aspect of
security professionals' abilities in order to be a really effective
measurement program. But I doubt this could ever be done.

Everything I said was without any pretension and signed as being my own
opinion. Still, for all those reasons, my opinion does not change. My
only hope is to make the latest understood correctly.

---
Danny Fullerton
Founder
Mantor Organization
