RE: Value of certifications

Subject: RE: Value of certifications
Date: Sat, 28 Apr 2007 07:25:26 +1000
Hi,
I am a nerd and have never been out of university(1). I finish one course and 
then start another. Basically distance ed and work at the same time. I am also 
on the Faculty Board of one Uni. So having 19 years in 5 unis I have some 
knowledge of them. So I have to ask where the idea that Universities are not 
economically driven came from? In my experience there is a lot of economic 
focus on underperforming courses these days.
 
If you want to make certifications more cost effective, then you have to offer 
something that will add a greater utility value than the existing offering. As 
they currently stand, people see value. The perceived value is due to the 
story/myth of the person who does a few courses and gets a 6 figure job. The 
reality is that this person would have been in the industry a long time and 
also have other skills/training, but this is a perception issue.
 
Next, employers do not wish to discover everything to do with IT and security. 
This is likely why they are hiring. A certification is something to match 
people. Most people going for a job who are currently employed do not use their 
existing employer as a reference. Thus you have to base the decision on 
something.
 
James, there is as a result a simple answer to this issue. Start your own. Make 
it more effective and add more value. I have stated this to be an economic 
issue in a prior post. The solution is an economic one. If you feel that there 
is a solution to this that will offer more value - do it.
 
What I would suggest:
1. Set up a training and education program that could be tied to a professional 
association (e.g. as accountants, engineers and lawyers have). 
2. Make at least a national framework and add enough utility/value such that 
you have the majority of people in the industry who have skills join.
3. Convince government of the value and have them implement a compulsory 
requirement to be a member (i.e. bar exams for lawyers, CA/CPA exams etc). Draft 
legislation. Add PI insurance etc.
4. Make this entire process economically cost effective. 
 
Number 4 is maybe the most difficult. You feel that certifications are 
expensive; try looking at the real cost of a CA/CPA exam or the costs in 
becoming a solicitor/passing the bar. I work for a Chartered Accountancy and 
am finishing my LLM this year. I can tell you that the CISSP and CISA and CISM 
...and about who knows how many other certs I have all together cost less than 
the law degree and they cost way less than a CA and I would assume less than a 
CPA.
 
Are you looking to make IT a profession like law or accountancy? Will the 
majority of people work for professional services firms? I work with one now, 
but I do not believe that most IT people should be employed this way. Having 
people with IT security skills in commercial firms is a good thing.
 
It is easy to focus on the negative; it is difficult to do something. CAs have 
been around for several hundred years (sorry, I have no idea about CPAs). 
Lawyers have been chartered since the 11th C. So maybe the time means something, 
but look at their mistakes and evolution and found an equivalent organisation 
for IT. Unfortunately this is not as easy as it seems and I would also venture 
not what most IT people want.
 
Regards,
Craig
(1) Physically out yes, but enrolled. I am also not counting vacations.



Craig Wright
Manager of Information Systems

Direct +61 2 9286 5497
Craig.Wright@bdo.com.au
+61 417 683 914

BDO Kendalls (NSW)
Level 19, 2 Market Street Sydney NSW 2000
GPO Box 2551 Sydney NSW 2001
Fax +61 2 9993 9497
www.bdo.com.au


________________________________


From: listbounce@securityfocus.com on behalf of Yousef Syed
Sent: Sat 28/04/2007 2:41 AM
To: Simmons, James
Cc: security-basics@securityfocus.com
Subject: Re: Value of certifications



James,
On the matter of Vendor certs I would definitely have to disagree.

I've met plenty of MCSE people that just happened to study hard for
the exam and passed it, but haven't the first clue about setting up an
enterprise Windows system.

For a previous consultancy that I worked at, I was forced to take the
Sun Java Certification (despite the fact that I already had 8 years
Java/J2EE real world experience). It is the most worthless
certification that I've ever come across and it actually teaches you
things that you'll NEVER do in the real world! I'd gone so long in my
career without it, in part, due to the fact that so many
"Java-Certified" types that I'd meet were useless developers.

The vendors care just as little about the student's knowledge as
anyone else - they are also in it for the money. Anytime they change
the OS, you need a new Cert. Anytime a new version of Java comes out,
they want a new Cert... KER-CHING!

What I like about the CISSP is that you are expected to have at least 4
years prior experience before you take the exam. It covers ten
different security domains. It isn't a technical paper where you
memorise a bunch of procedures; rather, you really have to know what
you are securing, and why it needs securing. It isn't at such a high level
as to make it irrelevant, nor is it at such a low level as to make it
too technically demanding for people that might never have used a
firewall before.

Are you going to get fakers picking a CISSP? Of course you are (just as
is the case with any qualification); but such persons will be weeded
out swiftly once they are in the workforce and can't produce.

Is it a substitute for experience? No. But it does complement your
experience, and if all your experience is only in one particular
security domain, it shows you that there are other security domains
and they all need to be considered together.

Yes, I would prefer to have externally audited orgs performing such
certifications that aren't profit driven; but outside of Universities,
they don't exist - and academic knowledge and real world knowledge
are two very different things.

ys

On 26/04/07, Simmons, James <jsimmons@eds.com> wrote:

Yes, I agree about determining the pecking order, but what is a better
way of proving that you know something? Actually going out there and
demonstrating that you know it. Or taking some cheaply made test, that
no one knows how it was formed, as your validation?
I am not saying that certifications do not serve a purpose, but I have
found very few that are actually good enough to live up to that purpose.
My example differs between vendor certs (CCNA, MCSE, etc.) and general
knowledge certs (CISSP, Security+, etc.). The vendor certs are by far
superior (though expensive for no reason) because who would know the
subject matter better than the vendor? The general knowledge certs are a
joke. What designates these people as experts? Both in the field that
the cert is focusing on, and in creating a meaningful cert?
In my rant off my link I make reference to the ASE certs for automotive
technicians. ASE was formed by the major automakers of the day to
maintain an acceptable skill level. They employed psychologists,
professors, and other education experts to research and ensure that
their testing methods give an accurate portrayal of the skill level of
the individual. Do you honestly think that any of these companies have
put that much time and effort into their tests? These are start-up
companies that believe they can make some money off of trying to
pseudo-train individuals to do a complicated job. And companies are
trusting these "certified" professionals to protect them and conduct
business critical work on their systems.
And I am not saying that this is the case for everyone. Some very
intelligent, and capable individuals are getting the certs because that
is what will attract customers. They are not getting the certs to learn
anything new. They are getting them to prove that they know. And at that
point I question why these certs have to cost so much?
While every other question I see in this forum about certs is "I want to
learn about security, what is the cert I should go after?".
It is just a messed up system that really needs an overhaul.

Regards,

Simmons





--
Yousef Syed
"To ask a question is to show ignorance; not to ask a question, means
you remain ignorant" - Japanese Proverb
