Certifiably Certified
Richard Forno, 2002-10-23

As security certifications become more plentiful, they are losing their real value.

Certifiably Certified 2002-10-23
Anonymous
I think certification is nothing compared to experience. But people have to start somewhere. At least if someone has a certificate they might know the basics...same as someone fresh out of college. There is no way to learn what you need in a classroom, but this is the same in every profession. A...

Certifiably Certified 2002-10-23
Anonymous

Your comments are dead on...ISC^2's passing is more like 70%, or was when I passed in '99. You're going to get comments about ISC^2 allowing for activities that earn points, so that individuals don't have to retake the test every third year. However...they make money off of the annual dues ...

Certifiably Certified 2002-10-23
Floydman
I discussed the same trends in the IT industry in general, and seeing it coming in the security industry in particular in my paper "Autopsy of a successful intrusion" about a year ago. This paper just got mirrored on neworder.box.sk, and got a bunch of readership from this, and some interesting ...

Certifiably Certified 2002-10-23
Anonymous (3 replies)
I really enjoyed your column on certifications, and couldn't agree with you more. I'm struggling to find a position in the infosec industry and find myself getting smeared by the alphabet soup kids. I have 10 years in the trenches working in telecommunications, and the internet industry, and have be...

HR departments... 2002-10-24
Anonymous
...are basically keyword filters, unfortunately. They don't know what the job posting means, they just know how to match up words. If the posting says CNE, and CNE isn't on your resume, you don't get the interview. I once had an HR person doing a preliminary phone interview for an engineering pos...

Certifiably Certified 2002-10-24
Anonymous (2 replies)
What do you consider a "REAL" security professional? Is it anyone like you who feels they are the king of security, but shouldn't be bothered to take a test?

Your post is just whining and complaining. I've met quite a few security professionals who know what they are about, but don't have a cer...

Certifiably Certified 2002-10-24
Anonymous
It's true that the only person who can make your own world better is you. However, the best course of action is not necessarily to get certified so as to get headhunted when it comes to job satisfaction. Neither is getting in with a bunch of people you know.

These days it looks like you gotta h...

Certifiably Certified 2002-10-25
Anonymous
Forno is, as far as I know, gainfully employed, so I think accusations that this article is sour grapes are unfounded.
...

Certifiably Certified 2002-10-28
Anonymous
I think the answer is to get certified then. If that's what it takes to get HR to consider your resume, then that's what you have to do. Once you get past the screening process you can tout your experience and expertise in the field and win the job.

If the people doing the hiring are expecting ce...

Certifiably Certified 2002-10-23
Fabio Ghioni
Your article is a "Robert Anton Wilson" coincidence (see Illuminatus!). I was just discussing this very subject with a professional friend as few multi-certified poli-mastered subjects have tried to push themselves on the top list of recognized Security pros in Europe. And you know what we said whe...

Ever try one? 2002-10-23
Regular Guy (3 replies)
I simply do not understand the angry tone directed toward individuals engaging in professional growth.

Take an individual who has achieved a Masters Degree in Computer Science, been working in the field for over 8 years and continues to perform professional growth where the mechanism of this prof...

Re: Ever try one? 2002-10-24
Andrew Jones
I have taken SANS's Security Essentials course (and passed the certification exam), and I just shelled out another $2000 for their IDS course. I have tried one.

I don't think Mr. Forno's point is that all security certifications are patently bad. He even mentions SANS as being established and res...

Ever try one? 2002-10-24
Anonymous
I am one of these people mentioned in the article. I am net to the tech scene, but deep in my heart I am a geek hardcore. The training, and certifications have helped me get my position, but to be honest there were people in my classes who had no business getting the certifications. They were not in...

Ever try one? 2002-10-29
oh-woe-is-us@so-sad.com
"Certifications can demonstrate a commitment to ..."
---
Yes -- they can. They can also demonstrate the ability to take tests and understand theory. They _can_ do a great deal, but do they?

Is there any _proof_ that someone who's gotten a "Microsoft Security Certification" is really somehow...

penis envy 2002-10-24
tammy (1 replies)
penis envy, perhaps?...

penis envy 2002-10-25
Anonymous
Maybe in your world. In our world it's called keeping everyone honest about what they can and can't do....

Whole lot of useless words 2002-10-24
Anonymous (2 replies)
I'm really disappointed in you.

Instead of complaining, come up with a better way. How do you recommend that an HR droid pick a suitable person? The person doing the hiring does not have the time to do a technical interview with every applicant. There has to be a way to separate the wheat from...

Re: Whole lot of useless words 2002-10-25
Phil Burg (philb@operamail.com) (1 replies)
I'm with Richard on this.

Why on earth would you ask an HR staffer with no technical or security knowledge to select candidates for a security position ?

Stating that certifications are good because they make it easier for HR to choose candidates is silly - it's patching a broken system that ba...

Re: Whole lot of useless words 2002-10-28
Anonymous
You seem to have no idea about what goes on in hiring.
If you expect human resources just to be a mail carrier for 10,000 résumés, you have no idea what is their purpose.
A busy manager can't be expected to read 500 résumés (common amount) to staff a new position. A company hires HR people to w...

Whole lot of useless words 2002-10-25
blacklight
There is one way: cut HR out of any and all technical hiring - Back in 2000 (I've changed jobs since), my staff and I used to do our own resume screening with most unqualified candidates being tossed within thirty seconds or less apiece - anyone who claimed to have supervised 2,000 computers was dea...

Certifiable 2002-10-24
Anonymous (1 replies)
Richard,

Excellent piece.

I passed the CISSP exam this summer with NO revision, NO boot-camp, NO intensive training course, NO homework, NO use of the study guide (I didn't even purchase it), NO special additional reading and NO trouble at all. I paid my money to do the exam, then got too b...

Certifiable 2002-10-24
Anonymous (1 replies)
As a CISSP, I'd say that, in a way, you have proven the point. You have 10 years experience. You've been around enough to know the wide range of knowledge that a true Information Security Professional should know. You may not be a firewall junky, but you probably know enough about firewall techno...

Certifiable 2002-10-25
Anonymous
True, 10 years experience (plus some good fortune) presumably got me a pass. Question is, does having CISSP letters after my name actually prove the quality & extent of my infosec knowledge, any better than the 10+ years experience already on my CV? Potential employers may believe so, but I'm not ...

Certifiably Certified 2002-10-24
Wykkyd (2 replies)
The point of the article is that formalized knowledge, whether that be from a college/university degree, or from certifications (a demonstration of intelligence) in and of itself is not a valid supplanter of experience (wisdom).

The arguments about multiple candidates with equal experience, one h...

Certifiably Certified 2002-10-24
DarkCrypt0
I totally agree with you.. I would also add one thing...

Personality.... I am only 19 and only have 1 sheet of paper to my name, my high school diploma. I would like to tell you the story of how I got here (network sys admin of a local law firm)

While an intern at a local corporation I was as...

Certifiably Certified 2002-10-24
Alphabet Soup
Are we not questioning the "wisdom" of the hiring manager here?
I personally view my certifications, (and I certainly fall into the alphabet soup category), as an introduction to the area in which I work, much in the same way I do not believe my driving licence means I am anything more than "safe...

Certifiably Certified 2002-10-24
Anonymous
Not all certifications are equal. As the author states, SANS is a credible group. Here are some items which set SANS as a leader.
1) Use input of security leaders such as Marty Roesch (Snort), Richard Stevens (IP the protocols book (before he died)), the creator of Tripwire (can't remember his name) ...

Certifiably Certified 2002-10-25
LittleW0lf (1 replies)
I believe Mr. Forno is right on as usual. I hear all these complaints from folks here that Mr. Forno doesn't know what he is talking about, yet his experiences are my experiences too...

I do not believe in most of the certifications either, though I don't have problems with going through the cer...

Certifiably Certified 2002-10-28
Anonymous, CISSP (1 replies)
Okay, I have to admit it. I think that moving one's web server to port 81 can help prevent a majority of problems. Granted, what do I know? I've only managed hundreds of web servers, both Apache and IIS, without an intrusion. Of course, when I say, "move it to port 81", I know it will ONLY preve...

Certifiably Certified 2002-10-29
Anonymous cissp
I just recently took and passed the CISSP exam. Then I found at a conference a book on passing the CISSP. I looked it over, and wouldn't you know that it basically shouted out the answers to the exam.

My motivation for taking the CISSP was to show that I knew a lot on security. I didn't really...

Certifiably Certified 2002-10-25
Marcus Green
The first line of recruitment is generally done by HR. The people you need to impress to get to an interview are HR. If you tell HR you have 10 years experience and are really, really good, honest and sincere they do not have the ability to judge. If you have a certificate they have a straw to grasp...

Right on! 2002-10-25
Gary L.
Richard,

Your article strikes such a chord.

I'm an independent consultant/contractor specialising in VoIP and CTI, specifically Cisco AVVID. I've specialised in this technology for the last three years, pretty much since it was introduced to the European market. I've been in IT for twelve year...

Certifiably Certified 2002-10-25
windows311@hotmail.com (SPAM avoidance)
To all the guys criticising certification - Answer these questions:

How does one benchmark 'experience'?

How does a person get a job based upon experience if there are no identifiable and measurable criteria?

One only lives once - and in business the call is 'Show me the money' !!!

Why n...

Qualifying Experience 2002-10-26
Regular guy
The U.S. military has a method of qualifying experience in the form of examination.

After years of studies, the Department of Defense realised that Soldiers, Sailors, Airmen and Marines, while trained in equal settings, advanced differently.

For example; A Sailor (during initial training) must ...

Certification as barrier break 2002-10-27
Anonymous
I've browsed most of the comments, but nobody mentioned another side of certification. Everybody likes to hire people with experience, but nobody cared to ask those people how they were hired to their first job and in some cases second job. In a lot of cases the answer is simple - they lied about the...

Responsibility is on the manager 2002-10-27
Rob Dao
I agree with Richard in that a certification doesn't and shouldn't be a deciding factor in the recruitment process. The hiring manager should have enough security experience to filter through the fluff on a candidate's resume. For example, if someone tells me they have a CISSP and a CCSA, I ...

Certifiably Certified 2002-10-28
Anonymous, CISSP, GSEC, GCIA, GCFW, CCNA, CCSE (1 replies)
I would agree that the CISSP is basically a useless certification if you are looking for a deeply technical security practitioner as the test is severely dated, shallow and not all that hard to pass. However, I noticed this article did not mention any certifications that are currently available from...

Certifiably Certified 2002-10-29
Brad Bemis
You indicate that the CISSP exam was a joke, yet you also mentioned that you have some 14+ years of infosec experience. I would argue that your experience transcended the exam, not that the exam itself was a joke. The CISSP certification is meant to validate a very broad understanding of informati...

Certifiably Certified 2002-10-28
Brad Bemis
Odd? This never happens? Security practitioners locked in a vocal debate over the value of certification? Who would have thunk it? ;-)

From one side, you have those that believe that certifications have little or no value to those operating in the security industry. These anti-certificatio...

Please send me my certification... 2002-10-30
D3M (1 replies)
The cheque is on the way...

I use the passwords:
"aaa"
"password"
"secret"
my username on the system or sometimes I really fool them by using my first name...

I'm just wondering where the line is between bogus certs and real ones?

Do I have to make sure my certs are certified with a c...

Please send me my certification...here it is 2002-11-01
Henk Pretorius
In a world full of people with different ideas it would be impossible to say what is right and wrong in this regard. BUT should I look to employ a security professional I would look at my requirements and a cert and the person's working experience is what I need then that person will get the job.
Wh...

Certifiably Certified 2002-11-01
Tommy
Richard. I agree with your article that you would take a guy with experience rather than a guy with just a whole bunch of no nonsense certificates but the thing is, how does a student like me get that experience without having a certificate behind my name. I understand that there are a load of guys out ...

Certifiably Certified 2002-11-03
Jeff Schmidt
After reading all the posts I have a few comments to make.

1) "How do I get InfoSec experience without the cert?" - start lower down on the experience ladder. How about network admin and work your way up. No you won't make the big bucks but it will provide you with lots of experience, and not ...

Certifiably Certified 2002-11-05
Bob Radvanovsky, Certified Technological Sanitation Disposal Engineer (CTDSE)
The paper that these certifications are written on, is worth less than the paper to wipe my butt!

But, to the 'HR bunnies' (recruiters that claim that they know the industry, do nothing to promote it, except fill their pocketbooks, and are popping up like rabbits) out there that don't know the fi...

And another thing... 2002-11-05
Bob Radvanovsky, Certified Technological Sanitation Disposal Engineer (CTDSE)
One thing that we (as a society) are starting to do -- we are falling into the pit of quickly becoming a 'fast food society'. Can't remember the article, but it talks about our society becoming increasingly more and more disposable.

What does this translate to? If you don't meet 'XYZ requiremen...








 

Copyright 2009, SecurityFocus