2002-10-23
As security certifications become more plentiful, they are losing their real value.
Certifiably Certified
2002-10-23
Anonymous (3 replies)
Whole lot of useless words
2002-10-24
Anonymous (2 replies)
Certifiably Certified
2002-10-25
LittleW0lf (1 replies)
Certifiably Certified
2002-11-05
Bob Radvanovsky, Certified Technological Sanitation Disposal Engineer (CTDSE)
And another thing...
2002-11-05
Bob Radvanovsky, Certified Technological Sanitation Disposal Engineer (CTDSE)

Your comments are dead on...ISC^2's passing is more
like 70%, or was when I passed in '99. You're going
to get comments about ISC^2 allowing for activities
that earn points, so that individuals don't have to
retake the test every third year. However...they make
money off of the annual dues required, and the
certifying organization is a bit...well,
self-serving...when it comes to the CPEs.
Ex: At the CSI '99 conf in DC, ISC^2 was holding a
trial exam. Any certified person could take the exam
and get 40 (one year's worth...need 120 CPE points to
recertify every three years) CPE points. Just for
taking the practice exam. That can take all of an
hour...and you only got 1 CPE point per hour of
attendance at the conference.
Also, publishing articles is another interesting point
when it comes to CPEs. Back in '99 (may have changed)
you could get as many points for writing an op-ed
piece as you could for writing a researched,
peer-reviewed piece. For the work, it hardly seems
fair.
Regarding hiring...you're right. However, one thing
that I've seen is that many organizations are more
willing to get the certified person (over the person
w/ proven experience, writing/speaking, etc) due to
budgetary constraints. I've seen it, and run into it
personally.
"Someone who truly knows how to implement security
the right way should be evaluated and respected
accordingly by their demonstrated work experience..."
How can this be done? Most managers aren't like you,
The managers who write job descriptions and send them to HR have no idea what
they really want, and of course (as you said) HR is
going to evaluate the resume based on the alphabet
soup alone. I've seen this w/ HR, as well as w/
placement firms that claim to specialize in IT
security (TechUSA).
Your words are well taken, and well understood (by me,
anyway). But that understanding does little to change
the way things are...or the way they will continue to
be. I'm helping interview candidates for an
internet/intranet position...and most don't know where
IIS keeps its logs. Basic troubleshooting skills are
spotty at best. Only one candidate so far has
mentioned using IIS Lockdown or URLScan to help
protect a server...none has mentioned Registry
settings (although everyone has said "patches"). My
point is that we're getting MCSE+I's who claim to have
all this experience w/ IIS, yet some don't know the
basics of the setup, or hardening.
Ugh!
Hasta, dude...keep the good stuff coming.
Link to this comment: http://www.securityfocus.com/comments/columns/118/16887#16887