I have taken SANS's Security Essentials course (and passed the certification exam), and i just shelled out another $2000 for their IDS course. I have tried one.

I don't think Mr. Forno's point is that all security certifications are patently bad. He even mentions SANS as being established and respectable. He also did not say that he does not hire people with certifications. I think his point is the inequality that exists between people with experience but no certifications and people with certifications and no experience. Companies are choosing the later, although certifications are not worth much without the experience to back them up. He says nothing about the group of people with both experience and certifications.

Additionally, from his writings, i believe that Mr. Forno takes his profession very seriously, and it disturbs him that security certification entities are popping up purporting to "teach security", when they are only out to make a buck. (As a counterexample, take again SANS, which is a not-for-profit organization, and takes the attitiude that they are not teaching to the exam, but rather teaching what their students need to know, and if their students know everything they need to know, they will do fine on the exam.) These same entities are also trying to appeal to the money grubbing side of their students by claiming to be able to drastically increase their salaries. They show no concern for helping their students to do their jobs well.

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/columns/118/16899#16899