Certifiably Certified
Richard Forno, 2002-10-23

As security certifications become more plentiful, they are losing their real value.

Certifiably Certified 2002-10-23
Anonymous
Certifiably Certified 2002-10-23
Anonymous
Certifiably Certified 2002-10-23
Floydman
Certifiably Certified 2002-10-23
Anonymous (3 replies)
HR departments... 2002-10-24
Anonymous
Certifiably Certified 2002-10-24
Anonymous (2 replies)
Certifiably Certified 2002-10-24
Anonymous
Certifiably Certified 2002-10-25
Anonymous
Certifiably Certified 2002-10-28
Anonymous
Certifiably Certified 2002-10-23
Fabio Ghioni
Ever try one? 2002-10-23
Regular Guy (3 replies)
Re: Ever try one? 2002-10-24
Andrew Jones
Ever try one? 2002-10-24
Anonymous
Ever try one? 2002-10-29
oh-woe-is-us@so-sad.com
penis envy 2002-10-24
tammy (1 replies)
penis envy 2002-10-25
Anonymous
Whole lot of useless words 2002-10-24
Anonymous (2 replies)
Re: Whole lot of useless words 2002-10-25
Phil Burg (philb@operamail.com) (1 replies)
Re: Whole lot of useless words 2002-10-28
Anonymous
Whole lot of useless words 2002-10-25
blacklight
Certifiable 2002-10-24
Anonymous (1 replies)
Certifiable 2002-10-24
Anonymous (1 replies)
Certifiable 2002-10-25
Anonymous
Certifiably Certified 2002-10-24
Wykkyd (2 replies)
Certifiably Certified 2002-10-24
DarkCrypt0
Certifiably Certified 2002-10-24
Alphabet Soup
Certifiably Certified 2002-10-24
Anonymous
Certifiably Certified 2002-10-25
LittleW0lf (1 replies)
I believe Mr. Forno is right on as usual. I hear all these complaints from folks here that Mr. Forno doesn't know what he is talking about, yet his experiences are my experiences too...

I do not believe in most of the certifications either, though I don't have problems with going through the certification material. I've seen folks who have CISSPs who cannot even comprehend real security principles when they see them, and I've seen more than my share of idiots with CISSP diplomas who think that the easiest way to prevent an attacker from attacking you is to change your web server to port 81 instead of the default of 80...principles which appear to come from the CISSP material...as most folks who do not have CISSPs do not believe this. And the fact that hackers could use port scanners to attack their boxen seems to blow them completely out of the water.

I know employers who actually discriminate against CISSPs. According to their logic, with which I am beginning to agree, CISSPs cannot think for themselves, and thus aren't worth putting into situations where quick and thorough security decisions must be made. However, I've also met my share of CISSPs who are really good at security too, and who know that while running a webserver on port 81 vice port 80 may keep you away from the stupidest script kiddies out there, it isn't going to keep you out of trouble if you aren't installing patches and configuring the system properly...and they tend to agree with me, that their CISSP is only worth what their employer wants to make it worth...and they wouldn't have paid for it themselves.

But maybe I am biased by the fact that since I cannot qualify for a CISSP (due to my relationships with known hackers), I might be extremely negative for that reason.




Link to this comment: http://www.securityfocus.com/comments/columns/118/16928#16928
Certifiably Certified 2002-10-28
Anonymous, CISSP (1 replies)
Certifiably Certified 2002-10-29
Anonymous cissp
Certifiably Certified 2002-10-25
Marcus Green
Right on! 2002-10-25
Gary L.
Certifiably Certified 2002-10-25
windows311@hotmail.com (SPAM avoidance)
Qualifying Experience 2002-10-26
Regular guy
Certification as barrier break 2002-10-27
Anonymous
Certifiably Certified 2002-10-28
Anonymous, CISSP, GSEC, GCIA, GCFW, CCNA, CCSE (1 replies)
Certifiably Certified 2002-10-29
Brad Bemis
Certifiably Certified 2002-10-28
Brad Bemis
Please send me my certification... 2002-10-30
D3M (1 replies)
Certifiably Certified 2002-11-01
Tommy
Certifiably Certified 2002-11-03
Jeff Schmidt
Certifiably Certified 2002-11-05
Bob Radvanovsky, Certified Technological Sanitation Disposal Engineer (CTDSE)
And another thing... 2002-11-05
Bob Radvanovsky, Certified Technological Sanitation Disposal Engineer (CTDSE)







 

Copyright 2009, SecurityFocus