I agree with Richard in that a certification doesn't and shouldn't be a deciding factor in the recruitment process. The hiring manager should should have enough security experience to filter through the fluff on a candidate's resume. For example, if somone tells me they have a CISSP and a CCSA, I will expect them to have Enterprise Security as well as FW1 Admin experience. With this combination, this person alone should have the ability to not only implement a firewall policy but also to derive that policy from business and operational requirements. In my experience, I found that when I want someone who is a "talker", I hire a CISSP. When I want a "walker", I hire someone with a SANS cert or CCSA the like.

As for HR, they execute a search according to the requirements set forth by the hiring manager. Again, the buck stops at the hiring manager to meander his way through the rivers of resumes that HR provides. If this person doesn't have the skills to do this, then perhaps a more qualified manager is in order.

Finally, I think certifications are fast becoming what degrees are. Certifications may not always speak to one's experience but it is fast becoming that "ticket" one must have in order to get into the stadium. A good manager must decide by experience alone whether or not someone will get on the playing field to play in the game.

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/columns/118/16946#16946