"Certifications can demonstrate a commitment to ..."
---
Yes -- they can. They can also demonstrate the ability to take tests and understand theory. They _can_ do a great deal, but do they?

Is there any _proof_ that someone who's gotten a "Microsoft Security Certification" is really somehow more knowledgable about security than someone who hasn't?

If the certs are _FREE_ and there is no profit motive for those giving the tests then lets see how much of a push there is for certification.

Right now there is a cert program for yoga instructors as well. You have until the end of this year to step in to be "grandfathered" in if you've taught 5000 hours or more.
I guess that's around 3-12 years depending on how much
you teach/week.

But think about that -- now lets say a yogi from India comes over next year. Sorry dude! You don't qualify.

In this case, it's not so much a cert organization that's pushing this, but established teachers that want to place barriers on entry into the field. Too many new teachers and it becomes hard for established teachers to raise rates and create a 'demand'. One teacher had her start by jumping up in a meditation session and started doing 'spontaneous', 'uncontrollable' yoga poses -- flowing
from one to the next -- no training -- but she got a following and now she's a guru and her followers are now qualified to teach -- even though few of them have actually studied much outside their world. Who certifies
the 'certifiers'?

What are the professional qualifications of those who came up with the cert process and questions? Does anyone care?
Were they exercises out of a "Security for Dummies" book?


I read, cover-to-cover, one of the latest security prep
books. It was 'ok' reading, but I would more than likely
subtract points from someone who put that on their resume than not.

Having read the book -- I know how much and how little it covers the real world. If someone boasted of such a cert as if it were some accomplishment, as someone who knows better, I'd be underimpressed. I know enough to know how
little depth it covers.

On the other hand -- many managers, unable to keep up in technical knowledge in their field, may not know enough to know how worthless the cert is and may hope to use it as a
shortcut to find a qualified candidate.

I suppose on some level, those who use certs as hiring criteria may not be good employers to work for -- as they obviously have little knowledge of the field and won't know enough to be impressed with real knowledge and skill.

...And...security, like good planning, or even good
IS maintenance is an invisible and often thankless task.

If you are good at your job, no one knows it -- things just don't go wrong. It's almost never that 20 competitors' networks or disaster recovery plans fail due to some common disaster and the 21st company (yours) doesn't. Everything is different each time.

I have to agree with the original author. Certs are are a shortcut for having to think -- they are like 'labels'. If someone has a label, you don't have to get to know them. You can just relate to them by their labels.

Lame.
owiu



[ reply ]

Link to this comment: http://www.securityfocus.com/comments/columns/118/16971#16971