Security's Failed Past and Risky Future
Jon Lasser, 2003-05-07

Final grumblings from SecurityFocus columnist Jon Lasser, as he bids farewell to the computer security world and moves to Colorado.

Security's Failed Past and Risky Future 2003-05-07
Anonymous (2 replies)
Security's Failed Past and Risky Future 2003-05-08
Anonymous (2 replies)
Security's Failed Past and Risky Future 2003-05-08
Anonymous (1 replies)
Security's Failed Past and Risky Future 2003-05-08
blacklight (1 replies)
Security's Failed Past and Risky Future 2003-05-14
Anonymous (1 replies)
"I believe that the vaunted CISSP certification is worthless, because it holds no guarantee that any of its holders have incident response capability. However, it would be a great certification to have if I were a non-technical executive rather than a hands-on line manager, and I wanted to b.s. and otherwise harass the technical staff. There are probably a few of these paper pushing security certifications floating around. Give me real certifications like CCSA, CCSE, CCNP, CCSP, CCIE/Security, GIAC any day of the week."

What a load of bunkum. Any certificate is only as good as the person implementing it. If the CISSP is perceived as a more 'management' security approach, then it will be the managers, not the engineers (who have a tendency, like programmers, to cut corners & security to save their own overworked butts), who will instill an overall top-down approach/attitude to security. The CISSP covers all aspects of security, but not in great depth; however, once you have the qualification and are working on a specific project, you know the approach and practices that need to be implemented. These will have to be implemented in great detail, therefore further learning is necessary depending on the projects.

All of the other certifications you talk about are very technical, great if you are talking about a specific product/solution, but it's generally not one technical mistake that causes security breaches, it's the lack of good security practices (and therefore the security culture) that will cause most problems.

You need to learn that both technical and non-technical (and remember you have to have worked in the areas of security for at least 4 years for the CISSP) certifications are needed to at least give confidence to management that the 'implementors' know what they are doing. Whether they do or not comes down to the competency of the individuals and the company's attitude to security as a whole.

JT


Link to this comment: http://www.securityfocus.com/comments/columns/159/19976#19976
Security's Failed Past and Risky Future 2003-05-08
Anonymous (1 replies)
Security's Failed Past and Risky Future 2003-05-08
A Weary Security Professional
Congrats, bucko 2003-05-12
curt seeliger







 

Copyright 2009, SecurityFocus