2007-05-01
I wrote a column for Securityfocus some time ago that aired my concerns over GIAC dropping the practical portion of their certification process. That column resulted in a lot of feedback, with most agreeing about how GIAC bungled what was up till then, the best certification around.
Blocking port 53 TCP
2007-05-02
Richard Bejtlich (1 replies)
Re: Blocking port 53 TCP
2007-05-02
Don Parker (1 replies)
Re: Re: Blocking port 53 TCP
2007-05-03
Anonymous (2 replies)
Re: Re: Re: Blocking port 53 TCP
2007-05-04
Anonymous (2 replies)
Time for a new certification
2007-05-02
Rob Shein (1 replies)

ded) list about this. I think this list is a way better example of what is wrong with certs, as people are constantly posting "what cert do I need to become a pen tester" or "I wanna work in security, what cert do I need?" While some of this type of nonsense does spill over into the pen test list, a lot of what goes on there are legitimate questions. Every group has its share of posers, but at the same time it is impossible for everyone to know everything. I've been pen testing for a while now, and working in security even longer, and I still find things that I haven't seen before. Google is my friend, but it is always nice to be able to ask a group of folks if they have seen it before, too.
But back to the main topic. Certifications. I wouldn't consider the requirement of writing a paper a "practical." It is still only testing the ability of someone to perform research and spit out what they have read and learned in a different way. Thousands of people do that in colleges and high schools every day and it doesn't prove that they are smart or that they know the material. Just because someone can write a paper about some obscure corner of something remotely related to computer security doesn't mean that they will be able to analyze a packet or determine if an IDS alert is a false positive or not. And honestly, there probably will never be a way to test for this kind of knowledge, at least in a practical manner.
The fact remains that the certification process for our industry is very broken. Certs make resumes look good, but I have seen people with no certs run circles around people with tons of certs and degrees to boot. Why is that? One: There is the perception that certs are for lamers, whatever that means. Two: Certs are expensive. Especially the GIAC ones you are plugging. Not many people can just run out and take these tests on their own. Three: A great number of people in our industry spend 8-12 hours a day in the mud of defending their networks against their users and hackers, and the last thing they want to do when they get home is crack open a book and study for some stupid test.
I have been on both sides of the street. I have reviewed resumes and interviewed candidates, and now I feel like I need more certs and a higher degree to reflect my knowledge, yet I also *hate* studying for these things, paying for them, taking a day off to take the test, etc....
And the recertification process for the certs that have them is also impractical. For the same reasons getting a cert is hard, getting the necessary CPE, CPC, CTE, or whatever the acronym, to keep the cert valid is almost impossible. I don't have the money or the time to take a week off of work to go to a $2500 class. And my employer doesn't seem to want to pay for it, either. So what am I to do?
Link to this comment: http://www.securityfocus.com/comments/columns/443/34516#34516