I do not think i named all of them but you get the picture. This is a contractual obligation. It drives the cost of the contract through the roof. I also find it hard to find certified resources who will work for reasonable rates in my area which outside the DC area.

“…without certification there is very little proof of competence.”

WITH certification there is also very little proof of competence, plus you waste a lot of money.

“…if I have the skills why not proof it by doing an exam?”

Because the exam does not test skills.

And ofcourse I contribute to ISC2 financial gain, but there is also a lot of cost involved in developing the CBK and exams. Seeing the material, preparing for the exam, I think it fills an important gap.

If you, as an executive favor people who get this certificate, then I hope your company is not a vendor of products that we use. I bet I could get my mother to achieve this certificate, which requires merely some BS’ing in an essay, or memorizing a bunch of stuff so you can spew it on a multiple guess exam. My mom is smart, but not about computers or security . But she would definitely pass this exam after studying. And believe me, you would not want her developing applications for you. If you disfavor smart security people who don’t get this cert because they are smart enough to see that it’s meaningless, then you’re missing some talent, which I would be happy to acquire and use in my own company.

This is, pure and simple, a money-making scheme. Bernie Madoff would be proud.

well, you’ve sure redirected my mindset regarding CSSLP. I wasn’t too sure I wanted to do the CISSP after what I had read about it but I had already studied for it and was required to do so by my employer (although plans fell through and I ended up taking it on my own time later just to fume off).

The one that actually did look interesting to me was the GIAC:http://www.giac.org/, though I can’t claim to know much about it. Does anybody here have first hand knowledge about it? They seem to have a bunch of requirements; papers, labs and such-things that I guess help somewhat confirm that you actually understand what you’re talking about and are not just parroting well.

Cheers,

With a multiple choice exam, you just have to be able to related and remember words without really understanding the context so well.. Whereas, with an essay you have to describe concepts in the appropriate context.

In terms of general security principles cert versus a technology specific cert, if you have the choice of someone who understands the generic principles and can apply them to any technology, i feel that this is much better than someone who only knows how to do the ‘right’ thing with a specific technology without necessarily understanding why and therefore cannot infer the principles and apply them in different situations to different technologies.

In general, I believe certification can be a good thing, the process for studying for a certification often means that you will learn more which is never bad. Having a certificate that attests to some level of knowledge is also not a bad thing. However, people have to take into account that testing procedures in general are flawed and relying solely on an individuals list of certifications is a bad\risky thing to do.

Will the fact I have a bunch of SANS certs mean I am incompetent? I transitioned from software development to information security 3 years ago and I have been “piling up” certs since then. It is one of my “hobbies” at the present, though that “hobby” has also helped me supplement my development experience with a lot of security information in a fairly short time (relatively).

Am I worse for it? No. I would even argue that in certain roles I am stronger than someone who has been doing security the entire time since I have a lot of other quite varied experience that provides a much broader perspective.

I do want to get the CISSP to be done with it, though it will be of no help to my current job. I did apply for the CSSLP since I see little downside (other than the cost). I would love to see secure development processes more widespread.

Brad

“While certification is not necessary to get started in security it IS necessary to get a job doing it.”

I call BS. Many of the best security consultants and researchers I’ve worked with had no industry certifications. A handful did, but quite honestly, they were the minority.

I’m with you on the hiring thing. I’m looking for experience, not a bunch of letters. That being said, here’s a new cert that really shows some promise: http://www.asscert.com/ :>

“Certification is the ticket to get started in security? Not true, and certainly not across the board. You’re fooling yourself if you think the day is going to come where security practitioners will need a Master’s degree to get hired.”

While certification is not necessary to get started in security it IS necessary to get a job doing it. Furthermore I’ve worked for companies who would of never considered me for employment due to my lack of a bachelors and masters degree. I got in the door as a contractor and they waived the degree requirement when they offered me a permanent job once they saw the value. While this is not true in all cases – it is the norm.

Personally when I’m in a position where I am hiring or interviewing individuals I don’t even look at certs. Matter of fact if someone lists a half dozen certs on their resume I tend to put that resume at the bottom of the pile.