At 09:48 AM 17/02/98 -0800, Larry Kwiat wrote:
## Reply Start ##
>>Can we please get back to the certifications which do exist,
>>things like the CISSP and others which have been discussed
>>in this thread, and get away from this obsession with technologies.
>>Certification does exist, and it does count for something.
>>Let's stop pretending it doesn't exist.
>Also, let's not forget that certification does count for _something_
>and that the thing that it accounts for is more important than the
That can be taken a number of ways; could you clarify, please?
My fear is that, yes the certification will count for the
fact that it is carried out by the Big N-1 and the vendors,
and that's what we have to avoid.
>Blind credentialism is worse than no credential at all.
YES YES YES!! But the trouble is that too many organizations will
turn around and say "CISSP? ISSA? ISACA CSSPAB? ASIS?
CSIS? Don't give me this s***, just go fix my computer!"
Yes but how? What's secure for me may be unusable for you.
I've been in organizations where kids who think they're
slick admins (but were still in diapers when I was hacking
kernels) tell their boss I don't know what I'm talking
about, and then said kid replaces most of the vendor
supplied software (which, let's face it, was buggy anyway)
with freeware, but without consulting or telling anyone
and without testing, documenting or setting up procedures
for maintenance. Who's his boss going to believe, this kid
with a recent masters in CS, or me with a 25 year old
degree from a 900 year old university which didn't even have
courses in CS when I was there?
As I've said before, most of what I've learnt isn't
teachable, you have to have been down in the trenches,
under fire, shoveling the s***. In security most of what
you learn is from things that have gone wrong. Like
with a CPA, you have to be a CA and then run your
'internship', and like an intern at a hospital, you
learn from the rough stuff, the sleepless nights, the
>We need to supervise (as professionals) the facts of certification.
Probably, on the basis of 'if we don't hang together
we shall be hung separately'? Yes, we need a
world view that can say that there are people out there
who don't know what they're talking about. Mark T would
say that the Big N-1 have a disproportionate share of
these. Certainly, I agree with him, from first hand
experience, that billing is more important than quality
or results, with these people. But you can bet that if
we make this as tied down as the accountants, the Big N-1
will pick it up and run with it to their own agenda.
>Certification must, in order to work, only certify that you have a
>working familiarity with the equivalent of Ohm's law, Maxwell's et al.
Which gets back to the CISSP.
Look everyone, before we flog the idea of certification
round the field once more, go out and get a copy of the
CISSP exam guidelines and see if it addresses the issue of
"principles vs specific technologies" for yourself.
>To be really credible, a certification must not represent a leverage for
>anything more than basic competence in the knowledge of principles.
Look to the CISSP.
## Reply End ##