On Fri, 20 Feb 1998, Anton J Aylward wrote:
> >I think we can all drudge up examples of
> >people with certifications and a complete lack of clue.
> I think the same can be said for degrees, doctorates, professorships,
> democratically elected representatives.... Are you condemning the
> principles and the practices because of some poor individuals?
No, I'm questioning the principles and practices because of the scope of
success. *Anyone* who wants to can pass <insert your favorite computer
certification here>, and *everyone* can _not_ do <insert your favorite
computer task here>. That, to me, means that we have a serious breach
between the process and the results. It would be trivial to hire based
on certification *if* the certification showed that the hiree was
experienced enough to do the work. Certifying that someone has only some
set of "base skills" seems less than useful to me. Certifying that
someone has some set of "base knowledge of base skills" less than that.
As Bennett has pointed out, many traditional degree programs are a
*starting point* to entry level, and I find it hard to accept that an
auditor (which is what we were originally discussing) in the field should
have what amounts to entry-level credentials. When I need an audit of
my network security, I don't care if you've got a CPA, and I don't care
if you've got a PhD. I *do* care that you've got enough knowledge to
competently audit a complex multiprotocol, multivendor, multidiscipline
networking environment. Doing the social and political bit is the *easy*
part of all of this. Gaping holes there tend to stand out and are easily
tested. It's the implementation details that an audit is *supposed* to
evaluate, and you can't do that without effective knowledge
of the environment. If my packet filter doesn't drop TCP packets with
FO=1, then it doesn't matter how well you check my filtering ruleset, or
even if you just check to see that I have one, and that it is
documented. I'm expected to take everything into account when I design
and implement networks, platforms and procedures, and I expect the audit
role, which is my assurance that I've done the right thing to be able to
do the same. I don't think you can certify for that, and I think that
anything less is only useful if you have industry-wide acceptance,
because otherwise you're *not* screening out bozos because there are
competent people who *don't* hold the certification, and indeed they can
be more competent than those who do.
> One thing I meet every so often is situations where some 'consultant'
> (read contractor) has installed "security" equipment which has
> actually served to make life difficult for everyone by impeding
> the workflow. The 'consultant' called this 'security', and no-one
> knew any better. So 'security' consultants have a bad name at
Sometimes having security means impeding the workflow. That's a business
choice. Sometimes it's more important to interrupt the workflow just to
make the workers *aware* of security. To secure some things to an
acceptable level you need to do things that aren't non-intrusive. That
has nothing to do with the level of security or the knowledge of the
practitioner. The day before yesterday, I noticed one of our security
guards interrupting the workflow by not letting a courier deliver
packages to our building because the courier couldn't present a valid
courier card. I didn't see this as a bad thing.
> >If certification
> >programs perpetuate that state of events, then perhaps we actually are
> >better off without them, or as Bennett suggests, using them as negative
> So you're judging the certification process by the worst examples of
> the people who make use of it for their own ends. That's like condemning
> God because of fornicating priests, or the democratic processes because of
> corrupt (or over sexed) politicians.
No, I'm questioning the value of the process, something you seem not to
want to do. I don't accept your predicate that certifications are good.
You've yet to show a compelling case for them as they currently exist in
the computer industry.
> >Let's examine this from another angle, and see why we're at where we
> >are. What exactly would drive someone like myself or Bennett to take
> >such a course?
> I don't know. I suspect you've already made up your mind
> and nothing short of threats would do so. But lets ask the
That's where you're wrong. If there were a compelling reason for me
to take time to go through a process like certification, I'd do it.
> question another way: what drives undergrads to study
> trig, calculus and stats, logic, and heaps of maths?
> It won't - to link to another part of this thread - help them
> install W/95 from a CD. Eventually they get examined on it
> and granted the BSEE or whatever.
That's not the same question. The question is about the relevance of the
process if all it does is attract those who *want to be* and excludes
those *who already are*. Once again, you seem to miss the point that
there is a difference between certifications which show a level of
competency and certifications which deem to provide something which
equates to employability or contractability.
Let's assume that someone knows a great deal about firewalling, computer
security, physical security, information security, network security, and
things like that. Now, if you can't apply the metric to them, and you
can't apply the metric to their peers, and the metric is only applied to
those who want to be where they are, then again, your metric is not useful
for measuring anything more than people who want to make a career change,
or who spend time collecting certifications. For an audit, neither of
those groups is of interest to me. For employment, one of those groups
is of seriously negative interest to me.
Your entire sample group is people who want the job or a contract, not
people who do the job 24x7. I see that as a very significant shortcoming.
Rather than trying to reword that issue, how about taking a stab at fixing it?
If you can find that answer, then your position will have significant merit.
> When I look back to my degree, the parts I never studied for,
> the parts I thought irrelevant, were things like transistor based
> circuit design. RF theory was eventually useful when I was doing
> VSLI fab, but the only things which have stuck with me over the decades
> are the fundamentals, maths, logic, stats. And the discipline
> of six years of latin. Which I've never used, except in graveyards
> while on vacation. But if I had to give it up, latin would be the last
> thing I gave up, because it required more self discipline and focus
> than the others.
And I'm sure that nobody hires security auditors based on knowledge of
dead languages. Once again, I submit that you've not shown a case which
says that perpetuation of the process gains us anything over not doing
it. We've seen over and over again cases of degrees and certifications
not providing value. We've seen cases of people with no degrees and no
certifications providing value. Until you can come up with a way of
normalizing the results between those groups, you haven't given evidence
that the process is worthwhile.
Paul D. Robertson "My statements in this message are personal opinions
net which may have no basis whatsoever in fact."
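The "TCP packets with FO=1" remark in the message above is the RFC 1858 fragment-overlap rule: an 8-byte first fragment carries only the TCP ports and sequence number, so a second fragment at offset 1 lands on the flags field and can rewrite what a port-based ruleset already inspected. As an added illustration, not part of the original thread, here is a minimal Python version of the check a filter implementation has to get right regardless of how tidy its ruleset looks; the packet builder, addresses and sample payloads are constructed for the example.

```python
import struct

# IPv4 header (RFC 791): byte 9 is the protocol; bytes 6-7 hold the flags
# (MF = bit 13) and the 13-bit fragment offset, counted in 8-byte units.
IPPROTO_TCP = 6
MF_FLAG = 0x2000
FRAG_OFFSET_MASK = 0x1FFF

def parse_ipv4(pkt: bytes) -> dict:
    """Pull the fields a fragment check needs out of a raw IPv4 header."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    version_ihl, _tos, _length, _ident, flags_frag, _ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    if version_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return {
        "proto": proto,
        "more_fragments": bool(flags_frag & MF_FLAG),
        "frag_offset": flags_frag & FRAG_OFFSET_MASK,  # in 8-byte units
    }

def filter_verdict(pkt: bytes) -> str:
    """RFC 1858 overlap rule: drop any TCP fragment whose offset is exactly 1.

    Offset 1 covers bytes 8-15 of the TCP header (ack number, data offset,
    flags), so that fragment can overwrite the flags a first-fragment check
    trusted. Non-TCP fragments and offsets other than 1 are left alone.
    """
    hdr = parse_ipv4(pkt)
    if hdr["proto"] == IPPROTO_TCP and hdr["frag_offset"] == 1:
        return "drop"
    return "pass"

def build_ipv4(proto: int, frag_offset: int, more_fragments: bool, payload: bytes) -> bytes:
    """Constructed IPv4 packet for testing (checksum left zero; the check ignores it)."""
    flags_frag = (MF_FLAG if more_fragments else 0) | (frag_offset & FRAG_OFFSET_MASK)
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(payload), 0x1234, flags_frag, 64, proto, 0,
        bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]),  # RFC 5737 test addresses
    )
    return header + payload

if __name__ == "__main__":
    print(filter_verdict(build_ipv4(IPPROTO_TCP, 1, True, b"\x00" * 8)))   # drop
    print(filter_verdict(build_ipv4(IPPROTO_TCP, 0, True, b"\x00" * 20)))  # pass
```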