1998-02-23-00:51:46 Jeromie Jackson:
> I recently took the CISSP exams and passed.
> As far as the credibility of the test, I would have to make several
That's seriously appreciated --- observations drawn from personal
experience are are a boon in this sort of discussion, and they've been
pretty thin on the ground, at least re CISSP.
>[... description of the test, consistent with what else has been said
> here, namely that it may be good for breadth, but it doesn't say
> much useful about the candidate's depth of computer security
> knowlege ...]
> In summary, I feel the test is useful in assuring a customer that the
> consultant/firm has @ least done a little work in the security areana.
That may be true. The question remains, is it a better tool than other
conveniently-available alternatives --- interviewing and checking
references --- for guaging the expertise of a computer security auditor
before hiring them? So far it doesn't sound like it. The depth the CISSP
doesn't get in to is the knowlege that's critical to doing a good
computer security audit.
> Many firms in today's market are those which have no security knowledge
> whatsoever, and mearly see good margins. This being the case, ignorant
> consumers need a way to determine who they can rely on.
Ignorant customers can lean on two traditional approaches: interviewing
and checking references. Interviewing will narrow it down to people who
know more about security than the interviewer, and good liars. Reference
checks will narrow it down further. Nothing's perfect, but the
traditional tools for measuring the worth of candidates seem likelier to
help than the CISSP.
> [...] I would equally say that organizations who are not knowledgeable
> within the infosec security domain have no other choice than look for
> certification status.
And _That_ statement is the one I'd disagree with _MOST_ strongly. For
computer security expertise, certification may weakly indicate a very
weak and dilute base of knowlege, totally insufficient to do a good job.
By contrast, interviewing will at least reveal two things that are good
to know: (a) that the candidate knows more than you do, however little
that may be, and (b) that they come over as professional. Having gotten
whatever goodie you can out of the interviewing --- more if you have
even the expertise you can get from a couple of weekends reading --- you
then check references. The less you know about a field (i.e. the less
qualified you are to give a tough interview) the more critical
> Look @ the NCSA tests. I will not say they are good, however they are
> better than none at all.
But we're not comparing the CISSP with nothing at all, we're comparing
it with traditional hiring practices that work quite well.
> As far as judging the CISSP certifications usefulness based solely on
> what is provided on their web page, that is utterly ignorant. Just
> because an organization doesn't have an elaborate web page doesn't
> mean the organization as a whole is incompetent.
If that were all --- ``doesn't have an elaborate web page'' --- then
you'd be right. But this is much more severe; as far as I've been able
to find, they don't have _Any_ substantive information available online
at all. If they were competant and they had something worthy buying on
its merits, they'd make that information available in the medium most
used by practicing computer security admins. Either they're incompetant,
or they know they don't have anything of value to us, I can't think of