OSEC

From: L Williams (eldub@pobox.com)
Date: Tue Jan 08 2002 - 11:53:33 CST

    I took (and passed) the SSCP back at CSI 2000. Generally I stay away
    from the "which certification" conversations, but I'll share some
    thoughts on why I decided to take it, how I prepared, and whether I would
    do it again.

    First, personally I am fairly pragmatic and make a big distinction
    between someone who understands the "theory" of security and the
    "practical application" of security. In cognitive theory the concept is
    called "transfer". That is, the ability to apply what one knows to real
    situations.

    In *my opinion*, the greatest failure of the CISSP is that it tests
    one's ability to spout "theory". It is horribly inaccurate at gauging a
    person's ability to apply the concepts. This has resulted in a glut of
    "security experts" who have no ability to solve real-world
    security-related business problems.

    I took the SSCP because it seemed to address this weakness of the CISSP.
    I prepared by reviewing the SSCP guide and reviewing McAfee's virus and
    malicious code dictionary to brush up on some terms I was confused by. I
    believe that if you have been a practitioner in most of the bodies of
    knowledge, you should be fine. I found the test to be fairly simple.

    Continuing, I think SANS is trying to address the transfer issue with
    their requirement for a "paper"; however, the reality is that a paper
    does not really prove one can apply concepts to a real situation.

    What the security field needs is an exam akin to the CCIE exam Cisco
    provides. Essentially, an exam that tests book knowledge, but then
    requires the examinee to deal with realistic case studies. Let the case
    studies be evaluated by a jury of practitioners. Then we may see
    certification that is meaningful.

    Oh yes, so if I'm so negative towards the CISSP, why am I even on this
    list? As I said, I'm pragmatic. The reality is that I will probably take
    the darn CISSP because the industry fails to recognize any other
    certification. Every single time I work with a customer I get asked what
    "SSCP" means...

    -Laudon Williams
    eldub@pobox.com