OSEC

 
From: Crispin Cowan (crispin_at_wirex.com)
Date: Sat Oct 26 2002 - 20:59:34 CDT


    Michael Dean wrote:

    > Just a short note from N. Ca where high tech unemployment is about 8%.
    > I am in a group studying for the CISSP test. This certification, we
    > believe, is important in differentiating ourselves,

    Yes, the CISSP is very important in differentiating recruits: those who
    advertise CISSP's are the ones I do *not* hire.

    I am half kidding;

        * CISSP is a defect I am willing to overlook if the candidate has
          other compensating qualities. There are a few CISSP-carrying folk
          that I really respect. They probably know who they are.
        * If one is running a large IT shop with a massive labor pool
          requirement, then the near-guaranteed mediocrity that comes with
          CISSP is an advantage rather than a defect. But I'm running a
          security R&D shop, and by and large don't have time for CISSP'ers.

    Why am I so down on it? Because "certificates" like this encourage
    people to do rote memorization sufficient to pass a tick-box test, not
    to actually go out and learn principles for their own sake. I want staff
    who are into security because they really love it, and are compelled to
    learn new stuff for their own pleasure, not test-takers who see security
    as the next lucrative thing.

    So what do I look for? Personal initiative, creativity, and clue.
    Evidence would include published open source software, security fixes,
    thoughtful Bugtraq postings, and well-done code audits
    <http://sardonix.org/>.

    > Now your answer below -- I think that guy is all wet. Maybe that's
    > the attitude in the corner drugstore, but not in any big business.

    I think Antonomasia is largely correct. It's not that big business does
    not want security, it's just that functional requirements often trump
    security desires. In some cases this is actually a good idea (managing
    some risks is cheaper than fixing the vulnerabilities). In some other
    cases it is just cluelessness; management doesn't understand the risks
    they are creating. Management generally only acts proactively when they
    can quantify the bottom line associated with security, which means that
    they're either a bank, or they're about to be subject to HIPAA :)

    Crispin

    -- 
    Crispin Cowan, Ph.D.
    Chief Scientist, WireX                      http://wirex.com/~crispin/
    Security Hardened Linux Distribution:       http://immunix.org
    Available for purchase: http://wirex.com/Products/Immunix/purchase.html
    

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (GNU/Linux)
    Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

    iD8DBQE9u0iO5ZkfjX2CNDARAUwZAJ0bFQzzA9s3bR31AmzUjmpau5958ACgoEc4
    U8x8YI7QrqJ6tvLF99uywRU=
    =/kfn
    -----END PGP SIGNATURE-----