OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
NFR Wizards Archive: Re: Network Security Certification

Re: Network Security Certification

Paul D. Robertson (probertsclark.net)
Tue, 28 Apr 1998 17:50:19 -0400 (EDT)

On Tue, 28 Apr 1998, Anton J Aylward wrote:

> I've just taken the course.
> The exam is Saturday.
> No its not mainframe oriented.
> I've been doing this for nearly 20 years and I find the material
> a challenge. Despite what people like Paul Robertson say, this is a
> true test.

I seriously questioned the real-world value of such certifications based
on my experiences with the people who held them. I know folks who have
them who are _seriously_ missing pieces of the real-world puzzle. Some of
them are fair at the business side things, but I've yet to meet a
certificate holder who impressed me because of the certifcation process,
or other than one case, their grasp of real-world security problems.

In the ensuing time since this went around, I've met another couple of
holders, one of whom I would actually trust to do real-world evaluations
of my networks. All the experience and knowledge said person gleaned that
made them meet my criteria was prior to them even considering the test.
My observations are still overwhelmingly negative.

Maybe your evaluation criteria are different than mine. Perhaps I just
know better qualified non-certificate holders than you do. I still
maintain that while the body of certificate holders is less than the body
of clued by an order of magnitude or so certifcation doesn't hold a large
ammount of value. I still know more uncertified people who can explain a
TCP fragment offset bug, evaluate key handling techniques, understand that
IP spoofing doesn't just include your own address block, understand the
difference between syslog() and syslogd...

If your resume came accross my desk, and you had certification but not
experience, it wouldn't mean much to have the certification. If you
had experience but not certification, it wouldn't mean much not to have
the certification. The conferences I've been to where folks are going for
the test, they've been going to bail out of a mainframe career pretty late
after the ship had already hit the iceberg. I prefer to see people in
critical industries who can keep an eye out over the bow. Perhaps that's
changing, but until it does, my observations remain valid for those I've
talked to and observed.

I know a few people who swear by MCSE and CNE certifications too, I tend
to not put much stock in those certifications either. I've yet to
interview an MCSE who can subnet. I'm sure some can, but the mean of my
experiences with MCSE's has turned it into a negative metric.

I've been RACF "special", I've been a VM sysprog, my first job had IBM
360 mainframes running DOS. I've yet to see a certification process that
tests enough current knowledge to be more useful than the same ammount of
time spent doing individual research.

> Mail me back after Saturday and I'll tell you more of my experience with it.

I'd encourage you to share it with the list. Despite my obvious reaction
to the results I've seen from certification processes, I'm interested in
your perception of the process, and I'm sure others are too.

Um, I wasn't going to do that whole rant again, but that's what you get
for bringing me into it. Maybe I'll shut up next time this comes
around...

Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
probertsclark.net which may have no basis whatsoever in fact."
                                                                     PSB#9280

This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:10:48 CDT