"I Am Certified - You Are Secured"

docricedocrice Member Posts: 1,706 ■■■■■■■■■■
Interesting reading. I agree with at least a good majority of it.

https://www.infosecisland.com/blogview/15226-I-Am-Certified-You-Are-Secured.html

I also have a wall of certifications (at least compared to what I had less than two years ago) and I still don't feel like I know what I'm doing. Security is hard. So far, I haven't encountered a whole lot of security paper tigers, but perhaps you guys have seen them in the wild and in action.
Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/

Comments

  • Bl8ckr0uterBl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
    Very good article and the comments were also gold. Really makes you think about what you know and how you can prove it. Very good post, +rep.

    I have said before about my problems with many CISSP holders that I have met (and I will not go into them again) and also various CCNA and MCSE holders (had an MCSE who didn't know what DNS was; this particular MCSE said he was an expert at Active Directory but didn't know what DNS was and had never heard of a trust. Mind you, my non-certified, non-MS-loving self has heard of these things and I am pretty sure I could set up a trust, maybe not to the degree of some of the folks around here, but I digress).

    While I was lying in bed with my wife reading Total Money Makeover I was actually thinking about (among other things) making sure that anything I put on my resume I can back up. I looked at my goal timeline and knocked like 4 tests off of it because I want to make sure I have enough time to go through and read the old TCP/IP books and really master the Networking part of Network Security. After talking with a few friends of mine, I just don't think anyone does that anymore. I actually had a guy tell me that he doesn't read packets at all (a Sr. Network Engineer for a major company). But again I digress. All I am saying is that there are too many "l33t hacker" people in this world for any up-and-comers like me to not make sure we are current and deep in our basic knowledge of attack vectors and defense. We just have to know this stuff at a deep level, and not just pretty GUI-based tools; I mean stuff like hping (I just learned about this like two weeks ago, it's actually extremely hardcore) and how things really work.
  • SephStormSephStorm Member Posts: 1,731 ■■■■■■■□□□
    I saw this on LI, and while I have heard it has good points, I couldn't stay with it. Perhaps it is because I put so much into obtaining my certs and using them as a platform for learning that I tune articles with such a tone out. And indeed, I can't see the benefit of it. We all know these people exist (Joe Black). But articles such as this don't help the situation any. And I don't remember him speaking about the certs in the industry that do require direct knowledge and application of that knowledge.

    But I will agree, cert chasing has its downsides. Despite my best efforts, I find that I am not quite where I need to be on my knowledge of security, or indeed, IT. I find myself questioning whether something is a risk, or if the risk is worth taking. I often can't give a dictionary explanation of something, but I do know it... And don't get me started on Office administration... Don't ask me why they train us on Exchange Server when most of our issues are client side, and I have no way of knowing what the issue is before I go to Google...

    Idk, I may spend most of the next year affirming my current security experience and building my general IT knowledge.
  • Bl8ckr0uterBl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
    SephStorm wrote: »
    Idk, I may spend most of the next year affirming my current security experience and building my general IT knowledge.

    ^This. I feel the exact same way. In order to be a Network Security Engineer you really have to focus on the words in that order. Learn Networking. Learn Security. Learn Engineering (putting it all together). In my opinion that is the way to really be l337.
  • [Deleted User][Deleted User] Senior Member Posts: 0 ■■■■□□□□□□
    Bl8ckr0uter wrote: »
    ^This. I feel the exact same way. In order to be a Network Security Engineer you really have to focus on the words in that order. Learn Networking. Learn Security. Learn Engineering (putting it all together). In my opinion that is the way to really be l337.

    Amen. You don't just dive into security.
  • chrisonechrisone Member Posts: 2,278 ■■■■■■■■■□
    Haha, this guy said it best: "who the hell needs a CCIE to maintain firewalls"

    He is right in a sense, but come on now, the CCIE Security involves a hell of a lot more than just firewalls, and let's face it, security is more than just firewalls. He makes some good points, but this is just another view of certs from another random dude, no offense; I'd take my CISSP or CCIE Security certs if I had them.
    Certs: CISSP, EnCE, OSCP, CRTP, eCTHPv2, eCPPT, eCIR, LFCS, CEH, SPLK-1002, SC-200, SC-300, AZ-900, AZ-500, VHL:Advanced+
    2023 Cert Goals: SC-100, eCPTX
  • grauwulfgrauwulf Member Posts: 94 ■■□□□□□□□□
    xmalachi wrote: »
    Amen. You don't just dive into security.

    Sadly, many people do. A brain **** gets you a few certs, a few certs gets you a job and then *poof* LulzSec has a party on your new company's dime. It's a little depressing, but it's good to see people with the right frame of mind. Your tagline of "Goal: experience" is a great example of what I would think of as the right approach; it pretty much says it all.
  • chrisonechrisone Member Posts: 2,278 ■■■■■■■■■□
    Yeah, I read that guide as well; it was a great read and I respect the guy's view on certs and I agree with him on almost everything. My point is he isn't the first guy to write this type of article; they are written on a daily basis. I still hold my stance on the quality of the CISSP and CCIE certs. I hold in high regard the skill set one gets achieving those certs, rather than the mystique and prestige one holds with the title, which is what I think the author has a nitch with.

    I think studying and mastering your craft for more than 12-18 months is high-level stuff and I respect any individual who does so. In no way does that mean you are better than anyone, but I respect the skill set and dedication people put in for the CCIE.
    Certs: CISSP, EnCE, OSCP, CRTP, eCTHPv2, eCPPT, eCIR, LFCS, CEH, SPLK-1002, SC-200, SC-300, AZ-900, AZ-500, VHL:Advanced+
    2023 Cert Goals: SC-100, eCPTX
  • ipchainipchain Member Posts: 297
    Very interesting read. I agree with him on most of his points, especially on the value of CISSP.

    So far, my pursuit of knowledge has led to a few certifications being awarded to me, but I do not consider myself to be an expert in the security arena. Security is very broad, so I often realize that I am barely scratching the surface - there is much more to be learned out there.

    To date, I have read and practiced subjects that were either directly related to my job, or of special interest to me. At the moment, I find myself exploring unknown territory as I am studying for the CISSP, which I don't really hold to very high standards. Nevertheless, CISSP is in very high demand, so rather than writing a very long post citing many reasons why I don't believe I should pursue it, I decided to bite the bullet and get it over with. I am aware it will not be an easy task as I am totally unmotivated, but I will get it done at the end of the day.

    There are many reasons to get certified, but I don't believe certification should be the deciding factor as to whether you get a job or not. I fully understand requirements do need to be met, so why not give someone a conditional letter of employment stating they must attain CISSP status within (6) months from the date of hire? It sure looks like a win-win situation to me.

    I consider myself a life-long learner, so I will forever be in the pursuit of knowledge. Whether it is through certifications or not, knowledge is something no one can take away from you. My primary driver is not financial gain as I already have my dream job, which I plan on keeping for another (30) years or so. What drives me is the desire to stay current, to explore new horizons, and to motivate my peers to do the same. Information grows when shared, so I find it very rewarding when I can share with others what I have learned.

    Let's be realistic folks, no certification will help you make six figures - it's the combination of certifications and experience that will. While you may question this rationale, it is the way business is being conducted today, so we must learn to cope with it. Fortunately, a brighter future awaits us, but only time will tell.

    Just my two cents.

    Regards,

    - Alain
    Every day hurts, the last one kills.
  • darkladdiedarkladdie Member Posts: 25 ■□□□□□□□□□
    Funny blog post to me.
    It reminded me of a survey I filled out just after I got my CISSP, with my manager shoulder surfing. He was amazed at how low a value I assigned to having a cert in order to perform a job; I believe I had it as next to last in value.
  • sb97sb97 Member Posts: 109
    chrisone wrote: »
    Haha, this guy said it best: "who the hell needs a CCIE to maintain firewalls"

    He is right in a sense, but come on now, the CCIE Security involves a hell of a lot more than just firewalls, and let's face it, security is more than just firewalls. He makes some good points, but this is just another view of certs from another random dude, no offense; I'd take my CISSP or CCIE Security certs if I had them.

    Oddly enough, my experience shows that whoever is managing the firewall needs to be on the ball. The reason being that anything that goes wrong on the network is immediately blamed on the firewall. Therefore the firewall admin tends to have to be able to perform at least basic troubleshooting on everything else.
  • afcyungafcyung Member Posts: 212
    The problem I have with the article is that it doesn't look at the current economy. It is extremely easy for a company right now to demand certain qualifications that, to most, exceed the requirements for the position, solely because we have an underemployed workforce that is looking for any type of work. It's easy to want someone with a CISSP/CCIE when there are plenty of them looking for work. It is the same thing we are seeing when a company wants a guy with a BS in IT to work tier 1 helpdesk support.

    I also found that the author of the article wrote from a jaded perspective. Statements like "Security? I don't care for it. I learned a long time ago that companies do not want security. They do not want assurance, they simply want a framework to ensure that they did no wrong. My goal is simplified ten-fold and my aim, ensure that someone on the C-level can cross their T's dot their I's and get on with their game of golf. Obviously golf is the only association to the word Ping [1] many will ever come to know." make me wonder, if you don't care for security, then why be involved with it. Also, by doing something like this, where you don't provide what they need but instead what they want, you put yourself in the position of being the fall guy.

    I also think we are witnessing a change in perspective on InfoSec at the top of organizations. Things like LulzSec and the Sony breaches should highlight to any C-level person that security should be a cornerstone of the business model. Once the fallout from Sony shows up in their bottom line, other companies will take a look at their current stance on security, if they haven't already, and make changes. I also see increasing federal regulations making security a higher priority as well.