Sunday, April 20, 2008

Not a CISSP ?!?!

Chris Eng over at Veracode has an interesting post on their blog about Immunity Inc's "Not a CISSP" button.

If you've been under a rock, here is the button:

I've got mixed feelings about the button. For one thing, I've seen a couple of CISSPs wearing that button at DEF CON/ShmooCon; I guess they were practicing some SE. But secondly, it's easy for people in the top 5% of the security game to say you don't need certifications, because they (most importantly) already have that level of experience and name recognition. Dave Aitel doesn't need to take a test and throw some letters after his name to prove to anyone he knows his stuff; he proved himself long ago. But I can't imagine he came out of the womb with that much fu. Maybe he did, I don't know.

For us mere mortals who are just trying to get a paycheck and get some experience, a lot of places are requiring certifications to be on the contract, to get the job, or even to get your resume to the hiring manager. For .mil/.gov this is because of 8570. To me, requiring certifications is a step in the right direction. Since no one has come forward with a scalable "hands-on" way to certify people, that paper test (for now) will have to do. At least people are trying to get qualified people in the slots; saying CISSP or some other cert makes you automatically qualified is another matter.

I'll be the first one to agree with Chris that, "like many security certifications, it's an ineffective measure of a security professional's practical abilities." See my CEH != Competent Pentester post, but the game is the game. If you have to sit for a test to do/get the job, then stop bitching, take your test, and move on with it. If you want to stand your ground and just bitch and not get the job, enjoy your time on the Geek Squad.


gabeleblanc said...

I don't get it. Some of these elite dudes like Dave Aitel have worked with DoD people, so they should know the current state of affairs. The fact of the matter is that there are many people in "IA" positions that are just not up to par, and the 8570, CISSP, etc. initiative is merely an attempt to weed out some weak players. We as people that work in this field for the Gov. have to abide by these rules; it's just a game, putting a check in the box. If companies like NG or Raytheon or whomever want to bid on these big dollar Gov. contracts, they have to have people with these certs that they can place on the proposal. It may suck for us that have to get the certs, and it does not mean that we actually endorse the cert and believe that it holds merit, but we have to put the check in the box to play the game. So like you said, either we do what is required or we don't get to do the super secret squirrel shit we get to do, and instead we sit on the outside with an elitist attitude thinking we are too good to get a petty cert. I also agree that these certs are poop, especially CEH, churning out cats that think they are l33t h@xors cus they went to a 5-day bootcamp and passed a multiple choice test; it don't mean doo-doo. Overall I don't think it is the certs themselves, it is the attitude about the certs and people on both sides of the coin: those who are getting the certs and those looking for people with the certs, believing that a piece of paper magically grants powers not had before that piece of paper. But this is nothing new; it is almost the same as institutions handing out pieces of paper that spell out a degree on them. Some people with degrees actually know their shit and many, many more just brain dumped everything the second their last class ended. Sorry...Rant over

CG said...

Yeah, the issue I think is less the quality of the test and more the people who are uneducated improperly placing experience behind some letters in your signature block.

It wasn't that long ago people were screaming, like you said, to have some sort of method to level the playing field and weed out weak players; now people are bitching about how the gov is weeding out those weak players.

I think we are still moving in the right direction, but people need to understand that CISSP or whatever doesn't equal hands-on knowledge. CISSP does equal a good knowledge (at least for the test) of some important core IA principles. Does that help you write 0day? No, but they should understand IA controls and CIA and all that other not so fun IA stuff.

Rob Edinger CISSP said...

A CISSP credential, when taken with a resume or blog posting that shows the ability to write well and use good grammar, is a positive indicator of knowledge, skills and abilities. A CISSP is only one shibboleth among many that one can use to determine whether someone is a security poseur, a supercilious orthographer of argot, or an epigonic Cresson-Woods. Nothing says “Not a CISSP” more clearly than an inability to write well.

CG said...

"A CISSP is only one shibboleth among many that one can use to determine whether someone is a security poseur, a supercilious orthographer of argot, or an epigonic Cresson-Woods."

--Yeah, like putting them in front of a keyboard and saying "Go!" Which is the whole point of the post.

I have a couple of comments on Rob's post.

1. Blogs != whitepaper, thesis or anything meant to be "academic." At least I don't treat it that way.

2. If the CISSP was about grammar and punctuation, then they should test it.

3. I'll take someone that can't spell with technical ability LONG before I'll take someone that has the "Little Brown Handbook" memorized.

4. I also completely disagree that 1) someone can't be a good security professional and not write well and 2) writing well equals anything more than, well, writing well. The fact that someone can throw big words around tells me nothing about their technical ability (which I am far more concerned about).

Anonymous said...

I think that for everyone's sake (Rob included) it is good that the CISSP doesn't have a punctuation test!

Gary said...

CISSP is neither a technical security nor an English language qualification. It is a general information security management qualification that emphasises breadth of coverage over depth - 'a mile wide and an inch deep'.

A few CISSPs are strong in all domains; most are stronger in some than others.

Technical qualifications such as SANS GIAC are a better guide to someone's technical security knowledge and expertise than CISSP. Although we might argue about the relative areas, technical qualifications tend to be 'a mile deep and an inch wide'.

Some jobs/projects require BOTH breadth AND depth, at least in certain areas. Many CISSPs have other qualifications too.

Some CISSPs can write well, which is handy when it comes to preparing information security awareness materials and policies, business cases and management reports. Some can't and shouldn't.

Don't neglect the experience and CPE elements of CISSP that are intended to emphasise the value of practical work experience and continuous personal development in information security. There's a bit more to it than paying the registration fee and sitting the exam.

Kind regards,
Gary Hinson, CISSP and proud of it

CG said...

Good response Gary, thanks for it.

Unknown said...

One thing I can say about writing ability: how a person puts their thoughts down on paper for the world to see, a paper presented to peers or the boss, says a lot about how that person thinks. If the paper is a series of random thoughts with tidbits of goodness scattered throughout, who is going to take the time to find and use the tidbits? Likewise, at the end of most pentests/assessments, at least the ones I've been on, there has always been a backbrief to management and then a separate one for the techs. If you cannot write well, chances are you cannot present well either: scattered thoughts, techy verbiage for a non-techy audience, etc. If you alienate the management by caging their eyes back with boredom, do you really think they will invite the team back?

Thoughts on CISSP and writing...Thank whatever deity you pray to that writing samples are not required on this test. I've done LSATs and I never want to do that crap again.