Comments on TaoSecurity Blog: Notes from Airplane Reading
Richard Bejtlich

Anonymous, 2006-01-19 22:53 -05:00

Gah! I keep forgetting about the ISSA meetings. I'd like to get to a couple.

DoD requires certifications? What happened to judging employees or potential candidates by experience, knowledge, and other factors that have a more direct effect on job functions? This approach of having a list of items that makes a good employee just doesn't work in the real world. We all probably know someone that can pass certification tests but miserably fails in real-world situations (and I say that as someone with a few certifications).

Guidelines are as close as you can get to a list of precise requirements or you will end up hiring based on a cookie-cutter approach and lack diversity of experience and knowledge. Am I just being naive?

The people doing the hiring don't trust themselves or the technical managers to make good hiring decisions. They seem to feel the need to make these lists of requirements in an effort to reduce the number of subjective judgements required when evaluating job candidates. I just don't think that works.

Anonymous, 2006-01-19 19:00 -05:00

Richard,

You probably already know this but Security+ is not even anywhere near the same class as the CISSP. I am quite sure no work experience is required to take the cert - it's a very 'base' level certification. Additionally, although Security+ tests a somewhat broad range of topics, it is universally agreed that the exam requires you to pick the best answer from badly worded questions and bad choices of solutions. "Relevancy" of questions was generally ok but when I took the exam one of the questions was to do with an obscure acronym of a 'security-related' association.

Make of this opinion what you will, however I'm sure many others have similar sentiments regarding the Security+ certification.

Richard Bejtlich, 2006-01-19 15:46 -05:00

Harlan -- I've debated this point with many people who think CISSP is a technical cert. Someone running as a candidate in a local infosec group even advertised himself by saying "I have my CISSP, so that means I have technical skills."

Anonymous, 2006-01-19 15:26 -05:00

"The survey found that respondents with certifications from...the International Information Systems Security Certification Consortium -- also known as (ISC)2...think that their training does not give them as strong an advantage in performing hands-on security jobs as platform- and vendor-specific certifications do."

Well...duh! The CISSP cert does not claim to be a technical cert, and when I received my certification in '99, was not advertised as such.

I agree that holders of the other certs (SANS, Cisco, etc) are more technically prepared than the ISC^2 cert holders, in general, though that really depends upon the consultant.

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com