I appreciate you get asked this all the time ;) and have been looking
through some of the previous posts on this topic (honest!) but can I
ask what you think of security certification (esp. CISSP - is it worth
the money/effort?).
Have worked as a security developer for the past few years (sys + app
dev etc.) but have little enough to do with operational or "soft"
security stuff.
a_j_moran@yahoo.co.uk writes:
> Hi All,
>
> I appreciate you get asked this all the time ;) and have been looking
> through some of the previous posts on this topic (honest!) but can I
> ask what you think of security certification (esp. CISSP - is it worth
> the money/effort?).
>
> Have worked as a security developer for the past few years (sys + app
> dev etc.) but have little enough to do with operational or "soft"
> security stuff.
The CISSP is deemed by most to be a worthwhile certification.
However, there is an experience requirement that someone with a CISSP
will have to certify that you've been working in the IT field for some
number of years.
In article <1124374693.332180.191620@g14g2000cwa.googlegroups.com>,
<a_j_moran@yahoo.co.uk> wrote:
>Hi All,
>
>I appreciate you get asked this all the time ;) and have been looking
>through some of the previous posts on this topic (honest!) but can I
>ask what you think of security certification (esp. CISSP - is it worth
>the money/effort?).
>
>Have worked as a security developer for the past few years (sys + app
>dev etc.) but have little enough to do with operational or "soft"
>security stuff.
>
Personally, I think that if you have the knowledge and the experience
the time and effort required to achieve certification is not excessive.
If you have walked the walk for the period of time required for the cert,
which in the case of CISSP is 5 years, then you should have adequate
exposure to the 10 domains to pass the exam after a review of the domains
that you may be weaker on. In this case the money involved is trivial.
ISC2 dues and the exam cost and perhaps a study guide or two.
OTOH, if you do *not* have the professional exposure and feel the need
to attend a "boot camp" or cram course of some sort, then it can be
quite expensive. In this case you also may not have the practical
experience to maximize the benefit of the certification...
> In article <de29eo$irr$1@bolt.sonic.net>, claudel@bolt.sonic.net says...
> > OTOH, if you do *not* have the professional exposure and feel the need
> > to attend a "boot camp" or cram course of some sort, then it can be
> > quite expensive. In this case you also may not have the practical
> > experience to maximize the benefit of the certification...
Yeah, I know what you mean. For me it's half about doing something to
motivate me to learn about other stuff (crypto, protocols, PKI etc. are
all my daily bread but stuff in some of the other domains doesn't
really fall into my remit) and partly to shore up my CV. I'm really
not sure it matters that much if you really have the experience - that
said, I have seen it cited as a requirement for some jobs.
I guess I would rather learn it myself than attend courses.
In article <1124380915.619187.175550@g47g2000cwa.googlegroups.com>,
<a_j_moran@yahoo.co.uk> wrote:
>
>Leythos wrote:
>
>> In article <de29eo$irr$1@bolt.sonic.net>, claudel@bolt.sonic.net says...
>> > OTOH, if you do *not* have the professional exposure and feel the need
>> > to attend a "boot camp" or cram course of some sort, then it can be
>> > quite expensive. In this case you also may not have the practical
>> > experience to maximize the benefit of the certification...
>
>Yeah, I know what you mean. For me it's half about doing something to
>motivate me to learn about other stuff (crypto, protocols, PKI etc. are
>all my daily bread but stuff in some of the other domains doesn't
>really fall into my remit) and partly to shore up my CV. I'm really
>not sure it matters that much if you really have the experience - that
>said, I have seen it cited as a requirement for some jobs.
>
>I guess I would rather learn it myself than attend courses.
The CISSP is fairly broad and general. I was in a similar situation
where about 3/4 of the material was stuff I had daily exposure to,
but several of the domains were completely out of my orbit.
I was a bit shocked when I started on my first review before
the exam by how much I actually *did* know. It probably would be
more difficult for somebody without a technical background to
absorb some of the material in the more technically oriented domains
than it is to learn the formalities of some of the business oriented
stuff in the non-technical domains. That, for me, was mostly a matter
of learning enough of the language and the terminology that applies
to what are mostly common-sense processes to understand the exam questions.
Some certs are definitely money grabs (what's this group's take on that
point regarding CISSP?) but it is interesting to hear about your
interview tests. Although we should, we don't, and mostly when we
interview it comes down to a few ad-hoc questions (e.g., API how-to's
etc.) but not much more than that! It's a sort of geek instinct that we
use, but I have my doubts that our geek radar is fully switched on
sometimes ;)
Out of interest, what sort of questions do you ask?
In article <1124383524.942317.163650@g47g2000cwa.googlegroups.com>,
<a_j_moran@yahoo.co.uk> wrote:
>Some certs are definitely money grabs (what's this group's take on that
>point regarding CISSP?) but it is interesting to hear about your
>interview tests. Although we should, we don't, and mostly when we
>interview it comes down to a few ad-hoc questions (e.g., API how-to's
>etc.) but not much more than that! It's a sort of geek instinct that we
>use, but I have my doubts that our geek radar is fully switched on
>sometimes ;)
>
>Out of interest, what sort of questions do you ask?
>
I'm not completely sure what you mean by "money grabs".
There's definitely a minor cottage industry that has sprung
up that provides "boot camps" and "exam crams", etc. at high
rates catering to those who feel the need for that sort of
facility. As far as CISSP, the ISC2 dues are not exorbitant.
I doubt if anyone there is amassing extreme wealth from
their certification programs. IIRC the CISSP exam fee was
around $500, but it is easy to see how that revenue was
expended to cover venue, proctors, exam processing, etc...
Fair enough ;) I think some certification programmes though are geared
at collecting fees, selling books and courses and ensuring revenue
streams with renewal obligations - I remember seeing an account of the
financial statements for some business cert programme (I think it was
CFA?) and the money made was absolutely enormous. That said, maybe you
are right, Claude, and CISSP doesn't fall into this category.
ObDisclaimer: I am a CISSP. All my friends call me a hacker, although
I'm more of a generalist and lack the specific technical or business
skills of someone who, say, does systems programming or auditing for a
living.
Many certifications do an excellent job of gauging your ability to
memorize and to take tests. These certifications are typically used
by Human Resources departments as a kind of pre-qualification test,
e.g. the CISSP. If you already are a skilled practitioner (your
posting implies that this isn't the case), a certification like the
CISSP is good for getting someone to seriously consider your resume,
although I will admit studying for the CISSP introduced me to a few
concepts to which I had no previous exposure (such as all of the
MBA-type risk analysis/management stuff).
If you are looking to build technical skills, I recommend looking into
the SANS information security certifications. There used to be both
testing and practical components to their certifications, and I think
that hands-on experience with peer review is both a better way to
learn and a better way to certify. I'd follow up the SANS security
certifications with the CISSP at some later date, if only because the
CISSP is well known.
It is vitally important that you practice (literally). If you can't
learn new things at work, build a lab at home with junk equipment or
with VMware, and go to town. I may choose your resume because you
have the right letters after your name, but if you don't know what you
are doing or what you are talking about, you *will* flunk at least one
of my in-person interviews.
Best wishes,
Matthew
--
jsoffron: I'm generally pretty high on national defense...
Mr. Bad Example: Careful...it's a gateway policy. Before you know it,
you'll be mainlining the hard stuff like trade agreements.
jsoffron: Too late...I've been freebasing Nafta all day... Sweet,
sweet NAFTA.
- As seen on Slashdot
> If you are looking to build technical skills, I recommend looking into
> the SANS information security certifications. There used to be both
> testing and practical components to their certifications, and I think
> that hands-on experience with peer review is both a better way to
> learn and a better way to certify. I'd follow up the SANS security
> certifications with the CISSP at some later date, if only because the
> CISSP is well known.
Thanks for the SANS tip - I did look at this. The sample tests looked
easier than CISSP (at least the technical *NIX stuff was
straightforward for me). It would be interesting to hear what others
think of SANS vs. CISSP though.
Does the CISSP cover more general principles or go into platform
specifics?
> It is vitally important that you practice (literally). If you can't
> learn new things at work, build a lab at home with junk equipment or
> with VMware, and go to town. I may choose your resume because you
> have the right letters after your name, but if you don't know what you
> are doing or what you are talking about, you *will* flunk at least one
> of my in-person interviews.
Good point. Workwise I get a lot of technical exposure and some
(though never enough) fun time to try out new kit (e.g., HSMs) or APIs.
My own "lab" (such as it is) is a couple of *BSD/Linux cohosted
installs and I use it mostly to do my own crypto and programming.
a_j_moran@yahoo.co.uk writes:
> Hi Matt,
>
> > If you are looking to build technical skills, I recommend looking into
> > the SANS information security certifications. There used to be both
> > testing and practical components to their certifications, and I think
> > that hands-on experience with peer review is both a better way to
> > learn and a better way to certify. I'd follow up the SANS security
> > certifications with the CISSP at some later date, if only because the
> > CISSP is well known.
>
> Thanks for the SANS tip - I did look at this. The sample tests looked
> easier than CISSP (at least the technical *NIX stuff was
> straightforward for me). It would be interesting to hear what others
> think of SANS vs. CISSP though.
>
> Does the CISSP cover more general principles or go into platform
> specifics?
I believe SANS does also offer CISSP prep training, which confuses
things a little. I work with a number of CISSP and GIAC certified
folks, and am pursuing CISSP at this point.
CISSP is widely deemed as FAR easier to obtain than any of the GIAC
certifications. The main reason is that GIAC certifications used to
all require practicals: http://www.giac.org/practicals/
...while CISSP requires only that you pass a test. For instance, one
manager in our security organization obtained his CISSP after spending
a couple days with CISSP for dummies and sitting for the test. That's
not to say CISSP is a creampuff cert by any stretch, but just one
datapoint that indicates that it can be pretty easy to get for an
experienced person.
> Good point. Workwise I get a lot of technical exposure and some
> (though never enough) fun time to try out new kit (e.g., HSMs) or APIs.
> My own "lab" (such as it is) is a couple of *BSD/Linux cohosted
> installs and I use it mostly to do my own crypto and programming.
>>>>> "aj" == a j moran <a_j_moran@yahoo.co.uk> writes:
aj> Does the CISSP cover more general principles or go into
aj> platform specifics?
It's very general. A single test covers ten major topics, ranging
from encryption to business continuity planning. There are a number
of good study guides. I used Shon Harris' book.
Best wishes,
Matthew
I am just thinking that even if I don't have that many years of experience,
an IT guy should be bright enough to pass the exam without
attending the cram course...
Self-study is quite adequate, but one should have his mind flourished
by the best-practice idea to make it applicable in the workplace.
A good site covering CISSP materials which many should know is: http://www.cccure.org
Take some time to look at the references listed in it; they may be of
some help.
>>>>> "PC" == peterchoicm@gmail com <peterchoicm@gmail.com> writes:
PC> A good site covering CISSP materials which many should know
PC> is: http://www.cccure.org
Thanks for the link! Several colleagues were asking about CISSP study
materials. I will forward this resource to them.
Best wishes,
Matthew