#1 docrice (Random Member; joined Apr 2010; Bay Area, CA; 1,687 posts)
Certifications: GSEC, GCFW, GCIA, GCIH, GWAPT, GAWN, GPEN, GCFE, GCFA, GMON, OSWP, SFCP, SnortCP, Sec+; expired: CCNA (R&S, Security, Wireless), WCNA

2011 (ISC)² Global Information Security Workforce Study

    This report comes from a certification-related organization, so take it as you will.

    https://www.isc2.org/uploadedFiles/I...11_MLW_Web.pdf

#2 JDMurray (Certification Invigilator, Forum Admin; joined Jul 2003; Surf City USA; 10,596 posts; 50 blog entries)
Certifications: GSEC, EnCE, CISSP, SSCP, CEH (ANSI), CASP, CCNA, CCENT, CWSP, CWNA, CWTS, Security+, Server+, Network+, A+, DHTI+, PDI+, MSIT InfoSec

    A study sponsored by the National Coffee Marketing board finds that drinking coffee (seems to) cure baldness.

    A study sponsored by the Very Big Chocolate Company of America finds that eating chocolate every day fights tooth decay.

A study sponsored by PepsCokInc finds that 4 out of 5 people surveyed prefer High Fructose Corn Syrup be fed to them intravenously.

A study sponsored by Polyester Manufacturers Unlimited finds that most people who die in automobile accidents are, in fact, wearing clothes made mostly of cotton.

    But seriously...

    Shouldn't the outlook for employment as a security professional be rather bleak if we were actually doing a good job of designing, implementing, and maintaining effective security policies, processes, and technologies?
    Moderator of the InfoSec, CWNP, IT Jobs, Virtualization, Java, and Microsoft Developers forums at www.techexams.net
    --
    Blog: www.techexams.net/blogs/jdmurray
    LinkedIn: www.linkedin.com/in/jamesdmurray
    Twitter: www.twitter.com/jdmurray

#3 cisco_certs (NOC Ninja; joined Nov 2010; 119 posts)
It's amazing how much CISSPs are getting paid.


    RANT warning!

The sad thing is most people in security don't even have the slightest idea how a network works and don't even have security certs at all.

It's funny how all most of the "security" guys that I know do is scan the system with third-party software that they don't even really understand and do risk assessments. They don't even know how to set up and configure IDS/IPS. Also, they don't know what to do when getting attacked. They don't even know how to check logs on switches and routers.

#4 docrice
Really? Is this issue with the majority of (seemingly incompetent and well-paid) CISSPs a common thing in the industry? I'm not asking this rhetorically since I had the impression that most CISSPs were generally very capable in their line of work. I'm planning on attempting that exam this year mainly because it seems to be the common denominator HR requirement for most security-related positions, but it's also an exam that I'm lacking motivation for since 1) it's not as technically-oriented compared to the rest of the ones I've done and 2) if an exam requires me to go beyond three hours, my attention span drops off quickly and failure potential increases exponentially.

    I've known one CISSP in my company that I knew from a distance but didn't have a lot of confidence in, and I've interviewed a CISSP years ago for a position my company had open and I didn't get a good feeling about his abilities. Other than that, I surmised that most CISSPs deserve their keep.

    Or are you just referring to infosec workers in general?

#5 Senior Member (joined Apr 2009; 5,015 posts)
Originally posted by cisco_certs:
It's funny how all most of the "security" guys that I know do is scan the system with third-party software that they don't even really understand and do risk assessments. They don't even know how to set up and configure IDS/IPS. Also, they don't know what to do when getting attacked. They don't even know how to check logs on switches and routers.

Our company recently went through an audit. I laughed at the CISSP who had not heard of a host-based intrusion detection system. I have only met a few, but every CISSP I have met has been super cocky and less than impressive.

#6 cisco_certs
I think the issue here is HR or security in general doesn't know what the CISSP really is for. Like everybody says, the CISSP is as wide as the sea and only a few inches deep. Also, the majority of CISSPs say that it's more for management rather than being technical.

I don't know, maybe it's the ISC marketing, maybe it's the company that doesn't really know shi* about security and networks.


My point is if you are a CISSP or work in "security", you should have an in-depth understanding of the network. Most guys that are in a security position don't know what to do when the network is being attacked, don't know how to set up and configure IDS/IPS, don't know how to secure switches/routers, don't know how to create an ACL, don't know how to check logs, etc.

I'm not saying infosec in general, but the infosec people I bumped into are sadly like this.

The question is "How can these guys protect/secure a network if they don't know the network or don't know how to hack?"

I believe a person should have the knowledge of how to hack a network to be able to defend a network.

No wonder companies/corporations/gov't get hacked/attacked easily. Don't get me wrong, I'm not bashing CISSP. I'm planning to take the CISSP sometime next year.

#7 docrice
    I think it's the classic misinterpretation on what a particular certification represents, similar to the "CCNA" brand and how HR and some hiring managers think it's something more than it really is. Unfortunately, you'll get the HR / recruiter types recognizing that over a CCNP. Or a better example in the security space would be accepting a Security+ while dismissing / downplaying the GSEC / GCIA / [fill in your favorite trophy cert]. It's just the nature of the game.

    It'll take a while for companies to start recognizing the CCNP Security, like how many are still looking for MCSE and not MCITP. There are too many certifications and related tiers for managers to really make sense of them.

    But hey, DoD 8570 puts the CISSP in the Tech III bracket so I can understand why many would assume it's technical. To be honest, I've gone through the CISSP materials and while I can appreciate the knowledge it imparts, I don't see myself needing to be intimately familiar with concepts like the Clark-Wilson or Bell-LaPadula models at my day job. I only want the cert for the potential paycheck increase, although I'd hate to admit that.

#8 JDMurray
Originally posted by docrice:
I don't see myself needing to be intimately familiar with concepts like the Clark-Wilson or Bell-LaPadula models at my day job. I only want the cert for the potential paycheck increase, although I'd hate to admit that.

This falls dangerously close to the thinking of people in college who are only looking for a degree to get a better job, and complain about having to take classes they see as non-essential, such as history, literature, and most electives. School is meant to broaden your ability to understand what has come before and to see what may come (opportunities) in the future. This requires learning a lot of things that you won't take the time to learn once you are out of school.

The information in the CBK domains also contains a lot of things you won't take the time to learn after you have passed the exam(s). Having attained these certs allows InfoSec professionals to demonstrate their knowledge and understanding of a wide range of InfoSec topics, including the history of how InfoSec has evolved. The assumption is that the best employers to work for will want this kind of knowledge and background in their best (that is, difficult to replace) employees. Otherwise, employers will just go to the local security tech trade school and hire less-capable people who have been trained only to perform a few specific jobs (that is, people who are easily replaceable).

#9 docrice
Originally posted by JDMurray:
This falls dangerously close to the thinking of people in college who are only looking for a degree to get a better job, and complain about having to take classes they see as non-essential, such as history, literature, and most electives. School is meant to broaden your ability to understand what has come before and to see what may come (opportunities) in the future. This requires learning a lot of things that you won't take the time to learn once you are out of school.

Yes, I do agree with this. Don't get me wrong, in the long term I can appreciate the knowledge, and in some ways I found the CBK topics interesting since they provide context for what I do. What I meant to convey was that from a daily hands-on perspective in my current job, it's not always immediately relevant from an operational must-know perspective (although everything is relevant to some degree), and my efforts to catch up to other people's technical abilities are causing me impatience. Every time I take another course or read the daily news I feel way behind, and sometimes it just seems like job descriptions list the CISSP because HR knows that's what's popular without taking specific skill sets into account.

    Or maybe I'm just ranting because I'm a slow learner. Probably the latter.

#10 Junior Member (joined Mar 2010; 29 posts)
Originally posted by docrice:
I think it's the classic misinterpretation on what a particular certification represents, similar to the "CCNA" brand and how HR and some hiring managers think it's something more than it really is. Unfortunately, you'll get the HR / recruiter types recognizing that over a CCNP. Or a better example in the security space would be accepting a Security+ while dismissing / downplaying the GSEC / GCIA / [fill in your favorite trophy cert]. It's just the nature of the game.

    It'll take a while for companies to start recognizing the CCNP Security, like how many are still looking for MCSE and not MCITP. There are too many certifications and related tiers for managers to really make sense of them.

    But hey, DoD 8570 puts the CISSP in the Tech III bracket so I can understand why many would assume it's technical. To be honest, I've gone through the CISSP materials and while I can appreciate the knowledge it imparts, I don't see myself needing to be intimately familiar with concepts like the Clark-Wilson or Bell-LaPadula models at my day job. I only want the cert for the potential paycheck increase, although I'd hate to admit that.

Let's understand that InfoSec (IA or whatever you want to call it) is a big field. I deal with crypto systems, key management, etc., and not with "networks", so knowing Bell-LaPadula, Biba, and other security models is immensely helpful to me. I agree, however, that DoD 8570 is screwed up and the CISSP shouldn't be a Tech III cert.