Read the first four paragraphs of this:
Forget the rest, forget that it's about 'creative writing', just answer that question.
Bruce Schneier, among others (myself included), has asked questions like that. Are you 'paranoid' enough to be in the security business?
One of my colleagues, Rob Slade, yes *that* Rob Slade, when he is teaching in Toronto, usually asks me to come along to talk for an hour to his students about "The CISSP Experience".
The first thing I ask the class is if there are any active or ex-military or law enforcement people present. To date there never have been, and to be honest it leaves me with a bit of a "Bah Humbug!" feeling when the class is really a company stuffing its IT department through the course and exam "for the numbers". Rob has some cynical comments to add, but don't forget that for him it's a day's work and a day's pay.
I'm also hit on for a variety of reasons by kids (even postgraduates) who "want to break into" -- yes, that's the words they use, ironic isn't it? -- the security business. I suppose because the press makes it look more glamorous than just being a programmer or sysadmin. I keep telling them that it's experience that counts, not certifications; too many, especially those from Asia, seem to think that a certification is a badge that gets you work. Not so. Mind you, locally the recruiters can't seem to tell what makes InfoSec different from IT. But that's a subject for another time.
And hence the opening lines to Holly's blog.
No, Holly, you're not alone; many true security professionals, be it Infosec, military or law enforcement, think like that.
- What is the 'attack surface'?
- What are the potential threats? How to rate them?
- How can I position myself to minimise the effect of an attack?
- What is the 'recovery mode' (aka: line of retreat)?
If you can't do this, then you shouldn't be in "Security".
I was saddened to hear of an InfoSec colleague who met with overwhelming frustration at work:
After two years of dealing with such nonsense, I was forced to resign
within two months of discovering a serious security issue which possibly
jeopardized overseas operations. I have since found out that they are
selling the company and didn't want any who knew the problems around.
Speaking as an auditor who occasionally does "due diligence" with respect to take-overs, you've just shown another use for LinkedIn - contacting ex-employees to find out about such problems.
Certainly a lot of employees leaving or being fired in the couple of years before the pending acquisition is a red flag, eh?
A young colleague asked about the value of the CEH certification. Would it "Add Value" to his existing CISSP? The syllabus looked interesting to him and he wondered how prospective employers would view this.
This was my reply:
There are TEN domains to the CISSP's CBK. People come to security from
many walks of life and fields of endeavour and information security has
many facets beyond protecting networks and hosts from malicious attack.
There have been times in my career when the work covered by the CEH
would have been relevant, but back then neither the CEH nor the CISSP
existed. But even back then I realized that the real problem was not
the networks or the hosts or the system administrators.
Each decision you make, each certification and specialization you focus
on leads you down a career path. I've often criticised "reactive mode"
security. The same I'd apply to your career. Is this a proactive move?
Is there a career plan here? Where do you see yourself in five or ten
years? How long do you expect to be doing Pen Testing?
Many of us took the CISSP not as a learning exercise but to validate our
already existing skills and experience. You can read in the archives
tales of people at the seminars that pre-dated "boot camps" who wrote
the books that the exam questions were based on. I mention this
because of the way you have worded your question. Are you interested in
the CEH as a validation of your experience or do you expect the course
to teach you Pen Testing? If the latter, then I'd think again.
But ultimately it boils down to the issue of your career. Many of the
older members of this forum, and older CISSPs in general, have very
diverse backgrounds. There is an old joke about a PhD being a 'delta
function': you know more and more about less and less. Many career moves
are like that. I mention this because I, and others, feel there is a
point in a career where it is the width of experience, the 20-20
peripheral vision, the understanding of context, the ability to avoid
Errors of the Third Kind, that employers value.
Yes, it depends on your age - which you didn't mention - and other
factors. Context is, as I keep saying, everything.
Maybe one day I'll go back and finish my degree in Social Anthropology.
All in all I feel understanding people and the social dynamics of
organizations is more relevant to communicating and effecting the
changes needed to bring about good security practices. But that's me,
my context and my career objectives.
You need to make it clear what are yours before you can say whether a
CEH - or any other certification for that matter, is relevant to you.
As Robert Heinlein said:
A human being should be able to change a diaper, plan an invasion,
butcher a hog, conn a ship, design a building, write a sonnet, balance
accounts, build a wall, set a bone, comfort the dying, take orders, give
orders, cooperate, act alone, solve equations, analyze a new problem,
pitch manure, program a computer, cook a tasty meal, fight efficiently,
die gallantly. Specialization is for insects.
It seems that many people in HR don't realise that the interview is a two-way street. Not only are they trying to find out if the candidate is suitable, but the candidate wants to know about the position, the firm, the job and the people he will be working with. The most successful interviews are when both parties realise this and work accordingly.
Thirty-plus years ago the company I worked for out of university assumed that the hires were there for their career. As such they invested in them. Training for middle management and beyond began quite early.
One of the first things we got was interviewing skills, that is, DOING the interviewing. You might wonder why this was so early on. I was told that part of interviewing was determining if the candidate would fit in with the team. (How different from the attitude where hiring 'gurus' and 'whiz-kids' for their individual excellence is the only criterion.) Hence the candidate needed to meet the team, and so the team had to understand how to interview.
But today? How many companies invest in training in that strategic manner?
The last couple of decades have been ones where job-hopping is the norm, so why should a company invest in training someone who will shortly be gone? Most people look to their own training, hence the rise of the training companies.
Hence also the rise of evaluating applications by their training record, and in some cultures the attitude that training is a ticket and certification is a ticket to a job. Many of us have seen on other forums people posting
It's really hard, I've found, to convince people with this cultural background and set of assumptions that it's experience that counts.
I wonder if the same applies to HH/HR/screeners?
I ask because I'm one of those people who isn't good at classroom learning. I'm better off taking things apart and experimenting. In the classroom I'm a pest; I ask questions as my mind races ahead and goes "off on irrelevant tangents" -- which amount to next week's lesson! You're never going to see a long list of courses taken and certifications earned on any of my resumes.
I'm off doing the "I wonder what if ...". I think in terms of 'ability' rather than skills with specific pieces of equipment and software. I'm more like the guy in Asimov's short story "Profession".
Well, it takes all sorts.
It's one of those bootstrap problems: the new CISSPs who need to read the information can't get at the FAQ on how to sign up for the CISSPForum because they need to be members of the forum in order to read the instructions.
Yes, I know the information is at the (ISC)2 web site, but that's an incredibly difficult site to navigate.
Both sites are very rich, but very different in nature. Gary makes use of custom mind-maps to assist in navigation, whereas the Wiki allows registered members, CISSPs, to contribute.
The CISSP Forum at YahooGroups is very active. It is not a purely technical group, but an active support group for CISSPs. It handles well over 1,000 messages a month and is the kind of "social network" that some vendors would pay millions of dollars to own - if it wasn't a closed group that spurns advertising.
The astounding thing is that so few CISSPs know about it. (ISC)2 seems to make no effort to publicise it to people as they gain their certification.
If you are a CISSP, visit either of those two pages, or better still go directly to the (ISC)2 web page for registration - https://www.isc2.org/cgi/cissp_forum.cgi - and sign up.
I am currently available to offer InfoSec & GRC audit and consulting services through my company - System Integrity