22 February 2013

Experts say DoD cyber workers undertrained

Original article is HERE

In the words of Gomer Pyle - "Sur-pise, sur-pise, sur-pise!"
In other words, "you reap what you sow".

That really is the bottom line here.  Maybe not so much in the private sector where the “mission” is usually the same from day to day – give or take a bit.  If a company is in the business of making widgets, they’ll most likely be making widgets for the foreseeable future and very little changes – inside and out.

That is a very important distinction from government where the “mission” or “threat” changes every day even though the overarching mission may stay the same.  It’s usually ALL about putting out fires, and damned be the consequences – just get it done.

For years now, I and many other IT/IS professionals have claimed that experience is the only true measure.  Unfortunately, HR (human resources) types and the like have shoved the “certification” and “education” mantra down the throats of information security professionals, and many are buying what is being sold.

As a result, you end up with a bunch of “over educated” and “over certified” do-nothings that have little to no field experience, oftentimes performing some type of "oops" resume-generating event. Yes, I am aware of the chicken-and-egg scenario.  I believe that experience can be had outside the workplace as well as in the workplace.

But you can't really completely blame the inexperienced button pusher for wanting to learn or to do better.  Good people want to learn, gain experience and impress the "boss" with their skills.

Personally, I will take the field experienced person WITHOUT any “official” education whatsoever.  I know several absolutely brilliant individuals in the IT/IS field that have (until recently forced) nothing to “prove” that they can perform their mission – except proven experiences.

Here’s a Duh moment for those believing that certifications, degrees and constantly changing specialized frameworks are the complete answer to our information security woes…
Chinese hackers. Does anyone really believe that thousands of Chinese hackers have their CISSP/CCNA/MCSE, etc., etc.?
I would suggest that most, if not all, rely on experience – and they are winning, no FUD here.

HR, politicians, attorneys and the like (i.e. Gov’t) fail to understand (or care) about the critical importance of hands-on, in-the-trenches experience. Even though the US armed forces live by FTXs (field training exercises) and always reinforce everything with hands-on training, they fail miserably when doing the same in the IT/IS fields - more so gov't than armed forces.

For every certification or training that I have attended, I have always asked, “why not more/any hands-on?”
Or better yet, why can’t we have a complete virtual environment where we can “break” things and see the cause and effect, so that we may defend against or fix the issues?
The answers have been that it costs too much, or that “we aren’t permitted to do that”, or some other bureaucratic answer that makes absolutely no sense at all. I realize that some trainings are beginning to incorporate this process – finally.

Although I believe ISC2 and associations similar to them do a better job than most, I also know that a very large portion of the training companies are simply “garbage in – garbage out” at the lowest cost possible.
Let’s face it; it’s all about profit and competitive market analysis studies.  Much of it has very little to do with real learning, and in the end it all comes down to getting past OCR resume readers – thanks, ignorance.

Maybe if we were to just ask a few more certifying bodies, so called experts or PhDs how to “fix” the problem?
Meanwhile, we could spend another decade chasing our tails until we really are too far in the hole to do anything constructive.  Or maybe the politicians can just hurry and push through some garbage legislation that will surely fix all the issues – because that always works.

Maybe I shouldn’t allow this to frustrate me so much, but I really have noticed a significant degradation over the past couple of decades and it seems to be getting worse by the month - especially in and about the government sectors.

General thoughts and potential fixes:
  • Complete revamp of certification processes to include (during or additionally) real world scenarios.  We have enough examples to use from real world breaches and honeypots.
  • CCIE has an exam and lab side to the certification, why not others?  No more paper tigers!
  • Enough of the certification whore process. Companies & government must understand that a jack of all trades is a master of none – including myself at times.
  • More “real” competition with regard to price vs. deliverables of certifications, instead of "hey, what are they charging? That's what we should be charging."
  • How about NPO (non-profit orgs) training facilities that everyone can use?  Does the US really want to be globally competitive and secure or is that just lip service?
  • Transparency and reality - $6000.00 for a certification class and 20% pass rate because the vendor changed the test – come on!  Oh, I can re-sit the class for free - gee thanks!  Teach the material, not the test.