Re: FYI: CISSP Certification?

Gene Spafford (spaf@cs.purdue.edu)
Fri, 28 Oct 1994 11:48:45 -0500

I'll just make one personal observation about the IISSCC certification
process. 

When they started up the program, and announced the "grandfathering"
scheme, I checked it out.  I found that if someone like John Draper
(the original "Captain Crunch") or Kevin Mitnick were to apply under
the grandfathering, they would probably meet all the requirements.
Unless someone questioned their backgrounds, they would probably meet
the requirements.  If they pass the test being devised now, they could
probably also meet the necessary requirements.  Several of the
long-time "black hats" who have not been publicly exposed and
convicted could also meet the requirements if they have been working
as "security consultants" and say they adhere to the code of ethics.
There is no "vetting" process to weed these people out.

On the other hand, I would not qualify for certification.  This is
despite the fact that I write books and articles on security, direct
research, produce security tools in wide-spread use, work with
response teams and law enforcement agencies, and consult worldwide on
the management of computer security.  The way the requirements read,
my experience doesn't count.  Yet, I don't know of anyone who would
consider me to NOT be a "security professional."

In all fairness, I don't know if the requirements for certification
have changed in the 18 months or so since I looked at them -- the
program is still being ramped up.  However, given the above, I would
place little value on the presence or absence of CISSP on someone's
resume.

--spaf