[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] IT security professionals in demand in 2006



The certs get you in the door

Being crappy at your job and showcasing your shortcomings will show you out the door.

sk wrote:
Not everyone who gets involved in security gets there because it was the

primary objective. The implication I was trying to make was that some

people get pushed down the security road. If they actually go down that

road they will focus on practical security, and start to learn more, but it

takes something to push them down that road.


well ok then they are in the security field, but it doesnt make them
"professionals".
not everyone with a CISSP is a professional and its simply to show off to
bosses and people which arent familiar with the IT security filed.
I'm into security since +11 years, i surely know what i am talking about.


Yes, I do. At least to 19-21 year olds at community colleges. I regularly

speak to students about to head out into the field after taking courses to

learn about networking or information security courses to let them know

what the real world is like. I use the security guard analogy and it clarifies

alot of things. Most of the people in these courses recognize the lack of

respect for mall security guards they had only a few years earlier, and at the

same time the enhanced (generally speaking) respect a person has for

someone driving an armored car. It is not a perfect example, but as an

analogy it clarifies things fairly well.


ok fair enough, but you talk on a list where people have tons of certs and
are security professionals, so no need to be so basic.


I disagree with this. Someone who is really interested in security who

does not have experience in the field, or at least knowledge of business

process will do more harm than good. At least to pass the CISSP you need

to understand the basics of networking and some formalized

knowledge. It is not a good cert, but there is a minimum 'you must have

memorized at least this much' threshold to finish the exam.

i'm not talking about a complete moron. i mean someone who already
understands the ins and outs of a network and is familiar with
administration,
but then goes into the security field and keeps learning. he soon will be
way more skilled as anyone with a CISSP.
someone whos not familiar with different operating systems,administrating
those and a fair understanding of networks wont be able to go far in the
security field anyway...


Compare that to someone who has read a few papers on security and follows

best practices (whose? why? etc). Small businesses can't afford to

hire expensive consultants, but they deserve better than budding hackers to

help them. Furthermore, if there is an incident the business can be held

liable for, pointing at a CISSP and saying he helped set it up can go along

way to proving that at the very least some due diligence was shown.

Pointing at timmy down the block who sets up wireless is not going to have

the same value from a business perspective.

sure this makes sense, but i was not talking about some kid in the basement,
but an professional administrator or even better a programmer
going into the security field out of interest. then again, as i said, a
small company will outsource security.


In the real world this can cost as much as $1000 CAD an hour, for a cheap

consultant. Ongoing support is unrealistic for many businesses.

i know its not like i work on the moon you know :P but i dont talk about
constant support. a small company doesnt need that anyway.
once in a while, maybe once a year have a real security audit of the
network. with good administrators this is enough as if they are told whats
wrong with
the network in first place (i.e. when the company starts) and then taking
the advices and work based on those, a small company should be fine
if they keep updating their software (what they will be told most likely by
the security team that does the audit). well but this isnt the topic really
so nevermind.


I know of a few that go out of the way to only hire IT guys that have a

security background. But they are definately exceptions to the rule.

yes, surely they do as some boss will obviously look at certs, but thats
where we come to my original topic, those certs dont proove anything so
the CEO may think he hired a good security consultant and feels save, but
his trade secrets go out of the network all day unnoticed as the security
guy
has no idea whats really going on as most of them sit on their certs and
think thats it, but without constantly learning your going nowhere.
they spend all their working time on their high paid asses and brag on some
forums or mailinglists on how skilled they are.


Real world information security is about risk. It is an insurance policy.

You spend $X,XXX in the hopes that an incident that costs $X,XXX,XXX won't

happen. Until you convince business that ideal security (not perfect, as

we agree perfect is impossible) should be the objective, not risk mitigation,

businesses will not improve spending.


yes its about risk, but this 1,000,000 $ or more costs after a security
breach only applies to very large networks. most of the time its just that
expensive
because companies have to hire expensive security professionals while the
actual work wouldnt cost much at all.


To convince businesses that ideal security is better, we need to have

legislation that holds business owners accountable for security failures that impact

individuals other than shareholders.


most of the time you can only convince a CEO to pay more for security after
they have been compromised, but thats life...


This is the unfortunate reality that security researchers and the talented

security professionals live in. This is not a world that hackers live in. Hackers

live in an academic world that lets them posit scenarios where SHA-1 breaks

are a legitimate threat (it will be soon, but it is not a realistic or credible

threat *right now*). Hackers, regardless of their motivations, live in a

world where the only limits are their imagination, dedication, and willingness to

overcome ethical 'challenges' to gain access to facilities and resources

they require to push the boundaries of security.

well i agree somehow, but then again many many real hackers work in the
professional security field and even sometimes hold such courses
for certs as they know exactly that noone is a professional after such a
cert, but they get paid for it well so why shouldnt they exploit that
opportunity.
i remember some text that vH from THC wrote "hackers go cooperate" or
something ..might be a nice read for you :-)

so well i just want to say that a security professional should be someone
who is really professional and CISSP doesnt make you one.

-sk

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/