Thursday, November 17, 2005


Thoughts on IT Security Professionals

Over the weekend, I spent some time reading Security Monkey's blog as I wanted to understand why he has so many readers even though he doesn't post anything advanced in terms of information protection. He is the motivation for today's blog entry on the correct way to hire security professionals...

The notion of information protection is growing in corporate America, as the media coverage of breaches in security related to identity, relational databases and other application level attacks has companies in a tailspin. The need for security services is at its peak, and this intense market pressure is creating a lot of instant “experts” with an impressive list of certifications but little practical experience in the down-and-dirty art of securing a network.

It seems as if many small companies that hire security professionals are desperate to hire anyone who even remotely knows the bare basics of security in order to solve problems with viruses, malware and spam which have already been mastered by large enterprises. Small companies are incapable of making realistic assessments of the insultants that sell them services. I wonder how many of these small companies demand concrete proof of competency.

Proof of competency is not a CISSP certification or any certification endorsed by software vendors (NOTE: I have over seventeen and still can't find my way to the bathroom). Certifications are indicators of a general grasp of the concepts and nomenclature of information protection. That's the best one could hope for. The worst case is that they are useless and can cause trust to be placed where it shouldn't.

The purpose of most certifications is to produce income for the certifying body. Certifications are primarily tools used by insultancies, as the logo carries weight in marketing gigs. Certifications, or the lack of them, are also not indicators of incompetence. It takes someone special from the CISSP community to advise enterprises that they shouldn't focus on the acronym after one's name. Maybe the way you can tell if the insultant is worth their salt is whether they point out the ethical disconnect to folks in Human Resources that certifications don't exist to make their jobs easier.

Maybe folks such as SecurityMonkey are onto something. Maybe I should take the lead in developing a certification for Enterprise Architects who want to get promoted. Maybe I could convince every HR person I run into to demand that a certification in whatever I derive is of immense value and that they should pay an additional $25K signing bonus to whomever possesses it. Of course, I will base the exam 100% on the contents of the book: A Practical Guide to Enterprise Architecture...

If you have read this blog and think that I am saying negative things about SecurityMonkey, nothing could be further from the truth. I do question the intelligence quotients of his loyal followers, who seem to let him get away with consulting on kindergartner-level security issues, regurgitating security news commonly found in other places, and not providing him with a challenge. Maybe his readers deserve exactly what they receive...
