Wednesday, June 18, 2008
Is it a bad thing that there are no IT security generalists?
I am project leader for the OWASP Certification Project where the goal is to provide credible certification for software security professionals that is language agnostic and provides an effective measure of a security professionals practical abilities.
As an Enterprise Architect, I understand the importance of the ability for a security professional to articulate risk to IT and business executives, yet I am also equally passionate that security professionals should also have the capability to sit down at a keyboard and actually do something as opposed to just talking about. In order to accomplish this goal, it requires one to not only understand how the most popular security exam is deficient (CISSP) but to figure out how to make one with more depth, integrity and completeness.
The CISSP exam requires folks to understand physical security, cryptographic algorithms, network security and even civil law in the same exam. I wonder if being a mile-wide and an inch deep is serving the needs of business and the duty to protect or causing it harm.
Security is more than just taking overly simplistic exams and the testing of one's ability to memorize obscure facts. The funny thing is that many of the participants in OWASP are considered some of the best security professionals on the planet, yet very few even made the effort of becoming a CISSP. In my own career, I have achieved over seventeen different certifications, so don't get it twisted to think that I fear exams. I do however fear that the trend of IT security is following the worst practices of the past when IT managers used to require new employees to become MCSEs which translated into a lot of folks having book-level understanding of security and not practical abilities.
I am savage in the belief of the principle of show me the money. If you are a skilled penetration tester, can write secure code and can reverse engineer software, you are worth more than any CISSP. For those who embrace the mental disorder of hybridism and distillation, balance between these two are needed where true IT security professionals understand both not just one over another...
Links to this post: