Matt Wallace wrote:
>
> I'm all for training, but anyone advising companies should make
> them aware that a lot of certifications aren't worth the paper
> they're printed on. After you meet enough CCNAs who ask, "Can
> you show me how to log into the router?" or MCSEs who
> don't know how to set a static route on an NT box, you start
> to realize you'd better have a better way of qualifying people.
> Furthermore, there are a number of certifications that are really
> worth LESS than the paper they're on. When I got my CCSE (the
> checkpoint cert), it was given merely for attendance. No knowledge,
> testing, or comprehension required. A false trust in certifications
> is a sure path to trouble. I know a number of people who view some
> certifications as a significant negative. By the same token, even
> the best engineers may list them just for the sake of the HR
> department. One tactic that can be recommended is to find a very
> highly respected, very observant security person with experience
> and good people skills, and hire them on contract to do your
> interviewing from a technical standpoint, if you don't already
> have one on-staff.
Surely, but we're talking about someone who wants to make sure his
department has "the best and brightest," and while it is certainly
true that not all certifications are created equal, there is a point
in favor of those who -have- a certification, which is that they -at
the least- have demonstrated an interest in building on their
learning.
I would certainly not say that one should -only- hire people with
certifications; for one thing, at that point I'd be cutting my own
throat in terms of future employment. (My only "certification" is
that I've been actively involved in learning about and implementing
security for the last ten years, and seriously involved in the last
three.)
But it is worth considering as one of the points in a hiring
procedure.
> In any event, I'd recommend putting as little stock in most
> certifications as you can stand. MOST people with CCIEs or
> CISSPs, in my experience, are going to be clueful, but definitely
> not so with many others. For the MCP, CCNA, and CCSE, a good
> indicator is how the bearer perceives the cert. A person with a
> CCNA who admits, "If you can't get a CCNA, you shouldn't be near
> a firewall," or someone who tells you right away, "Well, the CCSE
> certs were just given out for attending a 4-day class," is at least
> being honest about it. (And is shrewd enough to note that such
> paper really does NOT make the candidate.)
Again, certainly. It is up to the manager to know about which
certifications are meaningful and which might be no more than
paper. It is also up to the manager to know the right questions to
ask -- and up to the potential candidate to know the right answer to
the questions, including "I don't know, but I'll find out." All
other things being equal, I give a lot more attention to someone who
doesn't claim to know all the answers than to one who -does- so
claim -- and is wrong.
(One question I might ask, as a manager: "Tell me a little bit
about the CCSE program you took.")
As always in an interview process, there are no sure guides. And
there may be some embarrassment -- I went completely blank in an
interview recently and couldn't explain what "snoop" was. But a
good manager uses all the tools he or she has to evaluate a
potential employee, and one of those tools is the interest in the
field evidenced by a relevant certification.
-- LJM