Bravo Michael for your comments.
This also I believe can be called the Degreed V Non-degreed syndrome you
find in a majority of companies.
Renee Lee
-----Original Message-----
From: Michael H. Warfield [mailto:[EMAIL PROTECTED]]
Sent: Thursday, April 06, 2000 9:49 PM
To: Loren MacGregor
Cc: Matt Wallace; Firewalls
Subject: Re: Qualifications
This is going to be a bit longish but will be my only post
to this thread...
On Thu, Apr 06, 2000 at 07:15:57PM -0700, Loren MacGregor wrote:
> Matt Wallace wrote:
> > I'm all for training, but anyone advising companies should make
> > them aware that a lot of certifications aren't worth the paper
> > they're printed on. After you meet enough CCNAs who ask, "Can
> > you show me how to log into the router?" or MCSEs who
> > don't know how to set a static route on an NT box, you start
> > to realize you'd better have a better way of qualifying people.
> > Furthermore, there are a number of certifications that are really
> > worth LESS than the paper they're on. When I got my CCSE (the
> > checkpoint cert), it was given merely for attendance. No knowledge,
> > testing, or comprehension required. A false trust in certifications
> > is a sure path to trouble. I know a number of people who view some
> > certifications as a significant negative. By the same token, even
> > the best engineers may list them just for the sake of the HR
> > department. One tactic that can be recommended is to find a very
> > highly respected, very observant security person with experience
> > and good people skills, and hire them on contract to do your
> > interviewing from a technical standpoint, if you don't already
> > have one on-staff.
> Surely, but we're talking about someone who wants to make sure his
> department has "the best and brightest," and while it is certainly
> true that not all certifications are created equal, there is a point
> in favor of those who -have- a certification, which is that they -at
> the least- have demonstrated an interest in building on their
> learning.
Yes... And no...
I was asked by someone (a recruitment / training specialist) what
I thought about certifications. I told him that in interviewing applicants
that I would not hold it (the certification) against the applicant IF they
didn't make too much about it.
He looked at me strange and I explained... If an applicant comes
to me claiming that they are qualified BECAUSE they are CERTIFIED then
they most certainly are not QUALIFIED at all. If certification is their
"main claim to fame" they are out of there. If they demonstrate their
qualification, irrespective of their "certification" then the certification
is a respectable "accomplishment" and may well weigh in their favor against
someone else of equal qualification (outside of the certification). In
other words, certification is not qualification. Qualification must be
achieved first and then certification may be considered a plus. Without
qualification, certification is considered a "negative". Those who consider
certification equivalent to qualification are disqualified tautologically.
There are those who demonstrate an interest in building ON TOP OF
their learning by achieving certification, and those people are good. There
are also those who believe that achieving certification is all the learning
they need. Those people are BAD. I wish I could say authoritatively which
ones out-number the others. I suspect that it depends greatly on the
certification programs (there is a reason MCSE is commonly referred to by
some as "Minesweeper Consultant and Solitaire Expert"). Unfortunately, I'm
afraid that too many certification programs that started out good
degenerated into the bad outnumbering the good through no fault of their
own.
I don't generally blame the certification programs for this. Once
people figure out that there is some intrinsic "value" to some certification,
they figure out some way to obtain them or to make money off of them (diploma
mills). People who accept these certifications, uncritically, compound the
problem when the "certified" individuals are not as valuable as the
certificate should indicate. That lets the cycle continue. If employers
examined applicants critically outside of the certification, it would be
less valuable for people to become mere acquirers of certificates.
> I would certainly not say that one should -only- hire people with
> certifications; for one thing, at that point I'd be cutting my own
> throat in terms of future employment. (My only "certification" is
> that I've been actively involved in learning about and implementing
> security for the last ten years, and seriously involved in the last
> three.)
> But it is worth considering as one of the points in a hiring
> procedure.
Only after all other qualifications are met.
I will take an uncertified person who demonstrates the skills
and knowledge that I am looking for over a certified person who is relying
on the certification as his credentials, any day. In fact, I'll keep
looking if all I get in are "certs".
In terms of training... Taking an employee and training him and
getting him certified is a good thing. Hiring someone new off the street
just because they are certified is a fool's qualification. You know the
former and want them to improve. You don't know the latter and have forgotten
Hobson's lament - "All the good ones are taken".
> > In any event, I'd recommend putting as little stock in most
> > certifications as you can stand. MOST people with CCIEs or
> > CISSPs, in my experience, are going to be clueful, but definitely
> > not so with many others. For the MCP, CCNA, and CCSE, a good
> > indicator is how the bearer perceives the cert. A person with a
> > CCNA who admits, "If you can't get a CCNA, you shouldn't be near
> > a firewall," or someone who tells you right away, "Well, the CCSE
> > certs were just given out for attending a 4-day class," is at least
> > being honest about it. (And is shrewd enough to note that such
> > paper really does NOT make the candidate.)
> Again, certainly. It is up to the manager to know about which
> certifications are meaningful and which might be no more than
> paper. It is also up to the manager to know the right questions to
> ask -- and up to the potential candidate to know the right answer to
> the questions, including "I don't know, but I'll find out." All
> other things being equal, I give a lot more attention to someone who
> doesn't claim to know all the answers than to one who -does- so
> claim -- and is wrong.
There is a difference, and a very fundamental one, between
getting an employee trained and certified and hiring someone. The
former is adding an accomplishment. The latter risks equating
a dubious accomplishment with qualification. Tread carefully and
understand the difference.
> (One question I might ask, as a manager: "Tell me a little bit
> about the CCSE program you took.")
> As always in an interview process, there are no sure guides. And
> there may be some embarrassment -- I went completely blank in an
> interview recently and couldn't explain what "snoop" was. But a
> good manager uses all the tools he or she has to evaluate a
> potential employee, and one of those tools is the interest in the
> field evidenced by a relevant certification.
> -- LJM
Mike
--
Michael H. Warfield | (770) 985-6132 | [EMAIL PROTECTED]
(The Mad Wizard) | (770) 331-2437 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]