In message <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
writes:
Nice to see you're still alive and kicking, Mark.
[XYZZY trivia snipped]
<Joining Mark's rant on the poor state of the affairs in IT security>
>It's great to earn all that certification, but what is being glossed over
>at every single organization offering their certification shingle is the
>history from which one can then deduce why Internet security is in the shape it
>is.
IMHO, the IT organizations should take it upon themselves to teach their
employees the history of security issues since the early '60s. And even if
the organizations offering the certifications did teach people the history of IT
and non-IT security, we'd still have the majority of the Joe Average type of
people who would memorize the text but not understand it.
Most people don't go for independent certifications but rather get
vendor-specific ones, as those normally yield higher salaries.
I still remember a company stating that if one gets a CCIE cert they get a
$15,000 raise straight away. From the discussion on the CISSP forum a couple
of months ago there was a general conclusion that the CISSP cert doesn't
normally yield such a pay raise, if any.
Sadly, what one could learn from history is that people don't
want the maximum security they could get. It either costs too much (IIRC,
Digital dropped their A1 project soon after it was finished because there
was no profit in it) or it doesn't provide all the bells and whistles
that people expect nowadays from computers.
Suppose organizations decided to teach the history of IT security:
What history could teach us is that we took the wrong approach with
regard to usability and convenience. Instead of a modular approach of many
easy-to-understand parts of a system that all communicate with each other
according to the rules we have set up, we ended up with monolithic systems
where no one part is easily distinguishable from any other part and the
whole thing is rapidly approaching the "white man's magic" state. Clarke's
Third Law, anyone?
Something like that is still in conflict with reality in today's IT world
and thus can't fly just yet.
> That is the difference between a good honest to goodness security type
>person versus the Joe Blow/Jane Blow who just passed all the SANS
>certifications, and is now advertising themselves as "Hi, I am so and so,
>and I will be your security expert today".. Understanding why Internet
>security is in the sad shape it's in, and producing solutions or working
>with vendors in producing less than sloppy code. There should be no reason
>why buffer overflows still exist, but they do.
In other words, the good honest to goodness security type person groks
security issues, while Mr. and Mrs. Blow usually sound like commercials
for this or that vendor's products.
[Willy Wonka song as performed by Marylin Manson snipped]
>It is a world where security professionals learn perils of greed when they
>work for eccentric organizations throughout their career..
Given enough time and proper conditions to grow, all IT organizations
develop eccentricity. :)
<End rant>
Cheers,
Saso
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]