> I'm a touch ambivalent about the certification thing. On the one hand it can
> be a pain (and one more damn course to take), on the other hand I can
> understand how external non-expert regulatory regimes could desire reasonable
> assurance that the folks doing the work are qualified.

Be that as it may, the data rather clearly suggests certification in the
security realm is (very) badly correlated with qualification.

> As it stands it is a [sic] "the prime contractor needs the cert" thing, so
> everyone under that person/organization would not require it. It would
> depend to some extent how onerous getting the cert is to tell how it might
> shape contracting relationships. In any case, it wouldn't hurt for everyone
> to get the cert if at all possible.

Ah. You're seeing the cert as a test that can be objectively passed. But
there's nothing that requires that. It's more a state that must be
subjectively granted. If the certification authority doesn't like you, you
don't work -- no matter how qualified, no matter how much certain people would
like to hire you.

Don't think "well, it's only the prime that needs to sign" protects you --
that just means the stakes on getting you fired quick are much higher.

Bottom line: What if the only people allowed to do security work were CISSPs?
(Yes, this applies to government systems and critical infrastructure, for
now. But you know, that latter part isn't well defined either. Is Linux
critical infrastructure?)

--Dan

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
