Message-ID: <42450864.5080308@psilanthropy.org>
Date: Sat Mar 26 06:59:55 2005
From: hades at psilanthropy.org (Anders Langworthy)
Subject: [OT] CISSP Test
SecurityLSI wrote:
> I wholeheartedly agree that there needs to be an industry benchmark,
> something that says you cannot operate in this field unless you have passed
> x. I'm thinking along the lines of something similar to the Bar exam that
> lawyers have to take, or perhaps a license like what doctors are required to
> obtain before being able to practice. I fear it's going to take something of
> that level to truly separate the chaff from the wheat. Anything less and you
> only end up with braindumps and bootcampers throwing resume after resume at
> you.
>
There is an important distinction between something like the Bar, and
medical licensure. The InfoSec equivalent of the legal Bar would be
impossible to implement, because unlike a courtroom, a network is not
under regulated control. If you wish to practice law, you must do it in
a government-controlled courtroom*, and that government says that you
must pass the Bar before doing so.

My network, on the other hand--like my body--belongs to me. Nobody has
the right to tell me who I can and cannot hire to work on them. In the
same way, I could pay somebody off the street to perform surgery on me
if I wished. I wouldn't recommend it, and they wouldn't be a licensed
doctor, but nobody can stop me.

So what difference does it make if we add another benchmark/"cert"? We
already have plenty. Even if it were possible, would we really want to
grant absolute power to something like the medical AMA?

* Judge Judy doesn't count.
--
Anders