Date: Tue Dec  6 03:35:18 2005
From: andre.ludwig at gmail.com (Andre Ludwig)
Subject: IT security professionals in demand in 2006

If you guys spent half the time you do crying about why *insert
certification i don't have here* blows monkey ass and just
took/studied for *insert cert i am playa hatin on here* you guys would
get paid evelenteen billion dollars more (oh and the free bikini girls
that come with the certs are awesome).

Remember guys not every hiring manager is n3td3v (or dare i say l33t3r
then h3?), soooo the masses need their idiot stamp of approval so that
the drooling PHB's can hire another body to warm/fill another pod/cube
 This way they (the PHB's) can fend off the next SOX auditor with said
new hires alphabet soup ninjah skills/ Kung FU.

One more thing

Alphabet soup != technical skill,

anyone worth a billionth of a damn knows that one.

/rant


/ had to throw another / in for the hell of it

Dre <---has a shiny idiot stamp of approval, wheres my decoder ring damnit!


On 12/5/05, sk <sk@...undzero-security.com> wrote:
> >Not everyone who gets involved in security gets there because it was the
> primary objective.  The implication I was trying to make was that some
> >people get pushed down the security road.  If they actually go down that
> road they will focus on practical security, and start to learn more, but it
> >takes something to push them down that road.
>
> well ok then they are in the security field, but it doesnt make them
> "professionals".
> not everyone with a CISSP is a professional and its simply to show off to
> bosses and people which arent familiar with the IT security filed.
> I'm into security since +11 years, i surely know what i am talking about.
>
> >Yes, I do.  At least to 19-21 year olds at community colleges.  I regularly
> speak to students about to head out into the field after taking courses to
> >learn about networking or information security courses to let them know
> what the real world is like.  I use the security guard analogy and it
> clarifies
> >alot of things.  Most of the people in these courses recognize the lack of
> respect for mall security guards they had only a few years earlier, and at
> the
> >same time the enhanced (generally speaking) respect a person has for
> someone driving an armored car.  It is not a perfect example, but as an
> >analogy it clarifies things fairly well.
>
> ok fair enough, but you talk on a list where people have tons of certs and
> are security professionals, so no need to be so basic.
>
> > I disagree with this.  Someone who is really interested in security who
> does not have experience in the field, or at least knowledge of business
> >process will do more harm than good.  At least to pass the CISSP you need
> to understand the basics of networking and some formalized
> >knowledge.  It is not a good cert, but there is a minimum 'you must have
> memorized at least this much' threshold to finish the exam.
>
> i'm not talking about a complete moron. i mean someone who already
> understands the ins and outs of a network and is familiar with
> administration,
> but then goes into the security field and keeps learning. he soon will be
> way more skilled as anyone with a CISSP.
> someone whos not familiar with different operating systems,administrating
> those and a fair understanding of networks wont be able to go far in the
> security field anyway...
>
> >Compare that to someone who has read a few papers on security and follows
> best practices (whose? why? etc).  Small businesses can't afford to
> >hire expensive consultants, but they deserve better than budding hackers to
> help them.  Furthermore, if there is an incident the business can be held
> >liable for, pointing at a CISSP and saying he helped set it up can go along
> way to proving that at the very least some due diligence was shown.
> >Pointing at timmy down the block who sets up wireless is not going to have
> the same value from a business perspective.
>
> sure this makes sense, but i was not talking about some kid in the basement,
> but an professional administrator or even better a programmer
> going into the security field out of interest. then again, as i said, a
> small company will outsource security.
>
> >In the real world this can cost as much as $1000 CAD an hour, for a cheap
> consultant.  Ongoing support is unrealistic for many businesses.
>
> i know its not like i work on the moon you know :P but i dont talk about
> constant support. a small company doesnt need that anyway.
> once in a while, maybe once a year have a real security audit of the
> network. with good administrators this is enough as if they are told whats
> wrong with
> the network in first place (i.e. when the company starts) and then taking
> the advices and work based on those, a small company should be fine
> if they keep updating their software (what they will be told most likely by
> the security team that does the audit). well but this isnt the topic really
> so nevermind.
>
> >I know of a few that go out of the way to only hire IT guys that have a
> security background.  But they are definately exceptions to the rule.
>
> yes, surely they do as some boss will obviously look at certs, but thats
> where we come to my original topic, those certs dont proove anything so
> the CEO may think he hired a good security consultant and feels save, but
> his trade secrets go out of the network all day unnoticed as the security
> guy
> has no idea whats really going on as most of them sit on their certs and
> think thats it, but without constantly learning your going nowhere.
> they spend all their working time on their high paid asses and brag on some
> forums or mailinglists on how skilled they are.
>
> >Real world information security is about risk.  It is an insurance policy.
> You spend $X,XXX in the hopes that an incident that costs $X,XXX,XXX won't
> >happen.  Until you convince business that ideal security (not perfect, as
> we agree perfect is impossible) should be the objective, not risk
> mitigation,
> >businesses will not improve spending.
>
> yes its about risk, but this 1,000,000 $ or more costs after a security
> breach only applies to very large networks. most of the time its just that
> expensive
> because companies have to hire expensive security professionals while the
> actual work wouldnt cost much at all.
>
> >To convince businesses that ideal security is better, we need to have
> legislation that holds business owners accountable for security failures
> that impact
> >individuals other than shareholders.
>
> most of the time you can only convince a CEO to pay more for security after
> they have been compromised, but thats life...
>
> >This is the unfortunate reality that security researchers and the talented
> security professionals live in.  This is not a world that hackers live in.
> Hackers
> >live in an academic world that lets them posit scenarios where SHA-1 breaks
> are a legitimate threat (it will be soon, but it is not a realistic or
> credible
> >threat *right now*).  Hackers, regardless of their motivations, live in a
> world where the only limits are their imagination, dedication, and
> willingness to
> >overcome ethical 'challenges' to gain access to facilities and resources
> they require to push the boundaries of security.
>
> well i agree somehow, but then again many many real hackers work in the
> professional security field and even sometimes hold such courses
> for certs as they know exactly that noone is a professional after such a
> cert, but they get paid for it well so why shouldnt they exploit that
> opportunity.
> i remember some text that vH from THC wrote "hackers go cooperate" or
> something ..might be a nice read for you :-)
>
> so well i just want to say that a security professional should be someone
> who is really professional and CISSP doesnt make you one.
>
> -sk
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

Powered by blists - more mailing lists