A piece about security certifications caught my eye this morning. Now, I'm not a huge fan of certifications or anything (notice how there are no letters after my name), but what bothers me about this article is the fact that there is plenty of discussion about what makes a good "security pro" but absolutely no discussion about requirements for what the "pro" needs to *do* for the company hiring them. It's the same attitude taken when bringing a product in without considering the business requirements. What do I mean by this? I mean that just as there are no "good products" without asking "good for what", there is no such thing as a "good security pro" without asking "good at what".
For example, Joel Snyder says that to be a security pro, "You need to be comfortable driving the big three firewalls from Cisco, Check Point and Juniper." Oh yeah? I do? I've been doing security for a decade, and I've never seen a PIX console in my life; I'm sure it's all impressive and stuff, but it's just never come up in the course of doing my job. Same with Firewall One and whatever the hell Juniper's firewall is called. And driving it? I've just as much clue how to drive that as I do an ocean liner. Do I have to know how firewalls work if I'm going to work with cryptography, forensics, auditing, penetration testing, application security, etc., etc.? Joel seems to think so. Maybe I'm just jealous of the folks like Joel with the 'r3e7 (|-|3cKp01n7 sKil1z, but it seems to me that there's more to working in security than just working with firewalls.
Posted by Ed at August 25, 2005 09:46 AM