By Denny Roger

Every day I receive emails asking about information security courses and certifications. My answers, by email or during a lecture, are always controversial, especially when I am speaking at a university. Let’s understand what really happens.

I was talking with two colleagues about how to get a good job. One of the issues discussed was how an interviewer can evaluate your knowledge. The issue came up because many professionals hold positions in information security without having what it takes to perform the function. The fault lies not with the professional performing the function, but with the person who hired the “professional”.

The person doing the recruiting does not have the knowledge needed to evaluate a professional’s profile. This happens all over the world. Instead, the employer evaluates the candidate’s knowledge through references and certifications.

First of all, references do not work, because the candidate can give the contact details of a friend or relative as a reference. Obviously, the friend or relative will give a good reference. This happens very often.

Second, the company requires you to hold certain certifications. If you want to get a job or increase your salary, you just study and pass some exams (for example, CISSP).

Third, many professionals are certified because the company paid for the certification it required. Sometimes the employer requires the employee to hold a certification.

There are many cases where a professional is certified in a particular technology but works in another area. For example, one of our co-workers recently achieved CCIE certification. However, this professional works with Windows systems. In other words, he has experience in one area but is certified in another. This co-worker only “sought” the certification because the company requested it.

Fourth, a certification proves that the person has the ability to learn about a subject. A certification does not prove that the person is prepared to perform a given function in information security.

Fifth, technology evolves much faster than any course or certification. In information security we learn new things every day, and courses and certifications become outdated very fast.

Sixth, and most important, is your ability to solve problems and create proactive strategies against new threats. Certifications will not help you when your computing environment is experiencing a new type of attack.

Conclusion

The personnel department, or even the technical interviewer, needs to understand that there are immortals and mortals in information security.

The immortals are the people who can prove their experience. They are recognized by the information security community. These are people who share their knowledge with their colleagues: they give lectures, develop courses, write articles, participate in discussion groups, and so on.

Mortals are the people who pursue some kind of certification to try to set themselves apart in the market.

Denny Roger is responsible for more than 100 information security projects, including: risk management, maturity level assessment, audits, penetration testing, vulnerability management, security incident response, computer forensic investigations, information security policy and implementation of security technologies. As a member of the ABNT / CB21 / CE 27, he participated in the development of ISO 27001, ISO 27002 and other ISO 27000-family standards. Contact: denny@dennyroger.com.br.

Denny Roger
denny@dennyroger.com.br
55 11 8136 8025

Follow me on Twitter: http://twitter.com/dennyroger
Professional profile on LinkedIn: http://www.linkedin.com/in/dennyroger
Member of International Association of Emergency Managers (IAEM)