Cyberguardians

    I had the pleasure of reading Protect Your Windows Network From Perimeter To Data by Jesper Johansson and Steve Riley. Even though it lacks Vista coverage being written in 2005, it is still very relevant and useful to security professionals today. It's a book that I wish I had read sooner, as its a very good primer to security in a windows environment. Its the perfect companion to the Windows Security Resource Kit. The book's two authors are both seasoned security veterans and their IT geek humor is enjoyed throughout the book. I found myself thinking, "Yeah, I've been there before" several times and laughing at the absurdity of the situations we are frequently presented with.

    Two notes of caution about this book before delving in. These guys were both Microsoft employees at the time of the writing, so yes you will see some mild MS bias throughout, but they do a good job of reminding you in the text as well. I mean really, who recommends ISA server over a FW appliance like Netscreen, Checkpoint, or ASA, other then a MS employee or a Redmond Kool-aid drinker. Also, while this book contains great nuggets of information, for someone thats been in the security industry awhile, there will be a lot of general IT security information that you can just skim through in the first few chapters. This does not take away from the book in any way, just broadens the target audience some. 

After reading a very spirited, informative discussion on this topic over at SecurityFocus I decided to throw my own hat into the ring. I want to expand on several relevant topics. 1 - Certifications are a joke - A certification alone, without experience is typically not worth that much in the real world. It proves that the candidate can pass a test, often with having the questions in advance( see Testking/ActualTests). All it really guarantees, is that the candidate has some basic knowledge of the subject. Even the certs with experience requirements are pitiful, due to the fact that they do not audit every candidate. And if they did, there's always a chance they lied, like most people do on their resume.  2 - Certifcations are necessary - until the HR machine is overhauled, you cannot afford to not have certifications. Unless you have a good contact in the company, most non-certified individuals will be screened out by the non-technical HR employee, who basically knows keywords. I think also if your very specialized, like on a certain product or field, having one of the more advanced certs could be very rewarding financially. Also on the opposite spectrum, having certs in several different areas, like various OSes, networking, security, etc can show that your pretty versatile. 3 - Experience is still king - despite the fact that you have a lot of "enhanced" resumes out there, experience is still the most important factor in deciding whether or not a candidate will be successfull. A good track record of completing projects, troubleshooting, implementing, etc along with personal references from those jobs are still the best indicator that I've seen. Granted you need to do a fair amount of vetting via the technical interview, I still think its what employers should put more emphasis on versus certifications. In conclusion, I would like to state that I don't think its possibile for anyone to argue that the current certification system we have is not broke on multiple levels. We have hiring managers without a clue. We have money grubbing, so called experts selling us mediocre certifications. In short, we all have to take responsibility for fixing it. Whether its done by educating people of the dangers of paper only certified employees or by designing a new system, something needs to be done.