How many security professionals here?

Discussion in 'Backup and Security' started by scot.mcpherson, Mar 23, 2009.

  1. I am curious. How many security professionals are in this forum? This seems like quite an appropriate forum for said professions.

    I myself am a CISSP (Certified Information Systems Security Professional), which means I am supposed to understand things like security, risk analysis and mitigation, business continuity, and pretty much any other such thing that computer-based traders might want to be concerned about.

    I am not looking for a job, I have a good one, just curious how many other certified or non-certified but genuine security professionals are here.

  2. Before I retired to trade full time I managed Database Administration (DB2, Oracle and SQL Server). In several shops earlier in my career I did all of the ACF2 security and native SQL security for DB2 databases. :cool:
  3. rickf


    I am. Worked, presented, and published in the INFOSEC/IA/IO/IW field since 1992.

    I refuse to hold any infosec certification since I don't believe in them.

    How's that for a very generalized starter? :)
  4. rick, I used to believe the same thing. I have been in IT since 1990-ish. I never needed certs because I have an established background. However, when 9/11 + Enron Crash + Arthur Andersen Crash destroyed my career by flooding the IT marketplace with untalented but cheap IT workers, I ended up leaving IT for a few years. When the time was right I entered IT again, but it was a LOT harder than I expected to explain my absence from IT. I ended up chasing several certs to prove to employers that I still had it going on. I now work a contract for the government and they have their own certification requirements. I was promoted into an IT/IM/IA management position for the gov and the appointment I currently hold requires the CISSP. I therefore chased it.

    It's easy to say you don't need the certs when you don't, until you find yourself in a situation where people are asking, "How come you don't have any certs?"
  5. jprad


    The CISSP cert certainly has a lot of mindshare, which is sad because the GIAC certs are more effective, IMHO.

    The former tests your ability to recite InfoSec knowledge while the latter tests your ability to apply it.
  6. rickf


    Yeah I can see that - but in those cases, I've turned down enticing jobs because when folks ask that question for a CSO-level job, they're really looking for a showpiece to say "look, we must be secure because we have a certified dude in charge of things!" -- that to me suggests inside the box management thinking, ineffective security, and a corporate culture I will NOT fit into very well.....not because I am an asshle but rather because they don't want to hear what needs to be done.

    The best security pros whom I look up to have no certifications -- they're known for their papers, presentations, and work histories as industry thought leaders. I count myself in "their" league versus the "corporate" version of infosec.

    Sorry, I am a bit bitter about my profession. If you want to read more, PM me - my April Fools' prank last year was right along these lines. :)
  7. I've worked in infosec for 15 years now for a variety of companies and for 10 years before that working on Unix kernel coding writing file systems and network stacks.

    In the early days I did quite a lot of network security and firewalls work but I moved away from that to enterprise security architecture with the occasional bit of incident response thrown in when I can get it (that's a perk really). I also act as the security stakeholder for strategic initiatives. I hate writing policies and standards but luckily we have quite a big security group and there are others who like doing those.

    A CISSP will help get you past the first cut but no further. The thing that matters is experience and whether what you have done matches the job requirements. There are far too many paper CISSPs wandering around for it to have any meaning as a certification.
  8. I am a professional security guy (find vulnerabilities c/c++/php/.net/whatever, write tools in aforementioned languages etc...). But I'd slowly like to make the transition to trader.
  9. Yeah I am doing the same thing with moving from IT to trading slowly.