h8er:  So, how does it feel to work for a company that has made so many bad security decisions.

MSFT guy:  Well, I feel lucky to be in a position to try and influence good security decisions going forward - are there any specifics you want to give me feedback on?

h8er:  All those prompts irritating people, for example.

MSFT guy:  Oh, so you don't like that aspect of UAC.  We've gotten a lot of feedback on that, but the UAC security changes in Windows Vista encompass a pretty wide range of options designed to make it easier for most users to run as non-admin.  Plus, we've incorporated some of the feedback into SP1 and I think it is a lot better.  Have you tried SP1?

h8er:  <crickets chirping in the silence>

MSFT guy: (still trying) Let me ask it a different way.  A lot of folks have said that after the first few weeks, the UAC prompts tapered off, have you not found that to be the case?

h8er:  <crickets chirping in the silence>

MSFT guy: What about some of the other changes in Windows Vista - I think the addition of ASLR, for example, was a good decision and raises the bars for attackers developing exploits.

non-MSFT guys standing nearby:  He has probably never even tried Vista - I bet you run Linux and just heard the prompt stuff second hand.

h8er:  I don't run Linux ... I run a Mac!

(NOTE: This seemed to rattle him, so he went on the offensive.)

h8er:  Don't you feel embarrassed working for Microsoft knowing that 40% of your customers are infected with Malware?

MSFT guy:  Actually, based upon research in the latest Security Intelligence Report, less than 1% of machines have malware and need corrective action - plus, recent research in the same report has shown that most of that is on older platforms and Windows Vista has an even lower incidence.  40% is a pretty high number, what source did you hear that from?

h8er:  <crickets chirping in the silence>

(NOTE:  Need a new tack, better try something different.)

h8er:  Well, I feel a lot safer running my Mac and knowing the malware writers aren't targeting me.

MSFT guy:  Oh, threat landscape is a different topic than the security of the software, but I can't really agree anyway.  Many of the folks I talk to are more concerned about spearphishing or targeted attacks specifically against their valuable data.  Recent data shows that Mac OS X has quite a higher incidence of security vulnerabilities that other comparable systems.  That means that if an attacker did target them, he'd have a lot more options to choose from.  In that case, I feel much more comfortable using or recommending Windows Vista than I would using your Mac.

He left shortly after that, but not before giving the Microsoft guy an invite to his company's party - I won't tell you which company it was, but it makes the story even funnier.  To cap it, a few minutes later, one of the bystanders came by and said "so, did the Mac fanboy get tired of harrassing you and leave?"

Having lots of fun at Black Hat 2008 ~ Jeff

I digress. What inevitably happened once I started walking around with this button proudly displayed was that I would get one of two reactions. The first group — mostly current and former co-workers and acquaintances — understood the humor and got a good chuckle out of it. The second group would ponder for a bit and then ask, with some confusion, why I’d intentionally point out the fact that I’m not a CISSP. I’d give a brief answer and get back to talking about Veracode (we booth babes have responsibilities, you know).

So, why indeed? The long answer is that like many security certifications, it’s an ineffective measure of a security professional’s practical abilities. Employers and customers often assume the guy with the five magic letters on his resume is technically superior to the guy without. In my experience, it’s exactly the opposite, particularly in situations where you have to sit down at a keyboard and actually DO something as opposed to talking about it. Certainly, I’ve encountered some very notable exceptions to this observation, but we’re playing by the 80/20 rule here.

There’s a good reason for this. The trend in information security is toward specialization. Security has become such a broad umbrella of varying disciplines that it’s quite difficult to be a generalist. A security career is a balance between breadth and depth, and these days, the skilled pen tester, reverse engineer, or vulnerability researcher is more marketable than the guy who knows a little bit about dozens of different disciplines but can’t apply that knowledge in a practical situation. The CISSP subject matter illustrates this perfectly — you have cryptographic algorithms, site location principles, network security, and civil law on the same exam. I won’t even get into the complaints I’ve heard about the poorly-worded, overly simplistic exam questions or the ones that simply test one’s ability to memorize obscure facts.

I’m not claiming that there’s no value to holding the CISSP certification. It can’t hurt to have some exposure to business continuity planning, for example. The problem, as I stated in the beginning, is that the CISSP title is often interpreted as an indicator of practical abilities rather than a book-level understanding of security basics. These misaligned expectations can ultimately lead to bad hiring or staffing decisions.

Career advice, take it or leave it: If an employer or prospective employer demands that you get your CISSP in order to be hired or to progress in your career, run fast in the opposite direction and find a place where you will be valued for your cumulative experience rather than a piece of paper. Learn by doing, don’t “learn the test,” so to speak.

And that, in a nutshell, is why I love my “Not a CISSP” button.

By the way, here was my other favorite from RSA, thanks to WhiteHat. This one and “Samy is my hero” were the best out of a pretty clever selection… even though they forgot the semicolon after the single quote. <grin>