>> The author pokes fun at CISSP, but how else can I figure out if someone is 'good' at security?

I'm the author. If you are hiring a security consultant for your firm and you know how to judge infosec skill, use a work sample and check references.

If you're hiring a security consultant to perform a penetration test or audit for your (non-infosec) company, hire people who have a healthy mix of the following:

1. Public, verifiable work (e.g. bug bounties).

2. Solid references and past experience with clients who themselves understand what to look for in a security consultant. You obviously check these references. Alternatively, a solid reference that the candidate worked at NCC Group, Accuvant, Leviathan, etc.

3. Research in the field, such as discovering a new class of vulnerability, publishing vulnerabilities in ubiquitous software, etc.

Prioritize #2, because not all adept security folks like to conduct research or participate in publicly verifiable work.

Of the certifications you can have, the Offensive Security[1] certs are pretty rigorous. For example, the OSCP is a good indicator that a candidate knows what they're doing to offensively test a client's network. That's about it. Almost all other certifications are run by people who have, at best, textbook knowledge of information security. People who get the CISSP can probably accurately describe a cross-site scripting attack to you in an interview, but there is no guarantee they can practically find it or defend against it.

The other issue is that while some certifications are good, a lot of folks in infosec just don't care for them. They can find high-paying jobs in prestigious companies without a degree or a certification of any kind, so they simply don't bother, even though they could pass it. This means that you can't reliably throw out candidates with no certifications... which circles back to my original recommendation.

Work samples, references and public work are the best ways to judge a candidate's talent. I'm directly aware that this system is used at Matasano and Accuvant, and it's likely the norm at the other "quality" security consultancies. 'tptacek would have a lot of great advice to contribute on this matter as well.

[1]: https://www.offensive-security.com/information-security-cert...