The immortals and mortals of information security

Fourth, a certification proves that the person has the ability to learn about a subject. It does not prove that the person is prepared to perform a specific function in information security.

Fifth, the technology evolves much faster than any course or certification. In information security we learn new things every day, and courses and certifications become outdated very quickly.

Sixth, and most important, is the person's ability to solve problems and create proactive strategies against new threats. Certifications will not help you at the moment your computing environment is experiencing a new type of attack.


The personnel department, and even the technical interviewer, needs to understand that there are immortals and mortals in information security.

The immortals are the people who can prove their experience. They are recognized by the information security community. These are people who share their knowledge with their colleagues, give lectures, develop courses, write articles, participate in discussion groups, and so on.

Mortals are the people who aim to obtain some kind of certification in an attempt to set themselves apart in the market.

Denny Roger is responsible for more than 100 projects in Information Security, including: risk management, maturity level assessment, audits, penetration testing, vulnerability management, security incident response, computer forensic investigations, information security policy and implementation of security technologies. As a member of ABNT / CB21 / CE 27, he participated in the development of ISO 27001, ISO 27002 and other ISO 27000 family standards.


Filed Under: Articles, Be My Guest, My career


Comments (6)

  1. Joe Muggs says:

    In my experience, the terms “mortal” and “dimwit” are apropos. Certifications supplement the mortal’s skills and substitute for the dimwit’s.

  2. One thing I would recommend to anyone that wants to get into Information Security is to start understanding the difference between InfoSec and Information Technology Security or Information System Security (i.e. IT or IS Security). This helps you prove to the business that you know the “business needs” for the technology security that you’re putting in place; they then accept the security rather than feeling you did it just to “get in the way”.

    I’d recommend that anyone interested in this get a good understanding of the ISO 27000 standard … and I agree with the comment earlier that the CISSP is out of date … it relies too much on technical knowledge. The 27000 standard covers the other aspects required: administrative controls and physical controls (along with the logical controls, i.e. technology). Information is stored in many other places than on electronic systems: paper, microform, in our brains; if you haven’t secured these along with the technology then you don’t have “Information Security”.


  4. Poison says:

    Denny, you hit the nail on the head when you say that the fault lies with the recruiter. However, to be fair to them, the alternative of getting folks who are recognized amongst their peers is also not an easy task.

    Firstly, someone who is certified is probably also a member of those professional forums; for instance a CISA will be a member of the local chapter and will be required to attend and even talk about their experiences to get the CPE credits. So it’s hard for an outsider to be able to tell who is really proficient in their area.

    Secondly, most recruiters are not members of the forums themselves and therefore are not aware of the standing of a member there.

    Thirdly and most importantly, most companies do not yet understand the importance of Infosec. Sounds weird, yes, but it’s true. Look at the breaches happening around you. Unencrypted tape drives, laptops, USB sticks, etc. being lost, resulting in data breaches!
    Unpatched servers, virus attacks, etc.!

    I mean, these cos aren’t even losing data to skilled hackers. They’re losing data due to their incompetence and stupidity. Are these small companies that cannot afford an Infosec team? No!
    Then why can’t they implement encryption on all storage media, disable USB access, patch servers, update AV dat files and push updates?

    The reason is clear: the managements of most companies still feel that Infosec is simply not important enough. They feel that the cost of a security incident is less than the cost of investing in setting things right. I’ve seen numerous incidents wherein they pompously claim that they have accepted the risks; it’s a risk that has never materialized in the last few years, and therefore is unlikely to happen in the future.
    But having a CISO is imperative, cos clients will ask about the organization’s Infosec initiatives, so these forward-thinking companies hire a team of jokers with certifications who are content to be YES men, and tout them as the cure for all their infosec woes. Give them a lofty title and they will keep the clients happy. If only it was so easy though…

    Oh, and if the clients are really insistent, then we’ll go get the org certified too. ISO 27001, SAS 70, SOX et al… Never mind that the consultant is so brain dead that he/she will sign anywhere you ask him to sign as long as the payoff is good.

    The real credit for success goes to management and the real blame for failure also goes to management. They’re also the real Mortals and Immortals in this story.


  6. Albatross says:

    Having taught the CISSP bootcamp, I consider the content of CISSP training antiquated and out of touch with what the industry needs or requires. Despite this, I always advise aspiring security professionals to get their CISSP. Because, as you rightly point out, the CISSP is the single most widely recognized security certification in the world. The CISSP is a success of marketing, if not security. IMO it would be VERY hard to sustain a Fortune 500 infosec career without a CISSP.