Sunday, July 23, 2017

Certifications

I started a post draft a few months back, shortly after passing my CompTIA Security+ exam (a job requirement). From a functional standpoint, my job is not really on the network side, configuring firewalls, etc., but databases may contain PII or PHI and poorly designed applications can be vulnerable to SQL injection attacks. Oracle and other database software publishers release periodic security updates of their products and/or provide configured security alerts, e.g., the use of predictable passwords. We also need to harden database servers, e.g., against unnecessary, predictable and/or vulnerable ports. (In fact, for one federal client, I discovered Oracle Management Server (which, for example, would allow me to remotely manage other database servers from a centralized location) was not functioning because ports which allowed communication between database servers via Intelligent Agent had been blocked by network administrators.)

The DoD requires Security+ for a number of system administrative positions (including DBA). Depending on the contract, new hires without Sec+ might be given 2-6 months, but I know people who failed the exam and were let go. (I don't think CompTIA publishes failure rates, but a significant percentage fail to reach the minimum score of 750, which corresponds to just over 80%; in fact, I know someone with a D.B.A. degree who failed his first attempt. Another implicit indication is they offer a preparation bundle which includes a free re-test. Why would they even offer such an incentive unless there was a good chance you would fail, even with their preparation materials?) In one case before I took the exam, I was basically offered a defense contractor job in Mississippi when an account manager told me I had 2 weeks (i.e., before moving) to take/pass the exam. That wasn't even locally possible; there are often only a limited number of slots through Pearson (CompTIA's testing facility partner) which dry up the closer you get to the date. I suspect if you live in a large enough metropolitan area that might not be an issue, but I and others, short of flying to another city just to take an exam, had to wait a few weeks for an available slot. So basically they cancelled the job offer (and contacted me later to see if I had picked it up in the interim). There are other vendors who explicitly make a contingent offer on achieving it, and in many cases, they'll trash the resumes of even 20-year DBAs without the cert listed on them.

Security+ used to be a perpetual certification (until 2010 or so, don't quote me) but given the rapidly changing world of technology, CompTIA now issues 3-year certificates with a 50 CE (continuing education) unit renewal (CEs can be earned in a variety of ways, e.g., taking or delivering salient training or classes, qualifying seminars/webinars, credit for security-related employment, etc.). In fact, DoD demands that ongoing education process; I have a friend with a perpetual Sec+ certificate who had a Japan-based assignment, but the USMC demanded that he retake the exam (I gather he had not been involved in post-certificate continuing educational activities).

One of the things I had mentioned in my earlier post draft was that I can still recall when I finished my oral doctoral qualification exam (which followed passing my major and minor comprehensives) thinking I would no longer have to take any more exams; I would be the one giving them as a professor. Of course, that was quite naive, even assuming I didn't seek another doctorate or other degree (e.g., law). There was, of course, the dissertation proposal defense and the dissertation defense; my academic articles would be subject to peer review, my teaching evaluated by students and administrators, the tenure process, etc. When I restarted my professional career post-academia, I often faced tech screening, had to take various training courses/exams, etc. And there's been more and more push towards certification as a type of common baseline, e.g., as a filter for qualified job applicants. To a certain extent, I understand the need, given grade inflation, variances among college programs, etc.

Personally, I found some of it rather insulting. One example was this one consulting client had a rule that all contractors, as well as employees, had to take this IBM programming aptitude test. I'm like, give me a break! I had worked as a professional programmer/analyst before I started on my MBA. I have written in multiple computer languages (APL, Fortran, COBOL, etc.), had taught several programming classes and had assigned programs in others (which, of course, I personally completed in advance). So I take the stupid test, and the astonished client says, "You know, you are quite gifted." No kidding!

It's somewhat annoying when I get similarly quizzed over Oracle. I mean, I had gone through multiple levels of tech screens to get a job offer as a senior principal from Oracle Consulting almost 20 years ago. Are you seriously going to compare a 90-minute multiple choice question exam to over 20 years of experience from someone who used to work for Oracle? (I did decide to earn an OCA (Oracle Certified Associate) in 2005 while I was between assignments at a consulting company; I would have gone for my OCP, which required a second exam, but Oracle decided to make the cert dependent on taking one of some 8 (?) Oracle University classes ($3500 a seat).) The company wouldn't cover the class; well, they might after I improved my utilization (billing percentage) rate (which had more to do with their sales guys not winning new contracts). I saw being on the bench as a perfect opportunity to pick up training, and the additional certification might make me more attractive to prospective clients.

Of course, some exams, including CompTIA's, have gone beyond just multiple choice (which allows more comprehensive coverage, objectively scored) to increased use of scenario/performance-based questions. A candidate is obligated not to discuss actual test questions, use purported test banks/brain dumps, etc. But to give an example I've not personally seen, one might be asked to specify underlying constructs of the CIA triad and accordingly sort relevant items, e.g., clustered servers, encrypted message bodies, message digests, etc. Or perhaps analyze a network diagram and identify risk mitigation tactics. The basic idea is to focus on critical thinking skills; you can, to some extent, do that with multiple choice items, e.g., rank-order hashing algorithms in footprint, speed, collisions, etc.

I found Security+ to be a particularly challenging exam given the wide scope of the subject, including topics like access to system resources, server and network configuration, job design, system, communication security, disaster planning, etc. (For a more detailed description, see here.) As someone who has widely read and researched test measurement and validation constructs, I was favorably impressed by question sampling and construction. Some unspecified questions aren't scored. One must also be disciplined and pace oneself; in my case, the scenarios appeared at the start of the exam; it's not obvious how the scenarios are scored, and it's easy to get sidetracked in the process. I remember when I initially completed the scenarios, I realized that I had less than a minute per question to finish the exam (but it turned out that I completed the exam with time to spare, enough to go back and review questions). There weren't a lot of predictable questions (e.g., what are the 7 layers of the OSI model?). But the exam included questions which went beyond any of the material I had studied for the exam, including multiple preparation guides and practice exams; I had watched the Professor Messer videos on YouTube, etc. I felt I was doing well, but I had heard of people failing by 5 points, and I remember thinking, "If I have to take this exam again, how will I study for it?" My preparation hadn't covered the material for some questions; of course, to some extent my taking the exam when I did reflected real world constraints. I am a bit of a perfectionist, and no doubt I would have done better with more time to study.

Luckily, you don't have to wait long to get the results, although they want you to first fill out a survey of sorts after you submit the final answers. I remember being relieved to see not only had I passed but by a comfortable margin, but just in case I had a swelled head, they printed up a number of exam objectives that I need to review. For obvious reasons (i.e., forbidden brain dumps), they don't tell you directly which questions you missed, which questions weren't scored, etc.

Yes, even with a PhD in MIS, there is a lot to learn in the rapidly developing area of IT, especially since I left academia around the time of the introduction of Windows 3.0 and Microsoft Office. I'm already working on my CEs. As much as I enjoyed the process of gaining my certification, I would prefer not to take the $300 exam again.