Saturday, 6 June 2009

EC-Council courses certified by NSA

Chris Riley brought up a good post on his blog...something I totally missed in the news :-o

Following (literally) the press release from EC-Council we read "EC-Council Courseware certified to have met the CNSS Standards by the United States National Security Agency (NSA) and the Committee on National Security Systems (CNSS)". Shocked? I am!

What does it change or prove?
From my point of view it says that EC-Council knows how to do marketing, which obviously they do a lot. My impression when meeting EC-Council people at different expos and conferences was like, uhmmm... security? WTF? Business is business, the most important part is to keep it going. Create a business model (hey - I don't blame you for that, good you succeeded!), build a brand, a loyal user base, make some media stir and here you go. It's simple - if I see someone talking about security with $$$ signs in his eyes, that's a sign for me to back off and go elsewhere. That's my personal impression regarding EC-Council as an organization - full stop.

My thoughts on standards and compliance
Chris has raised some really good points in his post about material quality. I would add that conforming to standards and requirements (be it the well-known old friend ISO 9001 or any other ISO-based one, PCI-DSS, etc. - you name it) is just a matter of proper wording in the marketing materials and in some internal paperwork. I used to work in this area for some time (i.e. standards, certification, implementation, paperwork - I've been on both sides of the process, from the bottom to quite high in the chain) and I can tell you that there are two ways to achieve so-called "compliance" with any "standard" I have come across so far - make damn sure you do what you say you do and do it very well and that conforms to requirements... or make sure auditors don't bother reading :-) and "OK" what they got. First impression method, social engineering, etc. - great place to apply those!

Paper will accept anything you want, but this doesn't change one bit what people know, what they do, how they work, how they use their knowledge (how much they are worth), etc.

Nothing has changed... exactly nothing!