In a recent entry, I mentioned the training program that we conceived at nCircle to take relatively inexperienced engineers and turn them into security rock stars. The genesis of that program was in the search for a certification that actually meant something - even with the huge number of certifications out there, we couldn't find a set of training or testing that would actually move an engineer from a normal level of technical skills to become a real high-octane security engineer in an orderly fashion.
The problem is really the dilemma of a certifying body that requires money to survive - in order to make money, the certification has to get recognized. In order to get recognized, a certain number of people have to have the certification (and be willing to do the work to get it). In order for that number of people to get the certification, the certification has to be sufficiently easy to allow them to get it.
Thus, you're not likely to ever see a certification that actually reflects excellence, simply because the economic incentive isn't there to create it. The same set of economic incentives is out there for anybody creating a training course for security - if their plan is to make money in the mass market, it simply can't push people too far.
So we realized that we had to move beyond certifications and create our own program, but what to put in it? We asked ourselves the following question:
If I were to snap my fingers and create the ideal super-star security engineer (SSSE), what skills would they have? What traits would they have? And how would they think?
What would your answer to that question be?