It can be far easier for an employer to rely on certifications, than to do the hard work and heavy thinking about what actually qualifies someone to do the job, or for that matter, what exactly the job is. I by no means wish to imply that certification is useless, or otherwise disparage certifications. Some of them seem to be going the direction of the true university: they mean to demonstrate that you know some of the basics in every area. So, someone with years of specialized experience might fail the exam, because of those areas they have not had occasion to know. In this context, take application and database security (and I don't know if these are part of CISSP). I would not be at all surprised to learn that dot commers know almost nothing about these. OTOH, such certifications favor idiot savants, who can repeat back everything they've read, but don't know how much a candy bar costs. Greg Stigers http://www.cgiusa.com * To join/leave the list, search archives, change list settings, * * etc., please visit http://raven.utc.edu/archives/hp3000-l.html *