The value of your CISSP

scheduleNovember 6, 2016

Declaring the CISSP a “foot in the door” certification is to clearly misunderstand its purpose in todays Information Security Environment. The problem with the CISSP is not the certification per se, but rather the misunderstanding of what it is, what it is for, and what it documents.

The fact that there are people that do not take this certification seriously says more about the people that joke about it, than the people that hold the certification. Is this a certification that should be taken seriously, absolutely. “Average” people study for a year before they take the exam. The test is a grueling 6 hours. When one has taken the test and passed, you feel like you have accomplished something. This is because (after hitting every place I could find on-line) first time failure rates may be as high as 70% to 80%.

There is a claim that the material is worthless to 99% of people involved in information security. I find that claim fascinating as I have actually been responsible for fire extinguishers, fences, and lighting. Here is the first misunderstanding that needs to be corrected. This certification is for MANAGERS in information security. Think operations managers, project managers, or even attorneys. These are the people that need to understand why things work the way they do and the terminology that is used, but do not need to worry about doing it themselves.

The CISSP relies on experience instead of requiring demonstration of hands-on skills. This is because the certification is designed for people that will be leading the implementers. The reason that you need to understand the concepts is so that in communication with those that speak technojargon, you can translate correctly what is meant, and why. Everyone in middle management that is responsible for IT should be required to have a CISSP. Upper management should consider specializations. To claim that tangible “real” skills are the only thing of value is to miss that an army of workers with no direction accomplishes nothing. The CISSP can bridge the gap between an MBA and the IT security team they run.

If you are of the opinion that this cert is not what you want in your IT sec team, then find the one you do want. Select a vendors security certification. Cisco and Juniper have many to choose from. These certifications are outstanding for implementation. Need to certify someones ability to do a vulnerability test? How about an OSCP? Instead of demanding that ISC^2 destroy this test in lieu of another test that already exists, why not correct your view of what this test represents?

Why would someone be proud of their CISSP?

  • Studied for a test instead of watching TV.
  • Took and passed a test that most people fail their first time through
  • You have documented that you have at least five years of related experience
  • It can count as a significant portion of a college degree
  • It documents a standard that you have achieved
  • You can assist people in the same accomplishment

People, your understanding is broken

HR offices know little to nothing about the breadth and scope of information security. The people that work there are not required to understand the intricacies of what a particular certification means. The people that contact HR and request an employee determine what certifications are required. Arguing will not get you much.

As a CISSP keep in mind that you have more to learn. It should not be your only certification. If you earned your certification from a brain dump on line, you are part of what is called the paper tiger brigade. These are people with certifications that do not understand how to apply them. Examples are; Cisco Certified Network Professionals that have never touched a router, CHFI’s that do not know what tool to use to recover a file on a Linux box, Network+ holders that can not even subnet. Paper tigers reduce the value of the certifications they misrepresent.

So do what do I propose?

We need to document people that are paper tigers. When you hire one and discover they can not do the job, there should be a reporting mechanism to identify what the discrepancy was. As this individual moves from employer to employer there would be documentation of issues. If there are enough issues, the certification should be pulled. This way we can eliminate paper tigers that affect all valid certification holders by bringing down the value of the certification. Instead of demanding destruction of certifications, we should make sure we understand what the certification certifies, and be willing to document undeserving candidates.