Why I’m Not a CISSP
Over at the Network Security Blog, Martin’s been doing a great job of putting the CISSP certification (Certified Information Systems Security Professional for you non-security-geeks) in proper context.

I’m not the biggest fan of the CISSP any more; I think it’s outdated and commoditized. It’s no longer the gold standard of security certifications because the world around it has changed too quickly. These days, there’s no “single” security career track, and the CISSP is diluted from attempting to remain the One Ring that Certifies Them All.

Not that it’s worthless. It can give a new security prospect a reasonable grounding in some of the basics. But where it used to be a Master’s (or maybe Bachelor’s) degree, it’s now a high school diploma.

About 4 years ago we didn’t have many CISSPs on our team at work, and my boss suggested I give it a shot for some professional development. I took one of those week-long intensive courses, and walked out realizing that taking the test would be, for me, a waste of time. Not that I didn’t learn anything, but I’d obviously hit the point in my career where it wouldn’t give me any advantages. I wasn’t going to learn anything else by preparing for the test (except how to pass the test), and I was in a position where the CISSP after my name wouldn’t make a difference for any job I’d ever apply for.

If you’re just getting started, or need it for the resume, a CISSP still has some value. In some places we’ve hit the point where not having it is more of a career obstacle than boost. That doesn’t mean it will help you do your job better.

Which is sad.

Edited: Almost missed Rothman’s comments on the subject; one on-point paragraph instead of my drawn out story. Sigh.


5 comments

  1. Rob Newby Sep 4

    The problem with the CISSP is, if you’re good enough to pass it, you’re already too good for anything that requires it. It is just an obstacle, which people like your good self don’t need to take because you’re way over it already. It was more of a curiosity to me, but I haven’t needed it once in any job I’ve had.
    My experience is far more relevant than my CISSP, but then again it’s more important than my degree, my A-levels, GCSEs, every other exam I’ve had to take, and yet I wouldn’t say they weren’t worth it. I think it’s always good to set a stake in the ground, for yourself and for others.

  2. rmogull Sep 4

    I think it just needs to decide what it wants to be when it grows up- the industry has moved past any single certification being comprehensive enough to cover any security career. Either it needs to become much more in-depth and breadth (month long courses, not a week), or take more of an approach like SANS.

  3. CVJ Nov 14

    The CISSP never was a premier security cert for security people; it's a managerial-level security certification, hence the "from the top" viewpoint of things where money/profit are considered and most of the test is non-technical.

  4. DO Jan 21

    The CISSP was weak years ago and is weaker now. I took it and passed (first time) in October '07. It was honestly the easiest certification that I had ever gotten. I finished in 1.5 hours and walked out telling all of my colleagues that "either it was the easiest exam I've ever taken or I wasn't even reading any of the questions right". There were only two questions that I didn't know, and it wasn't because they were hard, it was because the English made no sense. All of the words made sense, but not put together in a sentence. When I took the bootcamp, I too knew that it would be pointless, but for some reason, DISA requires it… I annoyed everyone in the course because I knew EVERYTHING that the instructor was teaching, and he and I were having a great time talking, but they didn't care to learn any sort of depth. Everyone I know who has the CISSP has disappointed me… their knowledge on any subject that I talk about is weak. Oh, and for those who don't know, the exam is completely wrong concerning application security… buffer overflow protection is more complex than simply checking the offset and range.
