Wendy Nather abandons the CISSP—good riddance

By Gal Shpantzer

Mood music: Abandono by Amalia Rodrigues…

Wendy blogged about not renewing her CISSP. I never had one myself, but as Wendy said it is much less important if you’re not going through the cattle call HR process, which is majorly gebrochen in infosec… but that’s another post.

I suppose a CISSP might be useful for people starting out in security, who need to prove that they’ve actually put in a few years at it and know the basics. It’s a handy first sorting mechanism when you’re looking to fill certain levels of positions. But by the time you’re directly recruiting people, you should know why you want them other than the fact that they’re certified. And then the letters aren’t important.

My personal career path has always been about proactively sniping for work (AKA consulting – never had a “real job”) and cultivating relationships and recommendations, so the following is especially true, even though I don’t have ‘decades’ of experience: “After decades of being in IT, I no longer want to bother proving how much I know. If someone can’t figure it out by talking to me or reading my writing, then I don’t want their job. If they feel so strongly about that certification that they won’t waive it for me, then they don’t want me either, and that’s okay.” Bingo. Sometimes, with a little time and attention, you can skip the HR cattle calls altogether and talk about what’s actually important to the hiring organization, beyond the HR robo-screening.

That said, the CISSP has powerful (some say disproportionate) sway over our industry’s hiring practices. As Rich and Jamie said in our chat room today, the HR process is what it is, and many HR shops bounce you in the first round if you don’t have those five magic letters… So the CISSP has ongoing value to anyone going through open application processes, where HR is doing what they do: blindly screening out the best candidates.

End Music: Good Riddance (I Hope You Had The Time Of Your Life) by Green Day


The argument Wendy makes is similar to saying that degrees such as BS, MBA, or PhD are not relevant if you have industry experience. However, if a candidate is an unknown quantity, then some baseline of skill or qualification is prudent to verify before they are given access to potentially sensitive systems and data. It is a rare person who is both self-taught and proficient. It’s a rarer HR person who can identify a proficient individual without some objective metric.

There are individuals who interview well but don’t perform, and there are great performers who don’t interview well. Which would you want on your team? And since the interview itself cannot ferret out the difference, you need other objective standards such as degrees, certifications, actual job performance and accomplishments, and professional references.

As a comparison, would you be more likely to take financial advice from your nephew who has read investment books, or from a person with an MBA? The customer who needs these services is at the same decision point, so why make it difficult for them to select you?

The CISSP additionally includes an ethics agreement similar to the physician’s “do no harm”. How many self-taught “security experts” will take an oath to follow a high degree of ethics and be verified by another security professional, as does the ISC^2 structure?

If after only 10 years in the field she no longer wants to “kick down the doors” then she is in the wrong field. This field requires enjoying the process of constant learning and exploration.

To the point that this is an entry level requirement, that is confusing this with the SSCP. The CISSP requires also having at least 5 years of direct full-time professional experience in security work. And this certification has no comparison at all with entrance tests such as the SAT, since the latter has no ongoing maintenance or continued learning.

Robert J. Caruso, CISSP

By Robert Caruso

I read about people bagging the CISSP all the time. The facts are that many jobs ask for it, and I personally found the exam to be quite tough.

To me it means someone has taken the time to become an IT security professional, just as someone has taken the time to become educated (i.e., go to university).

It doesn’t mean they know everything; it doesn’t mean they’re God’s gift to IT security. I’ve met plenty of people without a CISSP (or not marketing it) or without a university degree who are very bright.

Mine is very helpful where I live—in Germany (I’m not German BTW). Everything is about degrees and certifications here when you’re looking for a new job. From that perspective alone, I will continue to plod along with the CPEs.

One thing they need to change about the CISSP (no idea if this has changed since I did mine 4 years ago) is that it’s too Americanised. To be blunt, I don’t care about the law of the USA, and there’s no value for me in learning about it other than to pass the exam and to know about the Patriot Act and such things.

By Mark

No Googling necessary, as the intended target audience of my comment was misunderstood.

Gal, do us a favor (and we won’t insult you by asking you to Google it) and name one purveyor of certifications that doesn’t market their paper as “world-renowned” or an “industry-wide standard” or try to position their cert as a definitive credential in their targeted industry. My comment was in reference to the professionals that obtain the certs, not the organizations that purvey (and obviously promote) them.

That said, we can all wish that HR wouldn’t imbue substance into these credentials as a means of filtering through the vast pool of prospective candidates trying to break into security, but reality (just like we see with licensed professionals or graduates from top schools) is that people *need* a barometer for gauging the likelihood that professionals meet some standard, regardless of whether or not said barometer is truly relevant or representative of experience.  Criticizing the CISSP for providing a standard is much akin to criticizing the SATs or a bar exam for imposing standards without truly representing the breadth of one’s talents or aptitude.

That said, I stand by my statement; nobody brags about “being” a CISSP (as opposed to “selling” it), just as nobody brags about their SAT scores from high school.

By JDubsFL

Thanks for the comments, everyone. The CISSP has a certain value in certain contexts for certain people, for a limited time. It’s not some cardinal sin to have one if it helps you in a job search or getting a consulting gig. That said, there are major problems with how the HR function treats certifications as well as how ISC(2) itself represents the CISSP. As commenter JDubs said, “No one ever says that the CISSP is the ‘golden standard’ of expertise.” Except ISC(2), right? Google “CISSP Gold Standard”; it’s all over the place, in formal ISC(2) marketing. I’ll address more of the comments in detail soon. Thanks again for interacting.

By Gal Shpantzer

Well, most know how *I* feel about this topic. ;) I keep mine, though - as a consultant, I have clients and RFPs that require it, too. That grates on my nerves, sure, but I won’t lose business for something so silly, either.

By Shack

CISSP is like any professional qualification. When entering a new industry with zero or limited experience, you need some method to prove competence. Organisations need to de-risk the recruitment process as much as possible when recruiting individuals they don’t know. It’s a decent qualification, just not enough on its own. Experience, like in any role, is paramount. Infosec is now becoming big business with loads of avenues of specialism - pen testing, identity, audit etc. CISSP is 15 years old and was just a generic entry into infosec. I have it, doubt I’ll continue to renew it, but it does get a lot of undeserved bashing.

By Simon Moffatt

I let mine lapse 2 years ago after holding onto it for over 10 years. Simply put, I saw value in “continuing education”, but the $100+ annual shakedown was simply ludicrous for the “value” that the ISC2 “added”.

By Erik

Empathize except for the following paragraph:

“Besides, it still chafes me to think of paying good money every year to be allowed to do something I don’t want to do anyway: put letters after my name. At this point, CISSPs are so common, they’re like a bachelor’s degree:* if you have to brag about it, you probably don’t have anything else going for you.”

I’m curious as to what constitutes “bragging”.  Who in their experience ever brags about being a CISSP?  Does simply posting letters as a suffix disenfranchise someone from the ranks of “real” security professionals?  If you eschew “real jobs” for “security evangelism” or networking yourself out of the trenches, does that bestow authority to belittle the professionals who pursue the conventional path and therefore, in order to be recruited or have a foot in the door, post their credentials?

The “CISSP is a dime-a-dozen” argument is a perennial dead horse that has been regurgitated since early adopters of the cert began feeling frustrated that other people who qualified and were able to pass the test started swelling the ranks and “diluting” the pool of candidates. The CISSP is just a baseline; that’s it. Just as an accountant needs a CPA to demonstrate some competency and a lawyer needs to pass the bar and pay legal fees to practice in his/her desired jurisdiction, passing the CISSP demonstrates to recruiters and hiring managers that you have a minimum fundamental understanding of the subject matter. No one ever says that the CISSP is the “golden standard” of expertise.

There are those of us who took the test and maintain it not to prove anything but simply because we went through the trouble of certifying and A) don’t want to go through it again and B) want to change jobs (when we don’t always have the luxury of doing independent consulting for clients who know better).

By JDubs

Pet peeve of mine on this particular debate: HR only screens for what hiring managers tell them to screen. The larger point is still true but the animosity is misguided. It is very likely a security person who requests certification as a requirement.

By Max
