Mood music: Abandono by Amalia Rodrigues…
Wendy blogged about not renewing her CISSP. I never had one myself, but as Wendy said it is much less important if you’re not going through the cattle call HR process, which is majorly gebrochen in infosec… but that’s another post.
I suppose a CISSP might be useful for people starting out in security, who need to prove that they’ve actually put in a few years at it and know the basics. It’s a handy first sorting mechanism when you’re looking to fill certain levels of positions. But by the time you’re directly recruiting people, you should know why you want them other than the fact that they’re certified. And then the letters aren’t important.
My personal career path has always been about proactively sniping for work (AKA consulting – never had a “real job”) and cultivating relationships and recommendations, so the following is especially true, even though I don’t have ‘decades’ of experience:
“After decades of being in IT, I no longer want to bother proving how much I know. If someone can’t figure it out by talking to me or reading my writing, then I don’t want their job. If they feel so strongly about that certification that they won’t waive it for me, then they don’t want me either, and that’s okay.”
Bingo. Sometimes, with a little time and attention, you can skip the HR cattle calls altogether and talk about what’s actually important to the hiring organization, beyond the HR robo-screening.
That said, the CISSP has powerful (some say disproportionate) sway over our industry’s hiring practices. As Rich and Jamie said in our chat room today, the HR process is what it is, and many HR shops bounce you in the first round if you don’t have those five magic letters… So the CISSP has ongoing value to anyone going through open application processes, where HR is doing what they do: blindly screening out the best candidates.