Over at the Network Security Blog, Martin’s been doing a great job of putting the CISSP certification (Certified Information Systems Security Professional for you non-security-geeks) in proper context.
I’m not the biggest fan of the CISSP any more; I think it’s outdated and commoditized. It’s no longer the gold standard of security certifications because the world around it has changed too quickly. These days, there’s no “single” security career track, and the CISSP is diluted from attempting to remain the One Ring that Certifies Them All.
Not that it’s worthless. It can give a new security prospect a reasonable grounding in some of the basics. But where it used to be a Master’s (or maybe Bachelor’s) degree, it’s now a high school diploma.
About 4 years ago we didn’t have many CISSPs on our team at work, and my boss suggested I give it a shot for some professional development. I took one of those week-long intensive courses, and walked out realizing that taking the test would be, for me, a waste of time. Not that I didn’t learn anything, but I’d obviously hit the point in my career where it wouldn’t give me any advantages. I wasn’t going to learn anything else by preparing for the test (except how to pass the test), and I was in a position where the CISSP after my name wouldn’t make a difference for any job I’d ever apply for.
If you’re just getting started, or need it for the resume, a CISSP still has some value. In some places we’ve hit the point where not having it is more of a career obstacle than boost. That doesn’t mean it will help you do your job better.
Which is sad.
Edited: Almost missed Rothman’s comments on the subject; one on-point paragraph instead of my drawn out story. Sigh.
8 Replies to “Why I’m Not a CISS”
If you are going to work for the government, then the CISSP may prove a little helpful. Otherwise, it is a waste of time.
I became a CISSP in August of 2003. Full disclosure: I was unemployed for almost a year after the tech downturn in the Boston area, and during that time, I began preparing for the exam with Shon Harris’ book (along with my own amassed knowledge and work experience). As an infrastructure guy, the Telecommunications, Network & Internet Security section was a breeze, as was Physical and Operations Security. The rest was a challenge, because I’m not a database or software developer, and I’d never studied cryptography or lattice-based access methodologies, both of which are interesting, albeit not all that relevant in some areas, as was commented on in this blog.
The kicker for me was when my certs came up for reinstatement in August of 2006; I had been employed for many years as an IT manager, and felt the certification was not worth the time and trouble, so I decided to let it lapse. At that point, the ISC(2) rep called me and gave me a complicated sales pitch to keep the certification, stating that I probably had more CPE credit-worthy experiences than I realized. It sounded like any other sales pitch – the idea was to keep me paying that $85.00 dues every year, not making sure that my CPE was maintained. After finally “fudging” my way through this process with the rep, I was told that “congratulations, you actually have earned all of your 120 required CPE’s to be recertified!” and I was promptly sent a new framable certificate.
Employers that I’ve worked with since then never bring up the issue of CISSP certification. The process of learning about all of these aspects of security is interesting from an academic standpoint, and I found the material stimulating to my professional development – however, the certification process, in my opinion, offers little return on investment.
I did pass the exam in one shot, taking about 2 1/2 to 3 hours to complete. I was the 2nd person out of about 20 to finish.
Peace.
to “DO”
Hmmm, 250 questions in 90 minutes? You’re full of it brother. There are so many areas where the questions try to ‘trick’ the person that I find extremely difficult to believe you did it in 1.5 hrs (which averages to 2.77 questions per minute) or about three questions per minute. It’s not just about ‘knowing’ the material but reading the negatives and tricky questions. In fact ISC2 says that there are no double negatives but my experience was different. BTW, I completed the test in a bit over 2 hours and was the first done. There is no way to cut the time down without reading the questions thoroughly. Thanks for the buffer overflow description, but do you think everyone really believes that someone who takes the CISSP knows everything in every single area?
The CISSP was weak years ago and is weaker now. I took it and passed (first time) in October ’07. It was honestly the easiest certification that I had ever gotten. I finished in 1.5 hours and walked out telling all of my colleagues that “either it was the easiest exam I’ve ever taken or I wasn’t even reading any of the questions right”. There were only two questions that I didn’t know and it wasn’t because they were hard, it was because the English made no sense. All of the words made sense, but not put together in a sentence. When I took the bootcamp, I too knew that it would be pointless, but for some reason, DISA requires it… I annoyed everyone in the course because I knew EVERYTHING that the instructor was teaching and he and I were having a great time talking but they didn’t care to learn any sort of depth. Everyone I know who has the CISSP has disappointed me… their knowledge on any subject that I talk about is weak. Oh, and for those who don’t know, the exam is completely wrong concerning application security… buffer overflow protection is more complex than simply checking the offset and range.
Why I’m not a CISSP
The CISSP never was a premier security cert for security people; it’s a managerial-level security certification, hence the “from the top” viewpoint of things where money/profit are considered and most of the test is non-technical.
I think it just needs to decide what it wants to be when it grows up- the industry has moved past any single certification being comprehensive enough to cover any security career. Either it needs to become much more in-depth and breadth (month long courses, not a week), or take more of an approach like SANS.
The problem with the CISSP is, if you’re good enough to pass it, you’re already too good for anything that requires it. It is just an obstacle, which people like your good self don’t need to take because you’re way over it already. It was more of a curiosity to me, but I haven’t needed it once in any job I’ve had.
My experience is far more relevant than my CISSP, but then again it’s more important than my degree, my A-levels, GCSEs, every other exam I’ve had to take, and yet I wouldn’t say they weren’t worth it. I think it’s always good to set a stake in the ground, for yourself and for others.