Over at the Network Security Blog, Martin’s been doing a great job of putting the CISSP certification (Certified Information Systems Security Professional for you non-security-geeks) in proper context.

I’m not the biggest fan of the CISSP any more; I think it’s outdated and commoditized. It’s no longer the gold standard of security certifications because the world around it has changed too quickly. These days, there’s no “single” security career track, and the CISSP is diluted from attempting to remain the One Ring that Certifies Them All.

Not that it’s worthless. It can give a new security prospect a reasonable grounding in some of the basics. But where it used to be a Master’s (or maybe Bachelor’s) degree, it’s now a high school diploma.

About 4 years ago we didn’t have many CISSPs on our team at work, and my boss suggested I give it a shot for some professional development. I took one of those week-long intensive courses, and walked out realizing that taking the test would be, for me, a waste of time. Not that I didn’t learn anything, but I’d obviously hit the point in my career where it wouldn’t give me any advantages. I wasn’t going to learn anything else by preparing for the test (except how to pass the test), and I was in a position where the CISSP after my name wouldn’t make a difference for any job I’d ever apply for.

If you’re just getting started, or need it for the resume, a CISSP still has some value. In some places we’ve hit the point where not having it is more of a career obstacle than boost. That doesn’t mean it will help you do your job better.

Which is sad.

Edited: Almost missed Rothman’s comments on the subject; one on-point paragraph instead of my drawn out story. Sigh.