CISSP is Worthless?
Comments
-
diggitle Member Posts: 118
I really don't understand why companies and IT professionals boast and praise the CISSP so much. Currently I work at a company that performs a multitude of services (managed security and red team activities), yet 2 of the CISSPs I work with have no scripting, programming, hacking, or network engineering experience. They are constantly coming to me (non-CISSP) for Metasploit, Canvas, exploitation, etc. help. These are script kiddie programs too. So why is there so much push for a certification that is a mile wide and an inch deep? I've read Keatron's post about the cans and the wrapper, but how is that possible? How is it possible to master all the cans? No one person does all 12 domains. This is why I think they should revamp the CISSP and stop treating it like whoever has it is the "know-all". I know 3 CISSPs that have failed other exams, i.e. CCNA, CEH, OSCP, Security+ (yes they did), etc.
c colon i net pub dubdubdub root
-
colemic Member Posts: 1,569
My take... The CISSP isn't designed - or intended - to measure technical aptitude or knowledge; it provides a baseline for measuring the ability to bring together security and business requirements in a way that finds the right balance between security and the ability to get the job done.
It isn't surprising (to me) that they need help in certain technical areas. You can't expect someone who has those parameters (inch deep, mile wide) to NOT need assistance in technical areas.
It's not a technical cert, has never been marketed as such, and shouldn't be used to gauge technical ability.
Working on: staying alive and staying employed
-
TeKniques Member Posts: 1,262
Agree with Colemic. There seems to be a lot of confusion about exactly what the CISSP is geared towards. Of course, it doesn't help that HR posts jobs that ask for a CISSP with a bunch of technical requirements, but it is what it is.
> I really don't understand why companies and IT professionals boast and praise the CISSP so much. Currently I work at a company that performs a multitude of services (managed security and red team activities), yet 2 of the CISSPs I work with have no scripting, programming, hacking, or network engineering experience. They are constantly coming to me (non-CISSP) for Metasploit, Canvas, exploitation, etc. help. These are script kiddie programs too. So why is there so much push for a certification that is a mile wide and an inch deep? I've read Keatron's post about the cans and the wrapper, but how is that possible? How is it possible to master all the cans? No one person does all 12 domains. This is why I think they should revamp the CISSP and stop treating it like whoever has it is the "know-all". I know 3 CISSPs that have failed other exams, i.e. CCNA, CEH, OSCP, Security+ (yes they did), etc.
This may be true from your everyday experiences, so I can reciprocate with one of my own. I know lots of technical people, ones who can do security forensics, set up sophisticated routing, and do all sorts of security scripting ... ask one of them to write up an information security policy, align a security strategy with business objectives, or implement a security awareness training program and none of them will even know where to start. Point is, security is not just a technical job. On the flip side, just being a CISSP doesn't mean you can do those things either; experience and achievements will ultimately determine if someone is capable or not of fulfilling a job requirement.
-
colemic Member Posts: 1,569
> Agree with Colemic. There seems to be a lot of confusion about exactly what the CISSP is geared towards. Of course, it doesn't help that HR posts jobs that ask for a CISSP with a bunch of technical requirements, but it is what it is.
> This may be true from your everyday experiences, so I can reciprocate with one of my own. I know lots of technical people, ones who can do security forensics, set up sophisticated routing, and do all sorts of security scripting ... ask one of them to write up an information security policy, align a security strategy with business objectives, or implement a security awareness training program and none of them will even know where to start. Point is, security is not just a technical job. On the flip side, just being a CISSP doesn't mean you can do those things either; experience and achievements will ultimately determine if someone is capable or not of fulfilling a job requirement.
A CISSP *should* be able to do those things, though.
And totally, totally agree that not all security is technical! Regardless of what technical security people say.
Working on: staying alive and staying employed
-
philz1982 Member Posts: 978
Much of my experience with security has been being able to provide a business case to get people to change. If you need to tap folks with certain expertise to build that business case, then so be it. A CISSP is looked at as having familiarity with topics so they can make educated business decisions. There are plenty of people who know "insert your IT focus here"; the people who can coordinate between these disciplines and produce actionable insight that results in business value are the ones who are rare. You usually find either IT focus or business focus, not much of both.
Read my blog @ www.buildingautomationmonthly.com
Connect with me on LinkedIn @ https://www.linkedin.com/in/phillipzito
-
emerald_octane Member Posts: 613
> So why is there so much push for a certification that is a mile wide and an inch deep? I've read Keatron's post about the cans and the wrapper, but how is that possible? How is it possible to master all the cans? No one person does all 12 domains. This is why I think they should revamp the CISSP and stop treating it like whoever has it is the "know-all". I know 3 CISSPs that have failed other exams, i.e. CCNA, CEH, OSCP, Security+ (yes they did), etc.
Were the CISSPs that you mentioned hired in pen test roles? If not, why be surprised when they don't do much pentesting?
Because security is holistic. OK, maybe you've met a few CISSPs who couldn't tell a SYN packet from a Hot Pocket, but I've met very disgustingly smart CISSPs who can be technical from end to end and do it securely as well. Any sec guy can go into a network and start chopping it down with complete disregard for the business, not understanding the whole picture. A CISSP should be knowledgeable enough to go out to his red team and say "I need you to make sure we meet this regulation requirement by showing our infrastructure capability", then they can go back to the suites and say "we're compliant with XYZ, or we're not, but it costs $$$$, the vulnerability is only $, so we're going to accept the risk."
-
colemic Member Posts: 1,569
^^golf clap^^ to the two posts above. That's it perfectly.
Working on: staying alive and staying employed
-
JDMurray Admin Posts: 13,092
> A CISSP *should* be able to do those things, though.
-
colemic Member Posts: 1,569
> write up an information security policy
> align a security strategy with business objectives
> implement a security awareness training program
I was referring to the examples listed above... I do believe that those tasks should fall within the skillset of a CISSP.
Working on: staying alive and staying employed
-
danny069 Member Posts: 1,025
But you guys that got offers, were you an "Associate" of CISSP or a FULL CISSP? Or did it even matter?
I am a Jack of all trades, Master of None