Who REALLY needs a CISSP?

renacido Member Posts: 387
As much as I love a good argument over the value of CISSP and who should get it, let's get away from the bro science and brofessors for a minute and look at an actual workforce and skill requirements study.

According to the National Initiative for Cybersecurity Careers and Studies (NICCS), the only infosec roles that *require* a CISSP are Information System Security Officers/Managers (ISSO/ISSM), known in the private sector as Security Managers / Info Assurance Managers / Security Program Managers (CISO).

According to NICCS, CISSP is a Level 3 (Advanced) certification for Management Development.

As a frame of reference, SEC+ is a Level 1 (Basic) for Skills Development, and CCNA is Intermediate.

The NICCS framework can be a useful tool in planning your training roadmap or that of your subordinates.

Explore the Framework | National Initiative for Cybersecurity Careers and Studies (NICCS)


Is anyone out there using this as an aid in their professional development planning? I know this board is generally newer folks to the career field, just curious. I get the feeling that a lot of guys who are interested in infosec just scan job ads for certifications to go after, which probably accounts for all the interest in CISSP.

Comments

  • chickenlicken09 Senior Member Posts: 531
    It's all HR's fault.
  • Expect Member Posts: 252
    Definitely fits perfectly for high-level managers.
    CISSP is by far the most over-rated certification in the market. By completing it myself I realized how true that is.
  • BlackBeret Member Posts: 684
    I agree those are the people that need it. The problem comes in with companies wanting more and more security personnel, and wanting them to be able to do more things. Where I work pen-testers are required to have a CISSP, as well as a lot of other personnel. They're not managing anyone or in charge of the programs, but they should know about all of the areas security touches. We have different people for pen-testing, policy reviews, basic assessments, etc., so theoretically everyone could focus on their one area and be done with it. A network pentester doesn't need to know about DRP, but having your entire security team know about all of the areas of security doesn't hurt. The CISSP doesn't make anyone an expert in any field; I see it as a general security management cert, so if you want your entire security team to understand all the aspects of security, you have them learn and get a CISSP. That's the real why.
  • analyst Member Posts: 48
    BlackBeret wrote: »
    I agree those are the people that need it. The problem comes in with companies wanting more and more security personnel, and wanting them to be able to do more things. Where I work pen-testers are required to have a CISSP, as well as a lot of other personnel. They're not managing anyone or in charge of the programs, but they should know about all of the areas security touches. We have different people for pen-testing, policy reviews, basic assessments, etc., so theoretically everyone could focus on their one area and be done with it. A network pentester doesn't need to know about DRP, but having your entire security team know about all of the areas of security doesn't hurt. The CISSP doesn't make anyone an expert in any field; I see it as a general security management cert, so if you want your entire security team to understand all the aspects of security, you have them learn and get a CISSP. That's the real why.

    I agree with you. Sounds to me like there's a real disconnect between what ISC2 thinks the CISSP is and what people who've taken the CISSP and passed think it is.
  • impelse Member Posts: 1,237
    Agree, HR's fault.
    Stop RDP Brute Force Attack with our RDP Firewall : http://www.thehost1.com
    It is your personal IPS to stop the attack.

  • eSenpai Member Posts: 65
    Expect wrote: »
    Definitely fits perfectly for high-level managers.
    CISSP is by far the most over-rated certification in the market. By completing it myself I realized how true that is.

    *Incoming wall of text*

    I think that many times people miss the point of tests in general and thus the point of passing certification tests specifically. This is not limited to just the CISSP but all certification discussions where relative worth is being dissected. The point of the certification is not to prove you passed a test...it is to prove that you studied enough, know enough and/or have enough experience about a given topic to be considered proficient...which in turn allows you to pass a test. As with most things human, we deconstruct that down to "I have to pass the test!" and this becomes the sole focus, but the value to the person who is relying on your knowledge is not that you passed the test but that you have enough exposure and knowledge such that you could indeed pass the test. The acquiring of the certification is just an attempt to make discerning this point easily digestible for the layperson, but the value is not in passing the test...the value is in your studying, exposure and prior immersion in the field.

    Most people agree that someone calling themselves a surgeon should have certain training, but did you know that a general surgeon does not have to pass a hands-on/practical type of exam?? They are all either multiple choice or oral. (See for yourself.) I bring this up because people like to point to the OSCP or RHCE type of exams as the DEFINITIVE way you should test for IT types of knowledge, when this could not be further from the truth for general topics. The OSCP, RHCE, CCNP/IE type of tests are extremely good at testing for specific knowledge and application thereof but, as with specialties in surgery, these specialties can be tested via hands-on practicals; however, you generally don't start there. You start in the general topic and move to the specialty. Thus to say the CISSP is overrated is missing the point, where the point is to have an across-the-board way to measure relative security experience and knowledge at the general level vs. the specialty. Security is not just pen testing. It is not just vulnerability management. It is not just hardening, perimeter establishment (don't get me started on this), intrusion detection or risk management. Security encompasses a multitude of things. I certainly don't want an OSCP doing risk management, and he/she most likely does not want to be involved in all that paper pushing as well. However, I absolutely do want someone with a varied background overseeing my security program because that person can speak in the multiple languages of the silos doing the actual security work.

    To the OP's point, which went from avoiding this argument to jumping right back into it at the end, many HR departments do indeed use government ratings for base level skills that should be included in their own job descriptions. More importantly, you have peer-to-peer reviews going on and this is how the required certs get passed from company to company like wildfire. Corporation B constantly checks on Corporation A because they covet their market share. Thus when Corporation A makes the jump to require Certification X then Corporation B will as well. This is no different than in most human activities where we copy those perceived as best in class; a fact any football or basketball fan will tell you is the same for sports.
    Working On:
    2018 - ITIL(SO, SS, SD, ST, CSI), Linux
    2019 - ITIL MALC, AWS Architect, CCSP, LPI-2, TOGAF
  • paul78 Member Posts: 3,016
    IMO - the CISSP is a decent baseline infosec certification which can aid an individual. But like all certifications, no one really "needs" it. For me personally, I did get a CISSP primarily because of my own curiosity around certifications - I had never held any certifications before. I enjoyed the structured learning process and for that reason, I found obtaining the certification valuable. Additionally, it was a nice self-confidence boost to have accomplished the objective.

    The CISSP itself doesn't do anything for my own career development other than to show my interest in infosec.

    The value of certifications at an employer varies. I work for a Fortune 500 corporation and even among the various line-of-business and corporate functions, there are different ideas about certifications. The line-of-business security officers (there are about a dozen) who are accountable for infosec in their business areas are all highly seasoned IT professionals who have 15+ years of infosec and general IT experience. Many do not hold any certifications. Infosec officers at my employer are required to be senior technology managers.

    Recently, we did have a dialogue about whether it made sense to have some kind of basic industry baseline certification. The reasoning wasn't so much about qualifications but related primarily to being able to demonstrate diligence around infosec officer appointments for our regulators and customers.

    Even when I've discussed the concept of certifications among my peers in the industry, it was interesting to hear how others handle infosec certifications. I recall at an industry roundtable about 2 years ago, we chatted about the value of ISC2, ISACA, and IAPP certifications in particular. Many of the group thought that certifications are here to stay and that the industry looks to them primarily as baseline evidence of qualifications.
  • lsud00d Member Posts: 1,571
    I'm looking at CISSP as my next cert since I've largely achieved most of what I need to in the technical realm (for the time being). My 5-year plan is to go into independent consulting in security, and CISSP is one of those certs that people on the outside will give instant credence to, simply because it is becoming an industry 'standard'. It's a bit of showboating/peacocking, but when you're selling yourself you need certain certs to help sell yourself.
  • thehayn1 Member Posts: 46
    Paul78 nailed it; it basically comes down to the employer. Instead of using NICCS I would just look through LinkedIn or TheLadders or Indeed and you'll see that almost EVERY Infosec job that pays over $100K requires either CISSP or CISM (in conjunction with a BA, or MS/MBA preferred). I assume it's because if you get someone in with an MBA and a CISSP, it is safe to assume that they know enough about IT itself and have enough business acumen to correlate how IT, Infosec, and business all work together to other executives who are mainly just concerned with profit margins and productivity.
  • renacido Member Posts: 387
    I agree with what Paul78 wrote, and agree that no one "needs" any certification. I have had a great career in infosec for 9 years without CISSP (experience and proven ability trump all), and recently took it as a means of filling in a few knowledge gaps and because I'm bringing my junior security analysts through a development roadmap, so I thought I should "eat my own dog food" first.

    The reason I started this thread is that the CISSP is really targeted at a few infosec management roles, but on this forum it gets treated at various times like an entry-level exam equivalent to Sec+, or a cert needed to get your first job in infosec, or a worthless exercise that is a means to an end of getting past the HR filter.
  • E Double U Member Posts: 1,766
    When I was in the SOC I noticed the manager, team lead, and a few 3rd level engineers had it. When I started doing bank security the CISO had it. When I saw the CISO was looking for a VP with CISSP and the pay was six figures, I wanted to have it. Having an employer that pays for training and reimburses for books/exams makes me think I would be a fool to not take advantage.
    Alphabet soup: CISSP, CCSP, CISM, CISA, GDSA, GPEN, GCIA, GCIH, GCCC, CEH, Azure Fundamentals, Azure Security Engineer Associate, ITIL 4 Foundation, and more.

    2020 goals: AZ-900, AZ-500, GDSA, ITILv4

    "You tried your best and you failed miserably. The lesson is, never try." - Homer Simpson
  • paul78 Member Posts: 3,016
    E Double U wrote: »
    Having an employer that pays for training and reimburses ....
    Those are certainly nice benefits which hopefully everyone takes advantage of... Good luck in your studies. One comment I wanted to make - which I'm sure you realize - many people confuse the cause and effect of certifications like CISSP.
    impelse wrote:
    Agree, HR's fault.
    I'm not sure that I completely agree. One of the things that makes certifications like CISSP helpful to a prospective employer is that it makes the hiring process more efficient. For a busy hiring manager, it is a convenient way to describe the minimum baseline knowledge of a candidate. And it's usually not HR that sets those requirements, at least not in any company that I've worked for.
  • NetworkNewb Member Posts: 3,298
    Yeah, I wouldn't blame HR at all... It's the hiring manager's fault. HR doesn't fill out the whole job description. Plus HR isn't choosing the person who actually gets hired.
  • lsud00d Member Posts: 1,571
    Plus HR isn't choosing the person who actually gets hired.

    Unfortunately I see this happen more often than it should.
  • nelson8403 Member Posts: 220
    I'm not sure anyone really needs it; however, when hiring for a new manager or director level position, having that piece of paper be the filter does help get higher quality candidates, even though there may be some that slip through. However, if you've spent 600 on the cert you're usually focused on the field and have experience in it.
    Bachelor of Science, IT Security
    Master of Science, Information Security and Assurance

    CCIE Security Progress: Written Pass (06/2016), 1st Lab Attempt (11/2016)
  • Mike-Mike Member Posts: 1,860
    Expect wrote: »
    CISSP is by far the most over-rated certification in the market. By completing it myself I realized how true that is.


    I don't have the CISSP, so I may not be qualified to comment here, but I have a hard time accepting it was more overrated than C|EH.
    Currently Working On

    CWTS, then WireShark
  • renacido Member Posts: 387
    I actually liked the content of CEH and after I got mine I put it in the development plan for our analysts. It's not advanced pentesting but it's a solid start and may be perfect for someone doing vulnerability assessment and internal pentesting. I don't really want someone dicking around on my production network with a python shell at least not without inspecting their code like we'd inspect anything else in production. Just my thoughts.
  • beads Senior Member Posts: 1,511
    I have raised this question numerous times over the years - in particular the role of (ISC)2 and certification inflation. Won't even bother to put into quotes as there is nothing quasi or questionable about the statement.

    Roughly three months ago I saw a resume that listed their current position as an administrative assistant (secretary) with a newly minted CISSP complete with certification number. That was easy enough to look up. Yep! There this person was listed as a CISSP in good standing. Hardly the C-suite in waiting.

    Another post on this board, probably in IT Jobs/Careers made mention of an Adult Education class on the CISSP with "Professor Gibson". Does this sound like a Senior level course, let alone certification?

    The blame really belongs with the (ISC)2 and the membership at large for not policing itself or its own policies. HR doesn't know anything about certifications outside of comp tables, SHRM, GPHR and CEBS - the HR certs - and what hiring managers tell them. In order to be awarded the CISSP you need to both pass the light touch of the application by the (ISC)2 and a sign-off by a current member in good standing. Obviously, we have failed on both and are paying the price for our arrogance.

    -b/eads
  • YouWill787 Member Posts: 20
    I understand there's a lot of discussion about lower level career individuals obtaining their CISSP certification and how that devalues the certification in general for everyone else. I recall reading a post recently that basically stated if you're low level, don't get your CISSP, this certification is not for you. But then I read another post on another thread by the same individual that stated a lot of employers are requiring a CISSP for just a lower-end $50k-$60k role. This seems contradictory to me. I feel like it's out of anyone's hands for a lot of people what the employment landscape is deeming as necessary to advance. That may not be what ISC2 or anyone else intended, but it is what it is. If you don't take the test and pass, someone else will - and unfortunately they will be the one who gets the interview and likely the job (because HR, or because the Hiring Manager, or because the CEO likes the term CISSP and presses to find new associates with that certification, whatever the reason doesn't really matter). So, I think a lot of people are faced with this decision and that's part of what is driving so many lower-level professionals in working to obtain the CISSP specifically in the Information Security field.

    In my opinion and from my experience, being successful in your career often requires a fine balancing act across multiple aspects: who you know, what you know, what your credentials are. Being fairly young I can say that I've had to shape my goals around a variety of obstacles. For instance, it seems that Bachelor's degrees are a dime a dozen and student loan dues are ridiculously high, so much so that many of my peers have gone immediately for their Master's to avoid the repayment for a bit longer/to make themselves stand out from stacks of resumes where people aren't really people as much as they are a profile number in a database. I want my Master's eventually, but in my opinion a Master's should complement your experience and is something that I would feel best to pursue later on in my career.

    I guess what I'm trying to say is that what you need to stand out in order to follow the career path that you'd like to follow is getting increasingly more difficult. If I were an entry-level security professional and I wanted a better job, obtaining the CISSP may not get me a senior level position but it will probably put my resume at the top of the stack for the lower level positions and if it's a better/higher paying/more opportunistic role, then you have to do what you have to do in my opinion. Even though I may have experience, and education, and work ethic, and noted accomplishments - I may still find myself not getting called back. I don't know who exactly is to blame for this, but unfortunately for the industry, these things are what lots of employers/HR professionals want to see and that's often what gets you the job or at least gives you the opportunity to interview for the job.

    I understand that the CISSP exam is very management-based and sculpted for a broader-experienced professional but, the Shon Harris AIO was an in-depth encyclopedia of security information and for me, reading that material provided me with a wealth of knowledge that was extremely beneficial to my position at work, no matter whether I was a first-year newbie or more experienced.
  • beads Senior Member Posts: 1,511
    YouWill787 wrote: »
    I understand there's a lot of discussion about lower level career individuals obtaining their CISSP certification and how that devalues the certification in general for everyone else. I recall reading a post recently that basically stated if you're low level, don't get your CISSP, this certification is not for you. But then I read another post on another thread by the same individual that stated a lot of employers are requiring a CISSP for just a lower-end $50k-$60k role. This seems contradictory to me. I feel like it's out of anyone's hands for a lot of people what the employment landscape is deeming as necessary to advance. That may not be what ISC2 or anyone else intended, but it is what it is. If you don't take the test and pass, someone else will - and unfortunately they will be the one who gets the interview and likely the job (because HR, or because the Hiring Manager, or because the CEO likes the term CISSP and presses to find new associates with that certification, whatever the reason doesn't really matter). So, I think a lot of people are faced with this decision and that's part of what is driving so many lower-level professionals in working to obtain the CISSP specifically in the Information Security field.

    In my opinion and from my experience, being successful in your career often requires a fine balancing act across multiple aspects: who you know, what you know, what your credentials are. Being fairly young I can say that I've had to shape my goals around a variety of obstacles. For instance, it seems that Bachelor's degrees are a dime a dozen and student loan dues are ridiculously high, so much so that many of my peers have gone immediately for their Master's to avoid the repayment for a bit longer/to make themselves stand out from stacks of resumes where people aren't really people as much as they are a profile number in a database. I want my Master's eventually, but in my opinion a Master's should complement your experience and is something that I would feel best to pursue later on in my career.

    I guess what I'm trying to say is that what you need to stand out in order to follow the career path that you'd like to follow is getting increasingly more difficult. If I were an entry-level security professional and I wanted a better job, obtaining the CISSP may not get me a senior level position but it will probably put my resume at the top of the stack for the lower level positions and if it's a better/higher paying/more opportunistic role, then you have to do what you have to do in my opinion. Even though I may have experience, and education, and work ethic, and noted accomplishments - I may still find myself not getting called back. I don't know who exactly is to blame for this, but unfortunately for the industry, these things are what lots of employers/HR professionals want to see and that's often what gets you the job or at least gives you the opportunity to interview for the job.

    I understand that the CISSP exam is very management-based and sculpted for a broader-experienced professional but, the Shon Harris AIO was an in-depth encyclopedia of security information and for me, reading that material provided me with a wealth of knowledge that was extremely beneficial to my position at work, no matter whether I was a first-year newbie or more experienced.

    Your statement above is all well and good for the most part save the following: First, you need 5 years of experience to sit for the exam as intended. Second, you're completely skipping over the ethical considerations you state and many others have repeatedly glossed over as the means to an end. "Take the exam regardless of whether I qualify" types of arguments.

    Lastly, I haven't seen these mysterious 50-60k entry level jobs advertised out there. I have been badgered by well meaning, generally brand-spankin'-new recruiters who think I'd "be perfect" for some entry level helpdesk job with "all those certifications..." I think this argument is a bit overplayed and frankly trite to the point of being meaningless.

    Seen clueless employers want CCIEs for 50-60k as well. How many positions like that were ever filled? The exam has become the new Security+ and has become more worthwhile to those who do not have it than to those who do. Not worthless, but if you continue to market the exam as the baseline of security and stock it full of ethically questionable examinees, you're going to end up with an exam not worth the paper it's printed on, and that helps no one.

    So by all means, YouWill787, pass the exam and have your CISSP buddy sign off on it. You'll be a fine addition to the unethical club known as the (ISC)2 CISSP.

    - b/eads
  • YouWill787 Member Posts: 20
    beads wrote: »
    Your statement above is all well and good for the most part save the following: First, you need 5 years of experience to sit for the exam as intended. Second, you're completely skipping over the ethical considerations you state and many others have repeatedly glossed over as the means to an end. "Take the exam regardless of whether I qualify" types of arguments.

    Lastly, I haven't seen these mysterious 50-60k entry level jobs advertised out there. I have been badgered by well meaning, generally brand-spankin'-new recruiters who think I'd "be perfect" for some entry level helpdesk job with "all those certifications..." I think this argument is a bit overplayed and frankly trite to the point of being meaningless.

    Seen clueless employers want CCIEs for 50-60k as well. How many positions like that were ever filled? The exam has become the new Security+ and has become more worthwhile to those who do not have it than to those who do. Not worthless, but if you continue to market the exam as the baseline of security and stock it full of ethically questionable examinees, you're going to end up with an exam not worth the paper it's printed on, and that helps no one.

    So by all means, YouWill787, pass the exam and have your CISSP buddy sign off on it. You'll be a fine addition to the unethical club known as the (ISC)2 CISSP.

    - b/eads

    I'm just pointing out what I've seen from my perspective.

    I'd like to clarify a couple of things from my post. First, I don't at all condone anyone taking the CISSP without fulfilling the requirements. I should have mentioned that I was asserting an ethical stance in all my rambling. If the requirements aren't fulfilled I think it's totally great to go for the Associate and then get the required experience. When I say low-level I am meaning low in the sense of CISSP standards, i.e. having the experience as required by ISC2 for the CISSP but not to the level that one would generally consider senior or even mid-level. Someone could have a degree and 2 years of experience here and 2 years of experience there and not be what many would consider in a position to "need" the CISSP.

    Also, my instances were hypothetical. I said I could be this or I could be that and did not mean to leave any confusion as to that being a scenario and not indicative of myself personally. I, entirely referring to myself, would not take the CISSP if I did not fulfill the requirements as set by ISC2. When I started in Information Security I read the AIO and it helped me tremendously in my early career stages. I found that I grasped higher-level concepts that my peers did not. That said, I didn't believe the CISSP to be the cream of the crop and knew that I needed real technical skills as well.

    I also wonder how many job descriptions for low level positions asking for CISSP (or others) as a requirement or as desired are actually ever filled. I can see that from the employer's point of view: of course they want a CISSP (or CCIE) - doesn't mean they're ever going to get one.

    Thanks for your contribution beads but I feel like sometimes you jump to some conclusions in order to get your points across. This is a forum and it wouldn't be very helpful if no one ever got involved in conversations. However, it also wouldn't be as entertaining if no one ever argued. :)
  • YouWill787 Member Posts: 20
    I also wanted to comment on the OP's link.

    I really like this NICCS Framework. I wish that they also made the job titles clickable so that it would be possible to organize all the information based on those. There's a ton of meaningful info in here. I'm bookmarking this for a reference in my career development. My manager has brought this up before as I recall and I think passed it up the chain as a good reference for what different positions should have as options when funds for training come around. Unfortunately I can't speak of much beyond that.
  • renacido Member Posts: 387
    Not only do a LOT of security positions that "require CISSP" go unfilled because they can't find someone well qualified at the pay level they offer, but many times positions at this level are filled by guys like me with no CISSP but loads of experience. Point is, it's the level of knowledge and experience that is worth the 6 figure salary, the CISSP is just used to try to determine where to start the interviews.
  • diggitle Member Posts: 118
    I'm working on my CISSP now. That's my $0.02 heheheh
    c colon i net pub dubdubdub root
  • ITHokie GXPN | GPEN | GCIH | GPYC | CISSP | CEH | MCSE | CCNA | Others Member Posts: 158
    Expect wrote: »
    Definitely fits perfectly for high-level managers.
    CISSP is by far the most over-rated certification in the market. By completing it myself I realized how true that is.

    Yep and yep.
  • Cyberscum Member Posts: 795
    Well, like anything else it all depends on how much you want out of it. I know plenty of people that complete certificates and degrees with no intention of learning squat.

    I would expect individuals with the CISSP to operate at a level of competence commensurate with the certificate, which is not always the case. You will always have people that just want to squeak by, but in the end they finish last.

    If security is what really drives you it will show with or without certs.
  • beads Senior Member Posts: 1,511
    @YouWill787;

    Your arguments themselves are a compilation of second-hand observation and speculation, neither of which you clarified. So my interpretation is that you're falling in line with the numerous others who think passing the exam is the means to a just end; it's not. If you live in a large metropolis, do yourself a favor and go to a local security practitioner meeting and listen to the stories of people trying to break into the field. Those, and the already-in-the-field, working types who will tell you they lied like a rug to get their certs done. Now apply that over many years of conversations and you'll begin to feel my frustration. I am of the firm belief most recent CISSP holders have obtained the credential fraudulently.

    Don't make assumptions or was that presumptions?

    - b/eads
  • renacido Member Posts: 387
    Beads,

    I've learned very quickly there's no benefit to being the Don Quijote of certification integrity here on this forum. As long as CISSP is marketed as a requirement to work in infosec and as the golden ticket to a 6-figure salary, some people will get it any way they can.

    What it means for us who interview and hire CISSP-certified applicants for security positions is that we will have to give a more challenging interview and use behavioral interviewing techniques to weed out the fakes.
  • GoodBishop Member Posts: 359
    As a side note, I love this thread.

    Really, you see jobs nowadays that have "CISSP or CISM or CISA required". Show me someone who has experience and has the skillset (and is personable, a good communicator, fits the culture, and a whole bunch of other stuff), and I would say that outweighs the cert.

    I view having the CISSP just as a baseline that this person more likely than not has a decent understanding of the 12 domains, and has had the 5 years of experience (really, 4 years and any degree...). You also have to look at motive. Do people get the CISSP because they are required to? Or do they get it because they are interested in the material and want to keep learning. Or do they get it because they want to get xyz security job and then once they get it, that's it.

    I can tell you that having just the CISSP and little experience doesn't amount to a hill of beans. And don't call me Shirley.

    I kind of want to expand on the frustration that beads has for the people who braindump and devalue the cert. Yeah, I get that. Back in the day (man, I feel like an old timer), I busted my butt for weeks and got it back in 2007. Been maintaining it through CPEs ever since. You just have to see it as it is - one data point on a person to show that they have some ability in the 12 domains. They might have braindumped. They might not have. Is braindumping devaluing the cert? Sure. But there should be some experience requirement, and audit. When I got mine, I was audited.

    Even if they do have it, is it the be-all end-all certification to end all certifications? Naaaah. Just a reference on if they know their stuff in general or not.

    As a side note, we're not the only industry who has to deal with this. Take a look at the ABIM - I know a lot of doctors and they are really frustrated at their board certification organization due to all of the ethical and financial mismanagement. Fascinating stuff, really, especially the government tie in, the fact that they are a monopoly, and the recent articles about their financial statements.
  • eSenpai Member Posts: 65
    renacido wrote: »
    Beads,

    ...the Don Quijote of certification integrity here on this forum...

    That's gold. Lol.

    The topics of "To certify or not to certify", "Is it really worth anything?" or "Does it mean anything if everyone has one?" are frequently brought up by those that don't have them. As someone else stated on these forums somewhere, "This means a lot more to those that don't have them than to those that do." Stated differently, anybody who has the experience but has not gotten certified, yet goes to the "internet" to complain about those that did certify, is simply wasting time. The people who are getting certified are simply responding to the job market, and even though some of us do control little pockets of the job market here and there, we do not control all of it. I would advise anyone questioning whether to certify or not (or a cert's relative value) to breathe deeply and just get certified already. By holding out on the certification you just hurt yourself in the long run. That's not to say you should get ALL of them, but that is to say that one should research for the preeminent one which doesn't conflict with any personal values/issues and just do it already. If the non-certified person is as experienced and as smart as they say they are, then the test should be a breeze. When/if another cert takes over as the preferred one on the job boards, then just get that one too. It is less time to get the cert than to spit in the wind wondering or arguing why you should or should not.
    Working On:
    2018 - ITIL(SO, SS, SD, ST, CSI), Linux
    2019 - ITIL MALC, AWS Architect, CCSP, LPI-2, TOGAF