Who REALLY needs a CISSP?


Comments

  • eSenpai Member Posts: 65 ■■□□□□□□□□
    renacido wrote: »
    I actually liked the content of CEH and after I got mine I put it in the development plan for our analysts. It's not advanced pentesting but it's a solid start and may be perfect for someone doing vulnerability assessment and internal pentesting. I don't really want someone dicking around on my production network with a python shell at least not without inspecting their code like we'd inspect anything else in production. Just my thoughts.

    *Not here to argue. Just to give my experiences. No offense to any CEH is intended*

    I had the exact opposite experience. I had an opportunity to take the classes for all of the EC-Council products (have all the class completion certificates to show for it) and came away extremely unimpressed. I was so unimpressed that I pulled every request for them in our group and said they would no longer be reimbursed. Was that decision partially colored by the way I was treated during that time by EC-Council? Yes. However, the shabby treatment was simply an additional reason vs the straw which broke the camel. At the time, most of the requests were for CEH on the security side and for me that class turned out to be nothing more than a listing of tools. On the other hand, I have made Sec+ mandatory, and paid, across the board. I personally feel there is more actual learning and bang for the buck in the Sec+ than the CEH...other than the fact that the latter has the much cooler name.
    Working On:
    2018 - ITIL(SO, SS, SD, ST, CSI), Linux
    2019 - ITIL MALC, AWS Architect, CCSP, LPI-2, TOGAF
  • renacido Member Posts: 387 ■■■■□□□□□□
    eSenpai wrote: »
    That's gold. Lol.

    The topics of "To certify or not to certify", "Is it really worth anything?" or "Does it mean anything if everyone has one?" are frequently brought up by those that don't have them. As someone else stated on these forums somewhere, "This means a lot more to those that don't have them than to those that do." Stated differently, anybody who has the experience but has not gotten certified, yet goes to the "internet" to complain about those that did certify, is simply wasting time. The people who are getting certified are simply responding to the job market and even though some of us do control little pockets of the job market here and there, we do not control all of it. I would advise anyone questioning whether to certify or not (or a cert's relative value) to breathe deeply and just get certified already. By holding out on the certification you just hurt yourself in the long run. That's not to say you should get ALL of them but that is to say that one should research for the preeminent one which doesn't conflict with any personal values/issues and just do it already. If the non-certified person is as experienced and as smart as they say they are then the test should be a breeze. When/if another cert takes over as the preferred one on the job boards then just get that one too. It is less time to get the cert than to spit in the wind wondering or arguing why you should or should not.

    Yeah...I know. Unless I was high on 2nd-hand crack when I walked out of the exam room a month ago, I'll get good news from ISC2 on Friday and have my "entry level" CISSP plaque on my love-me wall soon after.

    My beef is not at all with people getting certified who genuinely and honestly meet the qualifications, regardless of what their role in IT is. And I am fully aware that a cert is just one of what should be many factors to qualify job applicants, and that no one puts a gun to my head and says "I'm a CISSP therefore you must hire me regardless of how hard I sucked in the interviews".

    My issue is that many HR recruiters and hiring managers don't seem to know or care that CISSP is targeted at specific infosec roles, and it should not be a barrier to entry for most security jobs, but it is too often believed to be a must-have barrier-to-entry cert.

    When a cert that requires a minimum 4 years of experience is considered necessary to get an entry-level position, and at the same time it is marketed as the de facto qualification for a 6-figure salary position, it becomes very likely there are dubiously certified folks who are either ill-suited to take on highly technical, hands-on roles where they need deep technical knowledge not broad managerial knowledge, or, far worse, who end up in mid/senior level positions where they're way out of their depth and don't have the real-world experience to perform as needed.

    But as I said earlier, no upside to moralizing over it, people will do what they will, especially when money is involved. You can't stop a train, you either get on it or get out of the way.
  • renacido Member Posts: 387 ■■■■□□□□□□
    eSenpai wrote: »
    *Not here to argue. Just to give my experiences. No offense to any CEH is intended*

    I had the exact opposite experience. I had an opportunity to take the classes for all of the EC-Council products (have all the class completion certificates to show for it) and came away extremely unimpressed. I was so unimpressed that I pulled every request for them in our group and said they would no longer be reimbursed. Was that decision partially colored by the way I was treated during that time by EC-Council? Yes. However, the shabby treatment was simply an additional reason vs the straw which broke the camel. At the time, most of the requests were for CEH on the security side and for me that class turned out to be nothing more than a listing of tools. On the other hand, I have made Sec+ mandatory, and paid, across the board. I personally feel there is more actual learning and bang for the buck in the Sec+ than the CEH...other than the fact that the latter has the much cooler name.

    Whoa. Dang. Is it possible it was the instructors not the curriculum that sucked so bad? Are you able to share who the training provider was so I can avoid sending my analysts through there?

    I have read several complaints that C|EH is just a class on some outdated tools, but to me that is a failure to see the forest through the trees. A tool is just a tool. It's understanding how and why it works for the objective at hand, and how that progresses an attacker toward the goal and how it impacts CIA of the victim. If you understand why you need to gather intelligence, recon, enumerate, fingerprint, etc, and you understand how that works with TCP/IP, UDP, etc., then it's Backtrack vs Kali, NMAP vs Core Impact, Nessus vs Retina, Metasploit vs Core Insight, it's Coke vs Pepsi, a tool is just a tool.

    Just my thoughts...would be interested in your appraisal of E|CSA because GSEC>GCIA>GCIH might be doable, price of the SANS certs is an obstacle unfortunately.

    Sec+ is a great entry-level cert and I put it before C|EH in our professional development roadmap. I selected C|EH mostly to make my guys more savvy with vulnerability management, internal security audit/pentesting, intrusion analysis, and threat assessment. We're enterprise security, not a tiger team. OSCP is on my radar but it is beyond the scope of what we need for the time being, GSEC+GPEN would be a good fit but didn't fit into our training budget this year. C|EH so far seems like it's in the Goldilocks zone for what is in our scope of responsibility.

    Good discussion, I appreciate your insights.
  • renacido Member Posts: 387 ■■■■□□□□□□
    I'll also mention my team has a subscription to Hacker Academy, which has online courses and labs for ethical hacking, pentesting, forensics, reverse engineering, etc. It doesn't give you more alphabet soup for your resume but it's cost-efficient and flexible. The value of training ought to be skill acquisition, whoops can I say that on this board? Blasphemy!
  • eSenpai Member Posts: 65 ■■□□□□□□□□
    I was just looking into them. Good to know someone else sees, and has experienced, value with them. I might just take the plunge now.
  • eSenpai Member Posts: 65 ■■□□□□□□□□
    renacido wrote: »
    Whoa. Dang. Is it possible it was the instructors not the curriculum that sucked so bad? Are you able to share who the training provider was so I can avoid sending my analysts through there?

    Good catch. It is indeed entirely possible that the instructors were terrible and that is a point which I neglected to add in my earlier review. I am relatively new here so I would prefer not to start off by bashing vendors publicly which have otherwise treated me well. This is especially true since the rest (most) of the training that was bundled was much better than expected (it was a new medium for us). In hindsight, my perceptions could also be a result of that particular fact. Meaning that my expectations were set pretty high at the time since the video training prior to that proved very useful across all teams but fell noticeably off with the EC-Council stuff because it was indeed all outdated. When EC finally got back to me, they basically confirmed the video material was "appropriate" along with trying to sell me $$$ hacking tool-sets of stuff that was freely available on the web.

    Disclosure: I had credits with the parent vendor due to a rather substantial hardware purchase and used those to obtain video training seats which were a relatively new medium for us at the time. On the whole, this proved very popular with the teams and got quite a few well on the way to their relative certifications. It should be noted that we had used the training arm of this vendor previously for both classroom and on-site training so I assumed their video training would be, at worst, slightly less quality than the classroom. In the end, I discovered that they were repackaging another company's video product and that is how I ended up ultimately contacting EC directly. I don't follow them so EC-Council may have indeed updated all of their training materials and pushed those updates downstream by the time your team hit it. All I have to go on is what I experienced in the 2013 time frame. I do know that my vendor seems to have removed EC-Council from their training bundles but I have no idea why that occurred.
  • eSenpai Member Posts: 65 ■■□□□□□□□□
    renacido wrote: »
    ...A tool is just a tool. It's understanding how and why it works for the objective at hand, and how that progresses an attacker toward the goal and how it impacts CIA of the victim. If you understand why you need to gather intelligence, recon, enumerate, fingerprint, etc, and you understand how that works with TCP/IP, UDP, etc., then it's Backtrack vs Kali, NMAP vs Core Impact, Nessus vs Retina, Metasploit vs Core Insight, it's Coke vs Pepsi, a tool is just a tool.

    Agreed...a tool is a tool and exposure to both sides of the fence is very important. I already had them running elementary red vs blue drills due to most of them never having explored the dark side and that is indeed a huge hole in any security person's education.
    renacido wrote: »
    Just my thoughts...would be interested in your appraisal of E|CSA because GSEC>GCIA>GCIH might be doable, price of the SANS certs is an obstacle unfortunately.

    Whenever this comes up, I just mainly get jealous of anyone with the budget to send entire teams through SANS training. LOL.

    I already feel like I am bashing EC-Council when my only intent was to relate my personal experiences when dealing with them so I will simply say that I am unaware if they finally updated this program, along with the others, since my peek into them back in 2013. However, I have no actual insight into the current state of the program. Having said that, there are very few things out there better than SANS training IMHO. SANS is just abominably expensive unless you can do the work-study thing.
  • eSenpai Member Posts: 65 ■■□□□□□□□□
    renacido wrote: »
    Sec+ is a great entry-level cert and I put it before C|EH in our professional development roadmap. I selected C|EH mostly to make my guys more savvy with vulnerability management, internal security audit/pentesting, intrusion analysis, and threat assessment. We're enterprise security, not a tiger team. OSCP is on my radar but it is beyond the scope of what we need for the time being, GSEC+GPEN would be a good fit but didn't fit into our training budget this year.

    You bring up something which I find very interesting in security these days and one which I struggle with from a planning perspective.
    Is pentesting important? Yes. Yes, it is indeed important. Should I make this an in-house ability???
    Since I come from an enterprise background where I reported to the CFO for years, I generally lean toward pentesting being very similar to auditing. Sure, you can create your own auditing department but invariably the only audit that matters is the external one done by a 3rd party. That was my CFO's take on it and I seem to have conflated that with pentesting. Having a team that can do pentesting would be great but ultimately it feels awfully close to home for me when what I really want, at the end of the day, is an independent assessment. Combine that with the facts that the perimeter keeps shifting; that we internally assume that we know how/where it has shifted to/from, and I once again think I need an independent & untainted set of eyes peering into the blind spots we have from being so close to it as the better pentest. This latter point means that the budget dollars would have greater value when spent on said 3rd party vs in-house staff.
  • renacido Member Posts: 387 ■■■■□□□□□□
    eSenpai wrote: »
    You bring up something which I find very interesting in security these days and one which I struggle with from a planning perspective.
    Is pentesting important? Yes. Yes, it is indeed important. Should I make this an in-house ability???
    Since I come from an enterprise background where I reported to the CFO for years, I generally lean toward pentesting being very similar to auditing. Sure, you can create your own auditing department but invariably the only audit that matters is the external one done by a 3rd party. That was my CFO's take on it and I seem to have conflated that with pentesting. Having a team that can do pentesting would be great but ultimately it feels awfully close to home for me when what I really want, at the end of the day, is an independent assessment. Combine that with the facts that the perimeter keeps shifting; that we internally assume that we know how/where it has shifted to/from, and I once again think I need an independent & untainted set of eyes peering into the blind spots we have from being so close to it as the better pentest. This latter point means that the budget dollars would have greater value when spent on said 3rd party vs in-house staff.

    Our board of directors arranges a 3rd-party (black box) pentest of our network annually (we don't know when they are coming until we get their report afterward) and my team does regular security auditing, vulnerability scanning and pentesting on a routine basis.

    I think both are important. When given the proper latitude, a 3rd-party pentest can reveal things that would otherwise be blind spots...often physical security issues, users with very bad security habits, users falling hook-line-sinker for social engineering plays, boundary network devices with bad configs/ACLs that haven't been properly audited because they're in some remote little field office with a staff of 5 that the IT department assumes plays Battlefield all day...or systems not properly patched that slip through the cracks of the vulnerability management process...you pretty much always get some good actionable info.

    Internal vulnerability assessment, auditing, inspection, and pentesting are very important too IMO. A 3rd-party pentest will expose one or a few attack paths and usually just an equal number of exploitable vulnerabilities. With routine internal assessment and testing, done well with the proper tools, you can minimize the attack surface, ID vulnerabilities, prioritize which ones to mitigate first based on the available exploits and available attack paths for those vulnerabilities, and harden the **** out of your network.

    We're not yet at the stage where we feel we need to develop our own custom exploit code for our internal pentesting, but I could see us doing that down the road in the future.
  • Matt2 Member Posts: 97 ■■□□□□□□□□
    Good discussion here. In the end I opted to get the CISSP for the same reason I chose to get the MCSE many moons ago. To show at some level I know what I'm doing, including getting past some of the HR requirements.

    I hope that the CISSP remains meaningful, is a challenge for people to take, and isn't cheapened further.
  • gphalpin Member Posts: 14 ■□□□□□□□□□
    Many IT and IT Security professionals need the CISSP or other security cert for federal/Department of Defense jobs, or positions with DoD contractors.

    The DoD Approved 8570 Baseline Certifications is a list of the certifications needed for different position levels. Contractors have to prove their IT pros have the required certs to obtain government contracts. So that's why so many positions require those certs. It's not up to HR. It's often a requirement to get a federal contract.

    I'm new to the DoD contractor world and hadn't heard of the CISSP until about a year ago. Everyone in my department is supposed to have one of the DoD approved certs so I decided to pursue the CISSP. I've been in IT for 15 years and am working on a master's degree in InfoSec so it fit with my studies and with my new job. Obtaining the CISSP has already helped me at work. I'm eligible to advance into positions that require the higher certs.

    Does the CISSP cert mean a person is an IT Security expert and can walk into any job? Of course not. There are a lot of people with all kinds of certs who can't do the work in the real world. If you have the cert, it really comes down to you are eligible for more opportunities.

    It may seem like getting the CISSP or other cert is BS. But so many things in life are BS and you just have to roll with it.

    And, honestly, after you take the test, you wonder what the big fuss was all about. Like others have said, it's a big deal if you don't have the CISSP and think you need it. But once you have it, you don't have to worry about it anymore.
  • John-John Member Posts: 33 ■■■□□□□□□□
    I am doing work for the DoD and see that the CASP fulfills a lot of those higher end requirements. However the CISSP has more cachet in the private sector, much more in fact, and if I stop doing stuff for the DoD then getting the CASP seems like a waste of time. If it is way easier than the CISSP then I will do it because I really don't want to waste money failing and I don't know if I can convince my employer that I really need it right now.
    Goals for 2019: CISSP[x] CCNA-SEC [x] CEH[x]
    Goals for 2020: OSCP [] eCPPT[] eNDP[]
  • renacido Member Posts: 387 ■■■■□□□□□□
    gphalpin wrote: »
    Many IT and IT Security professionals need the CISSP or other security cert for federal/Department of Defense jobs, or positions with DoD contractors.

    The DoD Approved 8570 Baseline Certifications is a list of the certifications needed for different position levels. Contractors have to prove their IT pros have the required certs to obtain government contracts. So that's why so many positions require those certs. It's not up to HR. It's often a requirement to get a federal contract.

    I'm new to the DoD contractor world and hadn't heard of the CISSP until about a year ago. Everyone in my department is supposed to have one of the DoD approved certs so I decided to pursue the CISSP. I've been in IT for 15 years and am working on a master's degree in InfoSec so it fit with my studies and with my new job. Obtaining the CISSP has already helped me at work. I'm eligible to advance into positions that require the higher certs.

    Does the CISSP cert mean a person is an IT Security expert and can walk into any job? Of course not. There are a lot of people with all kinds of certs who can't do the work in the real world. If you have the cert, it really comes down to you are eligible for more opportunities.

    It may seem like getting the CISSP or other cert is BS. But so many things in life are BS and you just have to roll with it.

    And, honestly, after you take the test, you wonder what the big fuss was all about. Like others have said, it's a big deal if you don't have the CISSP and think you need it. But once you have it, you don't have to worry about it anymore.

    I retired from the US Air Force in 2012 and according to 8570 I was in IAT-III and IAM-II/III positions requiring CISSP for my last 5 years in uniform. I was an ISSM and enterprise admin on DoD networks and was even the DAA-rep for an AF enclave, was the lead certifying official for a DIACAP accreditation of a network, and managed an IT dept in the Pentagon. And I just took the CISSP for the first time a month ago (awaiting results like everyone who took the new exam Apr 15 - May 21...long story but short version is Pearson Vue has a LOT of explaining to do). Moral of the story..."everything is waiverable"...and as you say certs are proof of nothing more than passing an exam.

    CASP, CISM, CISA, and GSLP are accepted for the positions that accept CISSP, but yeah they don't have the same marketability. As you say, it's not a big deal unless you don't have it. That's why I knocked it out (pending my f***ing results !!!)...*deep breath*.

    CISSP is the MacBook Pro of Infosec certs. Yes, there are suitable alternatives, and depending on the use case better and cheaper alternatives, but not with the same brand cachet.
  • !nf0s3cure Member Posts: 161 ■■□□□□□□□□
    CISSP is the MacBook Pro of Infosec certs. Yes, there are suitable alternatives, and depending on the use case better and cheaper alternatives, but not with the same brand cachet.

    Here we go again. CISSP MacBook Pro.....perhaps also call it Rambo..just kidding...but this argument does not hold weight at all, comparing it to a Notebook nah.

    DoD 8570 has been updated many times and every time they change wording from qualification or certification...they are still making up their mind....

    I can see you have a lot of experience but a little bit of OPSEC used in everyday life would go far ...my 2c.
  • renacido Member Posts: 387 ■■■■□□□□□□
    !nf0s3cure wrote: »
    CISSP is the MacBook Pro of Infosec certs. Yes, there are suitable alternatives, and depending on the use case better and cheaper alternatives, but not with the same brand cachet.

    Here we go again. CISSP MacBook Pro.....perhaps also call it Rambo..just kidding...but this argument does not hold weight at all, comparing it to a Notebook nah.

    DoD 8570 has been updated many times and every time they change wording from qualification or certification...they are still making up their mind....

    I can see you have a lot of experience but a little bit of OPSEC used in everyday life would go far ...my 2c.

    OPSEC for what? I really don't see your point. Nothing I've discussed on this board reveals anything remotely sensitive.

    If I'd said CISSP is the Coca-cola of certs, you'd get that I was not making a literal comparison between a certification and a soft drink, right?
  • !nf0s3cure Member Posts: 161 ■■□□□□□□□□
    renacido....

    calm down sunshine.....

    I said OPSEC in daily life and OPSEC does not have to relate to sensitive things......it is a way to keep things out of sight...it's a way to keep a low profile even after you have left your work....at least that is what I practice....

    If you are adamant to call CISSP the best and the greatest, then go the hardest....if that achieves anything for you..good luck to you.....enjoy your position on this issue.
  • renacido Member Posts: 387 ■■■■□□□□□□
    !nf0s3cure wrote: »
    renacido....

    calm down sunshine.....

    I said OPSEC in daily life and OPSEC does not have to relate to sensitive things......it is a way to keep things out of sight...it's a way to keep a low profile even after you have left your work....at least that is what I practice....

    If you are adamant to call CISSP the best and the greatest, then go the hardest....if that achieves anything for you..good luck to you.....enjoy your position on this issue.

    Meh... my position on this issue is I'm over it. I realized early into this that money talks. As long as good-paying jobs ask for CISSP, whether it fits the job description or not, people will do what they have to do to get their CISSP, whether they deserve it or not. Trying to change it is like trying to put toothpaste back in the tube.

    The key takeaway is this doesn't matter to anyone who has the cert, only to those who don't. So if you can't beat 'em, join 'em. Just go certify and move on. Hopefully I finally get my results today from my exam a month ago and soon after I'll have my de facto entry-level infosec cert and ne'er speak of CISSP here again.
  • renacido Member Posts: 387 ■■■■□□□□□□
    I just found out that I passed the CISSP exam, so barring a serious Charlie Foxtrot in my endorsement process I've got my plaque coming. And with that, I bid you all adieu.
  • beads Member Posts: 1,533 ■■■■■■■■■□
    Who needs the cert? Hard core, experienced computer security practitioners in senior level positions ("Engineers, Architects") and InfoSec Management. Other than that - Consultants.

    The rest are wasting their time looking for senior level positions when they aren't qualified.

    - b/eads
  • renacido Member Posts: 387 ■■■■□□□□□□
    beads wrote: »
    Who needs the cert? Hard core, experienced computer security practitioners in senior level positions ("Engineers, Architects") and InfoSec Management. Other than that - Consultants.

    The rest are wasting their time looking for senior level positions when they aren't qualified.

    - b/eads

    +10000000 thanks for keepin it real
  • eSenpai Member Posts: 65 ■■□□□□□□□□
    Meanwhile over in CCIE land....they are having a very similar discussion
    N2IT wrote: »
    I'm no network guru at all. I was wondering if you could explain something to me. How are people getting the CCIE with less than a year of experience or just right at a year? I was doing some LinkedIn reviewing and I noticed several CCIEs with very few years of networking, in fact one person had less than a year documented, their last job was medical related, nothing to do with IT or networking.

    Is it something you can power through if you are dedicated or have the resources ($) to pay for a course?

    dmarcisco wrote: »
    I'm not too sure now due to the changes made with the lab retakes. But I know people were dumping the lab as well. I read an article how in the Asia regions CCIEs went from being paid $65k which is considered high to $30k since everyone was dumping the exam. It only works out for Cisco partners to pay 30K for someone with that title just so they can get the discounts.

    This is the article:
    Cisco CCIE salaries in India have plunged -50%

    They have been having the same discussion in PMP & ISACA forums for years. I hear even the HR types have questioned their various certification menagerie and those that get them as career changers. Should we now bash all CCIE's??? I am sure those that have passed it would not think so but those that are thinking about taking it may now question it and continue the cycle of haves vs have-nots and the people in both groups who take the path of least resistance to the cert du jour.

    What is most distressing to me is those with the certifications bashing it from within. I believe our job is to hold [insert cert of choice] up to a higher standard by working to strengthen it from within rather than tearing it down by bemoaning publicly those that did not do all the work we did. There will always be cheats. There does not always need to be external viewing of internal devaluing since this really devalues us all vs just the people who cheated/lied and shouldn't get past the interview anyway. If the interviewer doesn't have enough experience to know some [insert cert of choice] are paper tigers and others are the real deal then that points to an institutional issue where we all know many interviewers need more interview education anyway as bad interviewers far outnumber good interviewers. If we should routinely complain about anything publicly it is the atrocious state of the interview skill-set and the dumb/meaningless questions leading either nowhere or directly to the interviewer's ability to use Google right before the interview to pull out something obscure but irrelevant.
  • YouWill787 Member Posts: 20 ■□□□□□□□□□
    If the interviewer doesn't have enough experience to know some [insert cert of choice] are paper tigers and others are the real deal then that points to an institutional issue where we all know many interviewers need more interview education anyway as bad interviewers far outnumber good interviewers.

    I think that's a great statement. As far as getting a job with any certification it all comes down to the interviewer/hiring manager. If they can't distinguish BS from legitimacy then they're doomed regardless.
  • renacido Member Posts: 387 ■■■■□□□□□□
    Biometric identification of test takers (to eliminate proxies), camera recording of exams (to prevent use of spy cameras), and SaaS exam delivery using encrypted session providing one question at a time (to prevent piracy of the question pool) are needed for all these certs to maintain integrity. Due diligence is needed for staffing the testing centers as well to deal with the corruption especially in places where this has been found such as India and China.
  • fullcrowmoon Member Posts: 172
    beads wrote: »
    Who needs the cert? Hard core, experienced computer security practitioners in senior level positions ("Engineers, Architects") and InfoSec Management. Other than that - Consultants.

    The rest are wasting their time looking for senior level positions when they aren't qualified.

    - b/eads

    I got the CISSP because it was required for my current position as a cybersecurity auditor at a Fortune 15 company. I don't think I would have passed if I hadn't had the technical experience from being a UNIX/Linux admin for 15 years, and a network infrastructure planner after that. Studying my ass off and topping it all with a boot camp is what helped me pass, in my opinion.

    Do you really think the cert has lost its usefulness? I see your posts a lot and you're pretty negative about the CISSP.
    "It's so stimulating being your hat!"
    "... but everything changed when the Fire Nation attacked."
  • beads Member Posts: 1,533 ■■■■■■■■■□
    @Fullcrowmoon First let me say thank you for achieving the proper background and experience before sitting for an exam. You are exactly what was intended to be considered CISSP ready.

    My firm belief is that where there is money there will be cheating. It's not the individual cert, in this case the CISSP, that has been compromised but any once difficult certificate. See above: CCIE, PMP, CISSP, etc. Understand this is also business tolerating bad behavior to get ahead and just turning a blind eye. We have so many consultants with [your cert here] that they become meaningless.

    Another thread pointed to a brand new kindle book: Amazon.com: CISSP In 3 Weeks: The Only Step-by-Step CISSP - DIY Instruction Manual eBook: Nichel James: Kindle Store If people are seriously getting a mid level certificate in just a few weeks or less - we as current holders are really in trouble.

    Personally I make a comparison to the certification number. I pretty much know the ranges of when these exams have changed. Put it this way - lower is better and below 200,000 is best. After that the number of books and materials skyrocketed and the exam became fairly easy to obtain.

    - b/eads
  • E Double U Member Posts: 2,239 ■■■■■■■■■■
    Alphabet soup from (ISC)2, ISACA, GIAC, EC-Council, Microsoft, ITIL, Cisco, Scrum, CompTIA, AWS
  • beads Member Posts: 1,533 ■■■■■■■■■□
    @E Double U:

    Dude, it's easy now. Take a month off and get yourself certified! LOL. I've met these people too! (*Poof!*) Instant CISSPs!

    -b/eads