Why do people hate the CISSP?

I have been reading a variety of blogs relating to the CISSP and the opinions that range from distaste to a downright hatred for the certification. I'm wondering where this is stemming from exactly? It's not as if ISC2 made any false claims of what the CISSP is or represents. A couple of anti-cissp reasons I have seen are:

1. HR using it as a benchmark for infosec. How dare they use a standard test to assume subject knowledge!
2. Infosec "Consultants" who flash it around and claim expert-level knowledge. How does this affect you?
3. The CISSP is waaay non-technical. It has no real-world applications. ...I don't think we want to get into another theory vs. real-world debate.

Overall, I don't even see the "reasons" to be anything more than surface level at most. They certainly do not validate the energy used to post the numerous blogs across the internet. So, if you truly love or hate the CISSP, I'd love to hear from you.

Find more posts tagged with

Comments

impelse

Those who normally hate CISSP it is because two things are happening:

1. They do not hold the cert or got bad experience failing.
2. They do not get it, this is what ISC2.ORG says about CISSP:

"The CISSP draws from a comprehensive, up-to-date, global common body of knowledge that ensures security leaders have a deep knowledge and understanding of new threats, technologies, regulations, standards, and practices."

it is common body or knowledge and understanding, never claim to be fully technical, you get the technical part through your experience and other certifications. Just to get the big picture.

Now the job market (HR full on it), needs a parameter to know if a candidate have any standard/base knowledge/experience to work in the security position and CISSP is one of them that help them, some times they mix it with CEH or GIAC

Now in the interview is where you show your real knowledge and experience, that part is not HR.

Eburon

It's a common pattern of behaviour of those followers of negativism. They simply hate what they are not, not able to become, or do not fully comprehend. You know that guy from the IT operations who hates auditors (CISA), that girl from the service desk hating CISM-certified managers, and that MBA dude who loathes everyone in the IT architecture unit talking in TOGAF jargon. And of course, I hate CPAs and other accountants! But only after they failed to detect the onset of the financial bubble in 2008.

gespenstern

The exam is very good, there's no real reason to hate. I recently passed ISSAP and, once again, questions struck me as very well-thought and well-worded. Unlike some other exams.

I see two reasons (which are essentially one on a deeper level):

1) Hate comes from web application pentesters and similar type of infosec people (hackers) who don't know much about physical and electronic security and often rant about how ISC2 dares to ask them, high-level gurus who penetrated this and that, about fire extinguishers?

2) Again, hate comes from the same type of people who don't know much and don't want to know about non-practical for a "hacker" concepts such as BCP, DRP and, sometimes, crypto.

Often, this type of people praises OSCP (I don't have anything agains OSCP BTW and will pass it when I have time for that). I prefer to hate CEH, lol.

the_Grinch

I think it's not so much a hate as much as it is a dislike of the test. It is a bear of an exam and I tend to think the dislike comes from having to think like ISC2 for most questions. When you work in the real world, their answers are always the best way to go, but it's their test. Ultimately those who have it know that it is definitely worth having and taking the time to get it.

rfra

I haven't heard of many people who really "hate" it. I think the criticisms are that it's a significant investment in time and money to pass, yet it tests to a level that is of questionable value. By design the test covers a huge amount of information and to do that it barely scratches the surface of all those areas - you know a few facts about encryption algorithms yet might not know how to send SMIME email, you can talk about software development processes yet might not know what Eclipse is, you can talk about types of smart cards but have no idea how they are implemented. For people who are used to IT certifications that test some more targeted technical knowledge, the CISSP can seem a bit pointless. Yet, it's designed for a different purpose.

You need to set appropriate expectations to get anything out of it. A good way to think of the CISSP is a test to ensure that a manager can not only "talk the talk" to have the foundation for more technical discussions in a particular area, but also maintain the big-picture view that often gets missed by more technically-focused individuals. Technical people often want to apply technical solutions before thinking through the big picture. The CISSP is designed to help people think at a business value and policy level while balancing priorities.

There is also the distaste for the test itself due to the nature of its questions being very fuzzy with many seemingly correct answers. This again is by design, if you think of the manager who is trying to balance competing requirements and needs to learn to identify and prioritize.

With the right mindset, the CISSP fits its purpose even while being a pain to prepare for. Like any certification it's nothing more than a test (and experience validation for the CISSP), and no certification by itself totally prepares someone for a job role, its just another tool and shouldn't be over-emphasized.

!nf0s3cure

My favorite dislike was Crypto. It was just not relevant. They have chopped and moved Crypto to other parts. I have heard it is very low significance on the test these days.

havoc64

really? Sure seems like a lot about it in all the books and on the practice test.

E Double U

I hated losing money on failing the exam twice. That is all.

apr911

havoc64 wrote: »

really? Sure seems like a lot about it in all the books and on the practice test.

The emphasis within a book rarely matches the emphasis in the actual exam.

There may be a lot of information on a particular section because the author feels its necessary or because it may well be relevant but the exam is pulled from a pool of questions from the 10 domains and they are not always equally weighted.

There might be 1000 questions in the pool (oversimplification) and 250 of those might be related to encryption but on your quiz you might get only 5 crypto questions (again an oversimplification) out of 250 total on the exam. In this scenario although crypto might make up 25% of the pool thus being the "largest" domain with the most required knowledge, it only makes up 2% of the exam.

As for the dislike of the CISSP, I think it comes from the requirements to get it. It's a beast of an exam, its expensive, it has a relatively low first-pass ratio compared to most IT certs, its more policy oriented than technical and even when you pass the exam you're still not done as you have to get endorsed, audited, etc plus keep the cert up-to-date with CPEs and AMFs.

All of that for an exam that has a dubious relevance to most positions (especially those that are non-management and/or technical) and its easy to see the hate. Though as others have pointed out most of that hate is directed at it because the person hating it doesnt possess it themselves and has thus been excluded from a position. There is also the fact that DOD8570 and its future replacement DOD8140 place the CISSP (or other exams) as a requirement again excluding those who dont have it.

Robicus

I think although the test may be "standard", the experience from one person to another is far from standard. I put a lot of time into the CISSP and got a lot in return. In other words, I probably could have studied less and still passed.

If earning a CISSP helps get one's foot in the door, then great. But it will really shakes down to how effectively one articulates his or her knowledge as a security professional.

Make the journey worth it!

Mike7

!nf0s3cure wrote: »

My favorite dislike was Crypto. It was just not relevant. They have chopped and moved Crypto to other parts. I have heard it is very low significance on the test these days.

Yes to history lessons on hieroglyphics, caesar cipher and vigenere cipher.

Unfortunately, modern crypto is very much related to security.
Some of the high-profile security vulnerabilities in recent years are related to crypto. Examples include BEAST, HeartBleed, POODLE, FREAK, LogJam. Some of us have to explain to management why HeartBleed was a serious vulnerability and why we need to revoke existing certs and issue new certs. Key management was a pain for some. Those who did PCI DSS have to look at cipher selection.

I guess they probably reduce the crypto portion and move it to ISSAP concentration.

Mike7

Robicus wrote: »

I put a lot of time into the CISSP and got a lot in return.
Make the journey worth it!

Yes, what we get is knowledge that is applicable to your infosec career.
How you study for it determines what you get in return.

As someone put it in another thread on CISSP-ISSMP.

hermit84 wrote: »

It is not hard if you study CISSP well.
I passed CSSLP, ISSMP and ISSAP exams within 3 weeks.

cwelber

I agree that people who dislike it probably didn't pass or understand it. Going through the endorsement phase myself which meant having to find a CISSP who would vouch for me (one of my mentors), and then now waiting for my managers to verify my work experience I realize more and more the value; no one ever had to vouch for me on Security+. A+ or all the CompTIA +'s, I have (most of them). This plus the value of the ethics we all need to sign off on I think means something.

I learned a lot studying my butt off for almost a year and passing on 9-25-2015. I think the information is broad and not super deep, but then you need to decide what to specialize in, for me it's going to be management and blue-team defense. I would bet a lot of folks who say are pure pen testers actually don't know a lot of this stuff. I would prefer a pen tester with a CISSP over one who wasn't with all other things being equal because they would have a better understanding of what management is up against. I have also noticed that most folks who hate the cert, actually didn't pass the test.

Love or hate the CISSP is an exclusive community that takes some amount of effort to join.

Thanks to all in this forum who helped me pass the first time. I imagine it does suck to study hard, pay your $600 and fail; keep on trying and eventually we'll all get to where we want to be. I think helping others is a great way to learn too.

TeKniques

My interpretation of the people who are vocal about the CISSP certification stems from the ISC2 apparently "flooding" the market with more CISSPs and not holding their audit process with much integrity. As with simple economics, the more there is of anything in the market the less valuable it becomes. I can only speak for myself and the value the CISSP appears to bring to me, and I would suggest that everyone do the same when deciding if it is beneficial to obtain or not.

beads

Scottdt wrote: »

I have been reading a variety of blogs relating to the CISSP and the opinions that range from distaste to a downright hatred for the certification. I'm wondering where this is stemming from exactly? It's not as if ISC2 made any false claims of what the CISSP is or represents. A couple of anti-cissp reasons I have seen are:

1. HR using it as a benchmark for infosec. How dare they use a standard test to assume subject knowledge!
2. Infosec "Consultants" who flash it around and claim expert-level knowledge. How does this affect you?
3. The CISSP is waaay non-technical. It has no real-world applications. ...I don't think we want to get into another theory vs. real-world debate.

Overall, I don't even see the "reasons" to be anything more than surface level at most. They certainly do not validate the energy used to post the numerous blogs across the internet. So, if you truly love or hate the CISSP, I'd love to hear from you.

Long time cert holders are likely to resent not so much the exam - its an easy exam by the way - as much as hating the (ISC)2.

No one cares about passing a non-technical multiple-guess exam as much as HAVING TO PASS the non-technical multiple-guess exam for any number of superficial reasons. HR does not generally write the job descriptions posted on boards. If they are - stay away from the post in the first place. Just means the hiring manager hasn't a clue as to what they are looking for in the first place. Why is it an easy exam to pass in the first place? Simple. Go to Amazon and pick any of the 900 sources of information available. The information or knowledge is hardly the esoteric/occult wisdom of the ages it once was. A decade ago earning the CISSP felt like you actually knew what you were talking about. Today, no more.

Second. Anyone practicing security for more than six months feels obligated to carry the card. Like a right of passage or dues to club that's seen its better days. Builds resentment for an organization that promotes the number of successful passes over the quality of those who have past the exam. See my comment about a decade before. The (ISC)2 has removed any and all barriers to obtaining the paper at the cost of credibility. Still its all we have to work with in the community as "the gold standard".

Believe gpensten hit the nail on the head about theory vs reality. Just knowing there might not be the perfect fire extinguisher available might make the difference between panicking and death by using the only fire extinguisher available. Whew! That was a close one! I almost used this A-B-C on a liquids fire! But its the only thing available in the building. Yeah buddy!

Your lack of contempt shows your still new to the CISSP field or haven't been intimately involved with (ISC)2 politics. Give it time and you too will lament that the cert is either only good for starting larger fires (thick paper) or that its still more worthwhile to those without it than to those with it.

For now, we are stuck having to renew a cert for which there is little equal. Save for that which is best buried immediately.

Third cycle cert holder

- b/eads

Scottdt

Thank you for the responses!

What I summarize is the "techs" think it has no real-world application in the (cough, manager-run) organization they are a part of. Those that do have the CISSP have a strong distaste for the organization (ISC2) that runs it, and while the information it contains may not have changed in difficulty, the massive amount of resources available has inadvertently caused the test to become a shadow of what it once was. Finally, those that don't have the CISSP are just a bunch of player haters. Hah.

beads

The CISSP is more valuable to those without than for those with the credential. Or if you wish: the grass is greener because HR says so.

- b/eads

Mike7

Good one.

HR use the CISSP cert as a filter for security jobs. This generates demand and high expectation.
So everyone including hard-core security techies expect CISSPs to walk on water; they were disappointed and disillusioned after finding out the truth

apr911

beads wrote: »

Just knowing there might not be the perfect fire extinguisher available might make the difference between panicking and death by using the only fire extinguisher available. Whew! That was a close one! I almost used this A-B-C on a liquids fire! But its the only thing available in the building. Yeah buddy!

Very confused by what you're trying to say here... So because it's the internet and somebody is bound to read that and do something stupid as a result (seriously, just google darwin awards) here is an important safety advisory...

SAFETY NOTE: It is important to understand the fire protocol in place at your home/office/datacenter and it is actually important to use the correct fire extinguisher. Using the wrong one, even if its the only one in the building, may cause "death by using the only fire extinguisher available." For example, even if its the only one available, using a water-based class A extinguisher on an electrical fire may result in your electrocution or on a kitchen fire may result in the spread of the fire.

Thankfully, you dont need to know any of the the theory of what class is good for what type of fire (and frankly it wouldnt do you any good since the class and colors vary between the Europe, Australia, Asia, the UK and the US); Fire extinguishers have pictograms that easily show you what types they can be used on and most are equipped to handle the 3 of the 4 most common classes (ABC) with the last one (K - kitchen) usually having a special extinguisher found... in the kitchen

As for fire protocol... I dont care what type of fire extinguisher you have in the building; if a fire breaks out in your DC and an inert gas suppression system is deployed, using the only fire extinguisher in the building, even if it is the correct one, to try and put out the fire will get you killed when the gas system activates.

So yes, in a fire using a fire extinguisher is better than panicking and doing nothing but panicking and using the wrong fire extinguisher because its the only one available is worse than using nothing and evacuating the building. END SAFETY NOTE

Again, sorry for the divergence but it's the internet and you never know who's going to come along read that, internalize it and then get themselves killed.

TeKniques wrote: »

My interpretation of the people who are vocal about the CISSP certification stems from the ISC2 apparently "flooding" the market with more CISSPs and not holding their audit process with much integrity. As with simple economics, the more there is of anything in the market the less valuable it becomes. I can only speak for myself and the value the CISSP appears to bring to me, and I would suggest that everyone do the same when deciding if it is beneficial to obtain or not.

Sort of true... Im not happy with ISC2's policy of flooding the market. Personally, I didn't like when they went to computer-based testing for the exam. I understand why they did it, when I got mine 5 years ago I had to schedule 3 months in advance and drive 90 miles to the test site because the local sites held the exam infrequently and were booked almost immediately as they weren't able to accommodate the high demand (I was in San Antonio, TX at the time so lots of military people going for the CISSP or SSCP) but the security of the test took a hit. (not that the paper exam was perfectly secure either but it was a least more difficult)

Ultimately though, even with ISC2 actively inflating the ranks, positions requiring CISSPs still out number the actual number of CISSPs in the world. The diminishing effect is certainly there, it used to be a CISSP got you a minimum of 100k and now its dropped to 90-95k but by the same token, the end salary negotiation is on you. Companies might be starting the pay bracket lower but if you have the skills, knowledge and experience you can still get top dollar far in excess of 100k without major issue. It's not the golden ticket it used to be but it still opens doors.

beads wrote: »

haven't been intimately involved with (ISC)2 politics.

This right here. I havent been intimately involved with (ISC)2 politics but I went to the conference and Member Meeting at the 2012 Security Congress in Philadelphia and went only to the Member Meeting at the 2015 Security Congress in Anaheim... On both occasions there were people asking members to sign a petition to the board asking them to permit one thing or another (2012 was to permit certain members to run for board spots)

That left a particularly bad taste in my mouth for 2 reasons:
1) We have people who WANT to do the job to the extent they're actively asking for it but they're being turned away
2) The board should be chosen entirely by members. The current system allows the board to select the candidates to be presented to the members.

Scottdt wrote: »

Thank you for the responses!

What I summarize is the "techs" think it has no real-world application in the (cough, manager-run) organization they are a part of. Those that do have the CISSP have a strong distaste for the organization (ISC2) that runs it, and while the information it contains may not have changed in difficulty, the massive amount of resources available has inadvertently caused the test to become a shadow of what it once was. Finally, those that don't have the CISSP are just a bunch of player haters. Hah.

Spot on summary.

beads

@apr911;

As far as fire extinguishers are concerned I have seen many that were either out of place (wrong type), empty, broken or questionably place. Nowhere did I indicate a Data Center with or without proper fire suppression. I currently work with a DC and its backup with very lax attention if any confidently working system in place. It happens. Point being you use the tools in an emergency that you have in hand. Fire extinguishers are pretty low on my risk over time radar. Perhaps it's more important in your experience but off hand. I couldn't begin to even tell you where the closest fire extinguisher is in this building. I've seen more building flood on the second floor than commercial building fires. Nice strawman though. Shall we light it up?

(ISC)2 politics. No, you don't begin to complain about an organization unless you've been beat down trying to improve said organization from the inside out. Details will not be discussed but it happens every year for one group or another. Many in the organization believe in quantity over quality but as the organization has gotten larger the need to switch to a standing ethics committee should tell you something. Its all about the marketing.

CISSP.jpg

dustervoice

I think people bash cissp because its not a "hacking" exam. Security is deeper than hacking..why worry about some script kiddie in china when an org doesn't have a risk/change/DR program in place? more outages are caused by bad change management processes than hacking incidents. if an e-com site like amazon goes offline because of bad change management vs hacking do you really think a customer cares? at the end of the day consumers want a site up and running to order products and thats all they care about geeks worry too much about hacks!!

Tuningislife

For me, it is a checkbox.

I have my B.S. in Cyber Security, working on a M.S in Cyber Security. I have my Sec+ because it was required for a job. Any security related job I look at in this area require the CISSP. Some places don't even know really what it is, they just want to use it as a buzzword. Like this:

"* Preference will be given to candidates with Security+ and/or CEH certifications and experience or knowledge or CISSP best practices"

vs those who are trying to fill a requirement:

"Preferred Qualifications:
* DoD 8570 IAM Level II/III certification (CISM, CISSP or CASP) * Master's Degree in a related field"

(Mind you, you have up to 6 months after hire to get the cert.)

So CompTIA makes the CASP to "compete" with the CISSP, but the CASP is supposed to me more technical than the CISSP, which is considered more managerial in nature.

But when I go on interviews, the technical interviewers always go..... "So... when are you going to get your CISSP?" I always reply... "Soon. It is on my list of things to do." Last interview I went on, that I have a CJO for, the manager said, "we kinda use the CISSP as a baseline, so all of our guys have it." So I have to re-look at getting it.

Last time I looked at getting it, my manager discouraged me saying, "we couldn't afford to pay two CISSPs", then when the one guy left, and I was interested in his job that I had been his backup for, I was told, "sorry, we want someone with a CISSP." *head desk*

One of my co-workers has his CISSP, he works as a Linux Admin. Doesn't even use it. I asked him about it, he was like, "oh, well my company paid for me to get it, so why not!"

This versus the guy who works as the Security guy who has no certs, and no degree, he just happened to work for a security software company for several years.

So that is why I particularly dislike the cert. The same way I don't much care for the C|EH or Microsoft certs, hell any of them. I am more of a fan of practical certs, that show if you can perform a certain task, not how well you can memorize information and take a test. But I will be getting it. Only because I have to.

Robertf969

My company wants us to have an alphabet soup at the end of our name because clients think they mean more than they do.

Ryston

It's the requirement that you have someone sign off on your 5+ years of experience for me.

IT Security is an asymmetrical competition in critical thinking skills, and that certification (a token of ability to perform a set of tasks competently) is basically:
A moderately impressive memorization check combined with...
A reference check?

I don't want to understate the scope of the memorization check, it's pretty broad. I give it some credit - but to artificially inflate the scarcity of the credential with a good o'l boys club mechanic is pretty unimpressive, and the fact that it's being used as a water mark in an industry built on critical thinking skills... it's pretty laughable.

mgeoffriau

Most of the negative comments I've seen (both elsewhere as well as in this thread) boil down to one thing - a disconnect between what the CISSP is expected or believed to be, and what it actually is.

The old-school CISSP holders are disappointed that the artificial barriers to entry (paper tests, scheduling difficulty, travel, etc.) have been lowered.
The newly-passed CISSP takers are disappointed that it wasn't the silver-bullet for career advancement they've been told it would be.
The newly-failed CISSP takers are disappointed that it was too managerial, or just rote memorization, or the questions were too confusing, or whatever.
The disinclined-to-study are disappointed that HR departments use the CISSP as an applicant filter instead of reviewing their actual work experience and skills.

If you take it for what it is -- a broad, reasonably difficult but ultimately straightforward exam, that carries some weight with HR departments but isn't going to turn you from a zero into a hero -- you're less likely to be disappointed.

ThePawofRizzo

Most of the time, the biggest critics I meet of a specific certification or degree, generally are critics of any certification or degree. Most IT admins or managers that I've spoken with that deride certs and degrees, either never bothered to try to earn any, so have no idea what one can learn in the process and the work that can be involved, or they tried a couple and failed. Period. They usually try the "You can learn all that on the job. Experience is the only true teacher!" I agree, work experience certainly is important, and one can learn from it a lot. However, the education process also is useful and certifications and degrees are a culmination of that education.

I work with about two dozen techs and admins. Most have no degree at all, in IT or otherwise. Most have no certifications. Of the two dozen, there may be 4 that seem to have actually learned a lot on the job, and are really talented techs or admins. The rest have years and years on the job, and they only know the repetitive day-to-day that they do on the job. When a new issue arises, one of the 4 or 5 techs who is actually willing to learn and get stressed learning something new on the job is the one who has to solve the new issue. So, yes one can learn from experience, but even those with 20 years experience don't always really know what they are doing. Sure, I've also worked a couple certified and/or educated techs and admins who seemed to have stopped learning early in their career, but for those who have continued to certify or seek education they usually seem to learn about IT in the process....but if they learn on the job or in a class, they generally have an attitude to learn.

With IT, and ever changing technology (and IT security threats), to me, everyone in IT needs to always be learning. To some learning on the job works well. To others earning certifications and degrees works well. I think CISSP, like any other degree or certification, has to be thought of as someone showing they've had some exposure to some training, and learned some key concepts around IT security, just like someone earning other education paperwork. Employers want people who will hit the ground running when they start, and the more education and experience someone has the more likely this prospective employee will be able to perform. It's up to the employer to determine which people are bluster, and which ones understand.

I've been studying for CISSP, and I'm learning a lot of general IT Security principles. It isn't heavy on the technical processes, but studying for it certainly has introduced me to a lot of concepts that I can, and will, use in any IT capacity I work within. I do think some employers give it too much emphasis, but it does provide at least some measure for an employer to evaluate if a prospective, or current, employee is trying to keep their skills current. I'm certainly pursuing CISSP because it is better known, and I have no desire to be an IT Security Manager at this point. I am pursuing it lest I find myself unemployed ever, so that it - with my other education and experience - will hopefully get an employer to give me a closer look. Also, any education requires discipline, and the ability to attain goals, so even those qualities may help tip an employers decision when choosing between candidates.

jeremywatts2005

I think it is a great certification. Myself I just have not needed to go for it. I work in Digital Forensics and IR side of the house and a CISSP is not going to do much for you over here in most cases. An EnCe, CySA, GCIH, ACE or other DFIR certs are more valuable since this is what you are doing on a daily basis. We have some guys with CISSP and they make the same as everyone else who doesn't. I can remember some of the first CISSP holders and it was a huge deal and still is on the security side outside of DFIR and Red Teams. All depends on where you are working within security. Still a great cert just with so many variations of roles in security it doesn't apply as directly to some as others.

ITHokie

Scottdt said:

I have been reading a variety of blogs relating to the CISSP and the opinions that range from distaste to a downright hatred for the certification. I'm wondering where this is stemming from exactly? It's not as if ISC2 made any false claims of what the CISSP is or represents. A couple of anti-cissp reasons I have seen are:

1. HR using it as a benchmark for infosec. How dare they use a standard test to assume subject knowledge!
2. Infosec "Consultants" who flash it around and claim expert-level knowledge. How does this affect you?
3. The CISSP is waaay non-technical. It has no real-world applications. ...I don't think we want to get into another theory vs. real-world debate.

Overall, I don't even see the "reasons" to be anything more than surface level at most. They certainly do not validate the energy used to post the numerous blogs across the internet. So, if you truly love or hate the CISSP, I'd love to hear from you.

It's an entry level cert that is somehow perceived to be something more. I studied for less than 3 weeks and found the exam to be pretty easy. I probably shouldn't have studied at all. Yes, the exam is long and obtuse at times, and it covers a high volume of basic information, but it wasn't challenging. I don't think I learned anything of value that I didn't already know.

Just about every post like this contains some form of "it's not as if ISC2 made any false claims." No one cares. ISC2's description has 0 impact on hiring practices and staffing models in the industry. Its ratio of required knowledge to perceived gravitas is wildly out of whack.

It's fine as far as it goes. Which is to say, not very far.

https://community.infosecinstitute.com/discussion/105191/passed-cissp-10-24-disappointing-as-expected/p1

ITHokie

dustervoice said:

Security is deeper than hacking..why worry about some script kiddie in china when an org doesn't have a risk/change/DR program in place?

I know, right? I mean, we all know that the only threat actor is some script kiddie in China. Why worry about losing customer PII/NPI, millions in civil suits, significant brand damage, theft of trade secrets (or national security secrets), etc?

Ryston

ITHokie said:

Scottdt said:

I have been reading a variety of blogs relating to the CISSP and the opinions that range from distaste to a downright hatred for the certification. I'm wondering where this is stemming from exactly? It's not as if ISC2 made any false claims of what the CISSP is or represents. A couple of anti-cissp reasons I have seen are:

1. HR using it as a benchmark for infosec. How dare they use a standard test to assume subject knowledge!
2. Infosec "Consultants" who flash it around and claim expert-level knowledge. How does this affect you?
3. The CISSP is waaay non-technical. It has no real-world applications. ...I don't think we want to get into another theory vs. real-world debate.

Overall, I don't even see the "reasons" to be anything more than surface level at most. They certainly do not validate the energy used to post the numerous blogs across the internet. So, if you truly love or hate the CISSP, I'd love to hear from you.

It's an entry level cert that is somehow perceived to be something more. I studied for less than 3 weeks and found the exam to be pretty easy. I probably shouldn't have studied at all. Yes, the exam is long and obtuse at times, and it covers a high volume of basic information, but it wasn't challenging. I don't think I learned anything of value that I didn't already know.

Just about every post like this contains some form of "it's not as if ISC2 made any false claims." No one cares. ISC2's description has 0 impact on hiring practices and staffing models in the industry. Its ratio of required knowledge to perceived gravitas is wildly out of whack.

It's fine as far as it goes. Which is to say, not very far.

<link deleted because it seems I am too new to include links>

jeremywatts2005 said:

I think it is a great certification. Myself I just have not needed to go for it. I work in Digital Forensics and IR side of the house and a CISSP is not going to do much for you over here in most cases. An EnCe, CySA, GCIH, ACE or other DFIR certs are more valuable since this is what you are doing on a daily basis. We have some guys with CISSP and they make the same as everyone else who doesn't. I can remember some of the first CISSP holders and it was a huge deal and still is on the security side outside of DFIR and Red Teams. All depends on where you are working within security. Still a great cert just with so many variations of roles in security it doesn't apply as directly to some as others.

ITHokie that's actually EXACTLY my problem with it, but to illustrate it I have to first make a point:

IT Security is an adversarial challenge in critical thinking skills. Compliant != Secure, and the CISSP teaches you to memorize compliant posture.

It's like a science text book that tells you all of the facts we know and doesn't discuss why we think we know them or anything about the scientific method.

It's useful... but it's just... lacking, in a way that is vital to the industry.

This brings me to what you just said, that it is an Entry Level certificate. That is a widely held view, but it requires five years of experience in two or more of eight domains...

The obvious non sequitur of this statement just underlines the fact that critical thinking skills are NOT an emphasized part of the CISSP. It is regarded as the industry standard and yet it is largely devoid of the mindset which steers the sector.

Jeremywatts, for what it's worth I study Red Teaming and CISSP material because some day if/when I get a job on a red team my job will be to report to a CISSP holder how to improve their security. Understanding their paradigm will help me effectively communicate findings to them. Maybe I'm going overkill, I don't know.