CISSP Reputation
I just had a conversation with a friend who made a comment that people should not get their CISSP. He actually passed the exam a while ago but didn't have the years of experience quite yet so he is an associate. I didn't go into detail as to why, other than I told him that it has opened some doors for me and that I feel more well rounded as a security professional from what I learned in my studies. He is a VERY smart guy with an excellent understanding in the more technical areas such as penetration testing and forensics. Among many other certifications, he just got his OSCP and is working on his OSCE.
My question is, what are others hearing about the value and reputation of the CISSP? I know that Dave Kennedy is now on the board which I believe is a good sign. I studied extremely hard for the CISSP and it was very difficult so I guess I am just hoping the hard work wasn't wasted. I know it has helped me get my new job and is assisting me down the road of building a new security program, bringing my organization into compliance, and completing risk assessments. When I first started down the road of security I never knew the importance of GRC. I was always tantalized by the sexy world of penetration testing.
Thoughts??
Comments
BTW I voted for Kennedy, Wim Remes and a Japanese granddaddy last year. Was very glad to see them all winning.
For me it didn't give much in terms of knowledge, most of the new things I've learned while preparing were government things (TCSEC, Bell-LaPadula, etc) that I never or barely use in real life anyways. But for passing HR barriers this cert is second to none.
No matter what the cert says we aren't professionals by any stretch of the imagination, we are analysts. A profession requires governmental sponsored licensing and a few other requirements you can feel free to educate yourself, if you wish.
@gespenstern
I have great expectations of change, each and every election but yet settle for small incremental changes. Happy to see the standing ethics committee. Haven't read the minutes to see what has transpired but will hope to see something more positive in the future.
- b/eads
I equate the CISSP certification to a college degree. Was it difficult to get? Not really. Did it cost me money and time? Yes. I don't think this certification is as exclusive or as highly regarded as some think, and this is the same with someone with a MS or BS degree. Just because you have these things it doesn't mean that you are better than everyone else. It just means you put effort and time into making yourself better and were rewarded with a degree or a certification.
In the IT field, you see people who talk about getting it and people who actually do it. In a sense, I will differentiate someone who has spent time and money for experience but I understand that there are some who go with the experience route that doesn't require time and money.
In short, this certification will separate you from the masses but stay humble.
It has been discussed and will continue to be discussed a "million" more times on this board because of the interest in this or any other get rich scheme. Then again there are others on this board who insist that if you can pass the exam you should be able to ignore any requirement to any exam.
Not pointing fingers but you know who you are.
I'll stick by my guns on the weekend comment. Been there - done that. Now, I don't update my cert list.
- b/eads
I like this comment!
What I've heard from those I respect in the field is what you do after you obtain your certifications is what matters. There were domains on the exam I had little experience and areas where I spent most of my career. Knowing this and the demands of my current job, I have taken on this challenge and have expanded my knowledge in the domains where I need work. The main reason why I got into this field is because there is always something new to learn, which keeps me humble.
You DON'T need CISSP to get any infosec job (outside of DoD8570), and the role it is best suited for is Security Manager for a medium-large enterprise.
The reason the average salary of a CISSP is high is because the average CISSP has 14 years of infosec experience. Having this certification does not by itself qualify you for positions paying 6 figures.
Please copy and paste this on all the 793,827,374 other threads asking this same question.
Interesting. I see plenty of infosec jobs outside of DoD require the CISSP (especially contractor positions). Usually, Federal positions state that they highly desire the CISSP.
In summary, just get the CISSP
You're in Maryland I see. That explains a lot.
So, they are "Federal" positions (so GS positions for FedGov) and contractor positions. I'd bet many if not most of those positions you are seeing are under DoD-8570 (NSA, DIA, DISA, NRO, mil contractors, contractors with mil clients, GS employees under DoD or working on DoD sites such as the Pentagon, Andrews, Bolling, Meade, etc).
If you were in NYC, SF, Chicago, or anywhere else where you're not surrounded by military bases and military contractors, you'd have a very different perspective.
Some may feel that it's an HR check box during the hiring process, but let me put it this way. Many of you would not have the jobs you do now if you didn't have your CISSP. Would you have your new car, your house, that nice watch, etc etc etc?
Secondly, since it has become a worldwide certification, look at the number of non-US people that have posted in these threads about taking the test. That only reinforces the fact that its reputation is still strong.
Does it have value=Yes
Is it worth the effort=Yes
Is its reputation still good=Yes
I was told that obtaining the CISSP within a year was a requirement when I got this job last July, so I am very much aligned with this statement.
I would also note that the CISSP has value outside the government umbrella, in the financial world.