Looks like ISC2 does not mind about needing experience for their certifications

rob1234 Banned Posts: 151
CCSP Spotlight: James Simonetti - (ISC)2 Blog

Years in IT: 8
Years in cybersecurity: 1
Cybersecurity certifications: CCSP, CISSP, Security+

How do you get the CISSP and CCSP with only 1 year of security experience??
Assuming the 8 years in IT covered him, but then why say only 1 year in cybersecurity?

Comments

  • cyberguypr Mod Posts: 6,928
    Maybe a case like mine. I've been doing security related functions forever but 100% dedicated cyber security stuff for just 4 years.
  • gespenstern Member Posts: 1,243
    It is normal. Most infosec folks come from network, infrastructure or development backgrounds where they did IT for years. All of these backgrounds have something to do with security, and the corresponding knowledge is an essential part of the CISSP CBK.

    I come from physical/electronic security background and while, unlike network or infrastructure, it has this magic word "security" in it, I can tell that it has less to do with the CISSP than network or infrastructure.
  • beads Member Posts: 1,531
    The definition as to what is or is not acceptable changed many years ago under Tipton who demanded we increase the number of certified members over having more "purity" of experience. It was quite the shouting match between camps.

    - b/eads
  • Mike7 Member Posts: 1,107
    The CISSP requirement is for 5 or more years of accumulated experience. Some of the cybersecurity folks I know have years of experience in network engineering, system engineering and/or application development. The knowledge and understanding helps.

    Reminds me of this saying by Lesley Carhart
    - To hack something (or defend it from hacking), you must have a solid understanding of how that thing works.
  • 636-555-3226 Member Posts: 975
    All you need is a boss to sign the paperwork; the bar for proving your skillset is based primarily on the honor system, or at least it was way back in the day when I took it.
  • markulous Member Posts: 2,394
    Technically resetting passwords would count towards security experience. Heck, I worked as a security guard for a year and that should qualify as experience also.
  • beads Member Posts: 1,531
    Has anyone heard of someone posting that they were denied on any board, at any time? Ever?

    Doubtful.

    - b/eads
  • dhay13 Member Posts: 580
    I wondered about that myself. I worked in law enforcement for 6 years but also did armed security for 10 years. One of the contracts our company had was to watch the local water treatment plant after 9/11. We secured the perimeter and manned the gate, but they also had a computer system and I'm sure a SCADA system. We didn't specifically secure the computer system, but we indirectly did by securing the perimeter.
  • ivx502 Member Posts: 61
    Before I sat for the CISSP I served in the military for four years. I did four years physical security and auditing before I transitioned to information security. I have heard of someone getting their experience declined, but that was only one person out of I don't know how many.
  • tedjames Member Posts: 1,179
    beads wrote: »
    Has anyone heard of someone posting that they were denied on any board, at any time? Ever?

    Doubtful.

    - b/eads

    I wasn't denied, but I was audited. I've known a few others who were audited. Just a temporary setback. You just have to resubmit your experience.
  • JDMurray Admin Posts: 13,023
    rob1234 wrote: »
    How do you get the CISSP and CCSP with only 1 year of security experience??
    Assuming the 8 years in IT covered him, but then why say only 1 year in cybersecurity?
    The CISSP certification requires "professional information security" experience, of which "cybersecurity" is only a subset. The blog author calling the CISSP (and CSSLP and Security+) a "cybersecurity certification" is inaccurate. All of these certs cover areas of InfoSec not found in cybersecurity.
  • rob1234 Banned Posts: 151
    JDMurray wrote: »
    The CISSP certification requires "professional information security" experience, of which "cybersecurity" is only a subset. The blog author calling the CISSP (and CSSLP and Security+) a "cybersecurity certification" is inaccurate. All of these certs cover areas of InfoSec not found in cybersecurity.

    Never knew there was a known definition for cybersecurity?
  • JDMurray Admin Posts: 13,023
    rob1234 wrote: »
    Never knew there was a known definition for cybersecurity?

    It's a US Gov term; Google Search is your friend ;)

    https://www.dhs.gov/topic/cybersecurity
  • JockVSJock Member Posts: 1,118
    tedjames wrote: »
    I wasn't denied, but I was audited.

    It's too bad that ISC doesn't audit the ethics of CISSP holders once they obtain the cert, since test takers are required to know and understand the code of ethics. I know of one CISSP that took part in domain squatting in order to make some cash and another that falsified their experience in order to test.
    ***Freedom of Speech, Just Watch What You Say*** Example, Beware of CompTIA Certs (Deleted From Google Cached)

    "It's easier to deceive the masses than to convince the masses that they have been deceived."
    -unknown
  • JDMurray Admin Posts: 13,023
    The (ISC)2 doesn't actively monitor the public activities of its cert holders for ethics violations. They rely mostly on verifiable reports of unethical behavior from their membership and other sources. Probably the same for SANS/GIAC too.

    The auditing is random and normal for ensuring the quality and integrity of the (ISC)2 exam results.
  • beads Member Posts: 1,531
    There is now a standing ethics committee, but I haven't heard who is on it or of any proceedings.

    - b/eads
  • JDMurray Admin Posts: 13,023
    My guess is that it privately investigates reports of unethical behavior within the (ISC)2 membership and is not a public-facing body.
  • JockVSJock Member Posts: 1,118
    JDMurray wrote: »
    The (ISC)2 doesn't actively monitor the public activities of its cert holders for ethics violations. They rely mostly on verifiable reports of unethical behavior from their membership and other sources. Probably the same for SANS/GIAC too.

    The auditing is random and normal for ensuring the quality and integrity of the (ISC)2 exam results.

    Then why test for a code of ethics?

    It's going through the motions to make as much money as possible...
  • JDMurray Admin Posts: 13,023
    Ethics is one of the topics in the Security and Risk Management domain of the CISSP CBK, so it is tested for. Also, if you are expecting your membership to follow a specific body of rules, you need to determine if they understand how they are expected to act and not to act. This does not come into play until after the CISSP exam is passed, but before endorsement is completed.

    As for steering this discussion to "IT'S ALL A MONEY GRAB!!", there are much easier ways to make much more money as a USA business than offering InfoSec education and certification to the global community.
  • JockVSJock Member Posts: 1,118
    JDMurray wrote: »
    Ethics is one of the topics in the Security and Risk Management domain of the CISSP CBK, so it is tested for. Also, if you are expecting your membership to follow a specific body of rules, you need to determine if they understand how they are expected to act and not to act. This does not come into play until after the CISSP exam is passed, but before endorsement is completed.

    As for steering this discussion to "IT'S ALL A MONEY GRAB!!", there are much easier ways to make much more money as a USA business than offering InfoSec education and certification to the global community.

    It's a question of honesty and integrity, which leads us down a twisted and narrow path of "IT'S A MONEY GRAB!!!"

    Why does ISC have rules, along with an ethics part that is tested on, if they aren't enforced on those who have successfully passed?

    They should just forgo the rules and ethics and let anybody and everybody test, who has the money, because a customer with money is a customer with money.
  • JDMurray Admin Posts: 13,023
    JockVSJock wrote: »
    They should just forgo the rules and ethics and let anybody and everybody test, who has the money, because a customer with money is a customer with money.
    I think you need to take up this issue directly with the (ISC)2.
  • JockVSJock Member Posts: 1,118
    JDMurray wrote: »
    I think you need to take up this issue directly with the (ISC)2.

    I have a better chance of winning the lottery than successfully discussing this issue with (ISC)2.

    Admit it, these cert companies are a business, and their only goal is to make a lot of money.
  • JDMurray Admin Posts: 13,023
    JockVSJock wrote: »
    Admit it, these cert companies are a business, and their only goal is to make a lot of money.
    They are education businesses, but if their goal is to make a lot of money then they chose the wrong product.
  • rob1234 Banned Posts: 151
    JDMurray wrote: »
    It's a US Gov term; Google Search is your friend ;)

    https://www.dhs.gov/topic/cybersecurity

    I do not see anywhere where they define cybersecurity. I just see the buzzword used a lot.

    Also, not being US-based, I tend to prefer a more global definition; if you have one of those, it would be great.
  • E Double U Member Posts: 2,228
    JockVSJock wrote: »
    these cert companies are a business, and their only goal is to make a lot of money

    Primary goal maybe, but not the only goal.
    Alphabet soup from (ISC)2, ISACA, GIAC, EC-Council, Microsoft, ITIL, Cisco, Scrum, CompTIA, AWS
  • JockVSJock Member Posts: 1,118
    JDMurray wrote: »
    They are education businesses, but if their goal is to make a lot of money then they choose the wrong product.

    IT certs must be a profitable product:

    CompTIA Executive Compensation: Big Profits From Nonprofits - Page: 1 | CRN
    Computing Technology Industry Association, better known as CompTIA, was paying high salaries to its top executives, including a controversial $1 million bonus to then-CEO John Venator in 2006, despite the association's status as a nonprofit and tax-exempt organization.

    If other companies, like ISC2, could have a little light shined on them too, there would probably be details like this as well.

    And education is a big business with big profits, just spend some time Googling around and you'll see.

    I rest my case.