Looks like ISC2 does not mind about needing experience for there certificatons

rob1234

CCSP Spotlight: James Simonetti - (ISC)2 Blog

Years in IT: 8
Years in cybersecurity: 1
[FONT=Arial, sans-serif]Cybersecurity certifications: CCSP, CISSP, Security+[/FONT]

[FONT=Arial, sans-serif]How you get the CISSP and CCSP with only 1 years security experience??
Assuming the 8 years in IT covered him but then why say only 1 year in cybersecurity?[/FONT]

cyberguypr

Maybe a case like mine. I've been doing security related functions forever but 100% dedicated cyber security stuff for just 4 years.

gespenstern

Is normal. Most infosec folks come from network, infrastructure or development backgrounds where they did IT for years. All of these backgrounds have something to do with security and corresponding knowledge is an essential part of the CISSP CBK.

I come from physical/electronic security background and while, unlike network or infrastructure, it has this magic word "security" in it, I can tell that it has less to do with the CISSP than network or infrastructure.

beads

The definition as to what is or is not acceptable changed many years ago under Tipton who demanded we increase the number of certified members over having more "purity" of experience. It was quite the shouting match between camps.

- b/eads

Mike7

The CISSP requirement is for 5 or more years of accumulated experience. Some of the cybersecurity folks I know have years of experience in network engineering, system engineering and/or application development. The knowledge and understanding helps.

Reminds me of this saying by Lesley Carhart
- To hack something (or defend it from hacking), you must have a solid understanding of how that thing works.

636-555-3226

All you need is a boss to sign the paperwork, the bar for proving your skillset is based primarily on the honor system, or at least it was way back in the day when I took it

markulous

Technically resetting passwords would count towards security experience. Heck, I worked as a security guard for a year and that should qualify as experience also.

beads

Has anyone heard of someone post they were denied on any board, at anytime? Ever?

Doubtful.

- b/eads

dhay13

I wondered about that myself. I worked in law enforcement for 6 years but also did armed security for 10 years. One of the contracts our company had was to watch the local water treatment plant after 9/11. we secured the perimeter and manned the gate but they also had a computer system and I'm sure a SCADA system. We didn't specifically secure the computer system but we indirectly did by securing the perimeter

ivx502

Before I sat for the CISSP I served in the military for four years. I did four years physical security and auditing before I transitioned to information security. I have heard of someone getting their experience declined, but that was only one person out of I don't know how many.

tedjames

beads wrote: »

Has anyone heard of someone post they were denied on any board, at anytime? Ever?

Doubtful.

- b/eads

I wasn't denied, but I was audited. I've known a few others who were audited. Just a temporary setback. You just have to resubmit your experience.

JDMurray

rob1234 wrote: »

How you get the CISSP and CCSP with only 1 years security experience??
Assuming the 8 years in IT covered him but then why say only 1 year in cybersecurity?

The CISSP certification requires "professional information security" experience, of which "cybersecurity" is only a subset. The blog author calling the CISSP (and CSSLP and Security+) a "cybersecurity certification" is inaccurate. All of these certs cover areas of InfoSec not found in cybersecurity.

rob1234

JDMurray wrote: »

The CISSP certification requires "professional information security" experience, of which "cybersecurity" is only a subset. The blog author calling the CISSP (and CSSLP and Security+) a "cybersecurity certification" is inaccurate. All of these certs cover areas of InfoSec not found in cybersecurity.

Never knew there was a known definition for cybersecurity?

JDMurray

rob1234 wrote: »

Never knew there was a known definition for cybersecurity?

It's a US Gov term; Google Search is your friend

https://www.dhs.gov/topic/cybersecurity

JockVSJock

tedjames wrote: »

I wasn't denied, but I was audited.

Its too bad that ISC doesn't audit the ethics of CISSP holders once they obtain the cert, since test taker are required to know and understand the code of ethics. I know of one CISSP that took part in domain squatting in order to make some cash and another that falsified their experience in order to test.

JockVSJock

Look at what I found:

https://www.isc2.org/ethics-complaint-procedures.aspx

JDMurray

The (ISC)2 doesn't actively monitor the public activities of it's cert holders for ethics violations. They rely mostly on verifiable reports of unethical behavior from their membership and other sources. Probably the same for SANS/GIAC too.

The auditing is random and normal for ensuring the quality and integrity of the (ISC)2 exam results.

beads

There is now a standing ethics committee but haven't heard of who is on it or of any proceedings.

- b/eads

JDMurray

My guess is that it privately investigate reports of unethical behavior within the (ISC)2 membership and is not a public-facing body.

JockVSJock

JDMurray wrote: »

The (ISC)2 doesn't actively monitor the public activities of it's cert holders for ethics violations. They rely mostly on verifiable reports of unethical behavior from their membership and other sources. Probably the same for SANS/GIAC too.

The auditing is random and normal for ensuring the quality and integrity of the (ISC)2 exam results.

Then why test for a code of ethics?

It going thru the motions to make as much money as possible...

JDMurray

Ethics is one of the topics in the Security and Risk Management domain of the CISSP CBK, so it is tested for. Also, if you are expecting your membership to follow a specific body of rules, you need to determine if they understand how they are expected to act and not to act. This does not come into play until after the CISSP exam is passed, but before endorsement is completed.

As for steering this discussion to "IT'S ALL A MONEY GRAB!!", there are much easier ways to make much more money as a USA business than offering InfoSec education and certification to the global community.

JockVSJock

JDMurray wrote: »

Ethics is one of the topics in the Security and Risk Management domain of the CISSP CBK, so it is tested for. Also, if you are expecting your membership to follow a specific body of rules, you need to determine if they understand how they are expected to act and not to act. This does not come into play until after the CISSP exam is passed, but before endorsement is completed.

As for steering this discussion to "IT'S ALL A MONEY GRAB!!", there are much easier ways to make much more money as a USA business than offering InfoSec education and certification to the global community.

Its a question of honesty and integrity, which leads us down a twisted and narrow path of "IT'S A MONEY GRAB!!!"

Why does ISC have rules, along with ethics part that is tested on, if they aren't enforced to those who have successfully passed?

They should just forgo the rules and ethics and let anybody and everybody test, who has the money, because a customer with money is a customer with money.

JDMurray

JockVSJock wrote: »

They should just forgo the rules and ethics and let anybody and everybody test, who has the money, because a customer with money is a customer with money.

I think you need to take up this issue directly with the (ISC)2.

JockVSJock

JDMurray wrote: »

I think you need to take up this issue directly with the (ISC)2.

I have a better chance of winner the lottery, then successfully discussing this issue with (ISC)2.

Admin it, these certs companies are a business, and their only goal is to make alot of money

JDMurray

JockVSJock wrote: »

Admin it, these certs companies are a business, and their only goal is to make alot of money

They are education businesses, but if their goal is to make a lot of money then they choose the wrong product.

rob1234

JDMurray wrote: »

It's a US Gov term; Google Search is your friend

https://www.dhs.gov/topic/cybersecurity

Do not see anywhere where they define cybersecurity? Just see the use of the buzzword a lot.

Also not being US I tend to prefer a more global definition, if you have one of them it would be great.

E Double U

JockVSJock wrote: »

these certs companies are a business, and their only goal is to make alot of money

Primary goal maybe, but not the only goal.

JockVSJock

JDMurray wrote: »

They are education businesses, but if their goal is to make a lot of money then they choose the wrong product.

IT certs must be a profitable product,

CompTIA Executive Compensation: Big Profits From Nonprofits - Page: 1 | CRN

Computing Technology Industry Association, better known as CompTIA, was paying high salaries to its top executives, including a controversial $1 million bonus to then-CEO John Venator in 2006, despite the association's status as a nonprofit and tax-exempt organization.

If other companies, like ISC2, could have a little light shined on them too, there are probably details like this as well.

And education is a big business with big profits, just spend some time Googling around and you'll see.

I rest my case.