Is the CISSP still the pièce de résistance on resumes for security management roles?

This is not meant to be a certification vs. experience poll. From what I hear both internal to my organziation and external, the general consensus still seems to be that CISSP is the way to go if you want to move into security management/architecture/advisory type roles.
Feel free to add an opinion in the comments, but let's keep it relevant, civil, and objective.

Find more posts tagged with

Comments

JDMurray

Perception is reality; the perception by HR and hiring managers is that the CISSP is (still) something to highly value.

UnixGuy

I hold CISM and I don't have CISSP. I'm in management, no one seem to care about certs in management roles (in Australia, things may be different at your end).

I dont recall being rejected from a role for not having CISSP

E Double U

I voted other because at the level of jobs I look at I always see both. I think the people creating these vacancy descriptions have been instructed to simply list any (ISC)2 and ISACA credential they can think of.

JDMurray

UnixGuy said:
I dont recall being rejected from a role for not having CISSP

If the CISSP is required for a role and you do not have it, you will not be invited to interview for the position and therefore never know you were "rejected." Having the CISSP will increase your chances of being invited to a first-round interview.

UnixGuy

JDMurray said:

UnixGuy said:
I dont recall being rejected from a role for not having CISSP

If the CISSP is required for a role and you do not have it, you will not be invited to interview for the position and therefore never know you were "rejected." Having the CISSP will increase your chances of being invited to a first-round interview.

yeah I thought that should be case. In all honesty I interviewed for and got jobs where they had certain skills and certs as required and I didn't have them so there is that, I personally wouldn't reject a candidate for a management role based on a certificate, but maybe I'd require something like OSCP for pentest as an example.

JDMurray

UnixGuy said:
I personally wouldn't reject a candidate for a management role based on a certificate, ...

You may have to if you needed to conform to the compliance rules of a project contract. For example, if a project required that the manager of a security team have a CISSP or CISM then you'd need to hire to that requirement.

E Double U

UnixGuy said:

I don't recall being rejected from a role for not having CISSP

Maybe you are just blocking out the memory lol.

This makes me wonder though, has anyone ever been asked to show proof of their certifications let alone asked about them in the interview? Interviewed with NATO some years back and was required to bring physical copies of the certs. Even more years back I had a manager ask if I had obtained the CCNA yet. Outside of those two experiences I have not had any other remarks about any certifications during the hiring process in my 18 year career.

SteveLavoie

CISSP is still a thing I think if you want to work in IT Security. It is broadly recognized and it is worth the effort to get it and maintain it.

Info_Sec_Wannabe

What worked for me was the CISA (even though I'm not in Management). While CISSP is listed in the JDs of the positions I applied for, I don't think not having it results in an employee not being interviewed so long as he has other certs or credentials to boost his resume or his chances of getting interviewed.

And agree with @E Double U on employers not really verifying the authenticity of certs you put in your resume. While ISC2 and ISACA offers a way to verify those, no employer has asked me for my certificate number thus far.

UnixGuy

E Double U said:

UnixGuy said:

I don't recall being rejected from a role for not having CISSP

Maybe you are just blocking out the memory lol.

This makes me wonder though, has anyone ever been asked to show proof of their certifications let alone asked about them in the interview? Interviewed with NATO some years back and was required to bring physical copies of the certs. Even more years back I had a manager ask if I had obtained the CCNA yet. Outside of those two experiences I have not had any other remarks about any certifications during the hiring process in my 18 year career.

Honestly, no one has ever asked for proof for anything. I had one Defence engagement where they needed two certs for a specific accreditation but thats about it.

The only time when a cert made a difference was the GCFA for a SOC analyst role, the skills were needed but that's about it.

Now they look at my experience/certs/skills as a combination (management), but a single cert - I don't think so. An exception may be a service provider that's submitting a proposal where they need certain number of certified people, but I can't see this happening with CISSP. Maybe for some technical certs...who knows.

I'm not trying to persuade people to not do CISSP, I think it has one of the best return on investment as far as certs go, but in my case it didn't make a difference that's all. At the management level things are different, they prefer to see evidence that you managed certain environments for a number of years, that you are familiar with certain frameworks/technologies. I'm sure exceptions exist when it's more a technical team management (SOC/forensic/pentest) for example. The vast majority of managers/Directors/C-level have zero or one certs (in Australia...)

SteveLavoie

CISSP is a good cert to help you transition from a technical position to a more management or infosec job.

Mike7

CISSP, CISM and other ISC2/ISACA certs help get me into security field, it was a preferred job requirement. They also provide credibility when interacting with customers. I list the certs on my LinkedIn profile and link them to Credly digital badges; it attracts recruiters.

Understand CISSP is a requirement under DOD 8570 for govt roles in US.