Don't put much value in the CISSP

jadedsecurityjadedsecurity Registered Users Posts: 7 ■□□□□□□□□□
Take a read at this, and if your still not convinced there is an interesting article posted there as well on what their chief counsel thinks about security

JadedSecurity Who is to blame for the success of the latest round of attacks?
«1

Comments

  • docricedocrice Member Posts: 1,706 ■■■■■■■■■■
    I like the blog. Bookmarked. And I'm surprised they don't support Black Hat or Defcon. After all, attending Black Hat is supposed to support them CPEs, right?
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • GAngelGAngel Member Posts: 708 ■■■■□□□□□□
    I don't think I know anyone who's passed the exam that would consider it technical. Its a management exam for experienced techie's looking to make the transition nothing more or less.
  • jadedsecurityjadedsecurity Registered Users Posts: 7 ■□□□□□□□□□
    GAngel wrote: »
    I don't think I know anyone who's passed the exam that would consider it technical. Its a management exam for experienced techie's looking to make the transition nothing more or less.

    It's not supposed to be technical, my argument is that it shouldn't assure competency. I'm all for experienced technical guys taking the exam and breaking into the security piece. What I'm not for, is auditors who aren't technical and don't understand technology doing the same.
  • docricedocrice Member Posts: 1,706 ■■■■■■■■■■
    I think this point can be argued for practically any certification. I don't have a CISSP, so I can't comment on its difficulty nor its potential to make me more relevant as a practitioner. However, I do have several GIAC certs and GIAC is generally well-respected in the infosec community. So does this mean I'm competent? Yeah, right...

    Part of the problem lies in how the certification is accepted at a higher level. I know many management types who look for the CISSP on a candidate's resume. It's the only infosec cert with "safe" brand recognition that they're aware of and don't understand what it really is. To them, it's a pinnacle of achievement and they weigh it accordingly. From their eyes, there's the assumption of technical competency, and perhaps this is a failure (or success depending on how you look at it) on the part of the certification authority in providing an understanding of what the cert really measures.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • jadedsecurityjadedsecurity Registered Users Posts: 7 ■□□□□□□□□□
    docrice wrote: »
    I think this point can be argued for practically any certification. I don't have a CISSP, so I can't comment on its difficulty nor its potential to make me more relevant as a practitioner. However, I do have several GIAC certs and GIAC is generally well-respected in the infosec community. So does this mean I'm competent? Yeah, right...

    Part of the problem lies in how the certification is accepted at a higher level. I know many management types who look for the CISSP on a candidate's resume. It's the only infosec cert with "safe" brand recognition that they're aware of and don't understand what it really is. To them, it's a pinnacle of achievement and they weigh it accordingly. From their eyes, there's the assumption of technical competency, and perhaps this is a failure (or success depending on how you look at it) on the part of the certification authority in providing an understanding of what the cert really measures.

    That's exactly my point cert with experience is competency without its worthless. isc2 is a cash machine with a huge conflict of interest in how they run their business. Security practioners need to change the perception associated with the CISSP.
  • SephStormSephStorm Member Posts: 1,731 ■■■■■■■□□□
    Unfortunately theres not much chance of that happening. Even people who hate the CISSP with a passion for that reason, will end up taking it because they cant get through HR without it.
  • jadedsecurityjadedsecurity Registered Users Posts: 7 ■□□□□□□□□□
    SephStorm wrote: »
    Unfortunately theres not much chance of that happening. Even people who hate the CISSP with a passion for that reason, will end up taking it because they cant get through HR without it.

    Mine is going up on Ebay in line with a security conference I'm presenting at. Their code of ethics has nothing in terms of "Transferable"
  • onesaintonesaint Member Posts: 801
    SephStorm wrote: »
    Even people who hate the CISSP with a passion for that reason, will end up taking it because they cant get through HR without it.

    I know a respected data forensics engineer who tells me getting the CISSP is a waste because its too broad and doesnt really state you can do anything. Looking into the best certs to have though, finds the CISSP at the top of many lists. Go figure.
    Work in progress: picking up Postgres, elastisearch, redis, Cloudera, & AWS.
    Next up: eventually the RHCE and to start blogging again.

    Control Protocol; my blog of exam notes and IT randomness
  • tpatt100tpatt100 Member Posts: 2,991 ■■■■■■■■■□
    The CISSP like what was already mentioned is a higher level security cert. You can hire a bunch of super hacker white hat techies and your security will still suffer because somebody has to know how to design, manage, organize your security. I used to think the CISSP was just a way to get through the HR wall but realize now it taught me pretty solid foundation that allows me to explain the importance of security during an interview rather than throw out a bunch of techno babble.
  • onesaintonesaint Member Posts: 801
    tpatt100 wrote: »
    The CISSP like what was already mentioned is a higher level security cert. You can hire a bunch of super hacker white hat techies and your security will still suffer because somebody has to know how to design, manage, organize your security. I used to think the CISSP was just a way to get through the HR wall but realize now it taught me pretty solid foundation that allows me to explain the importance of security during an interview rather than throw out a bunch of techno babble.

    tpatt, did you get the CISSP, last out of your certs? It sounds like you have found it to be the binding that holds the six pack together (the cans being your other certs). What did you feel your needed prereq. wise before attaining the cert?
    Work in progress: picking up Postgres, elastisearch, redis, Cloudera, & AWS.
    Next up: eventually the RHCE and to start blogging again.

    Control Protocol; my blog of exam notes and IT randomness
  • Chris:/*Chris:/* Member Posts: 658 ■■■■■■■■□□
    I have noticed that after studying for the CISSP I can relate my technical knowledge to decision makers in a language they can understand.

    That being said since the DOD now views the CISSP as a IAT level III cert the problem will only get worse. The CISSP is not equivalent to a GSE but DoD views it in that light which causes all companies that work with the DoD to do the same to meet the compliance requirements of 8750.1M.
    Degrees:
    M.S. Information Security and Assurance
    B.S. Computer Science - Summa Cum Laude
    A.A.S. Electronic Systems Technology
  • JDMurrayJDMurray Admin Posts: 13,092 Admin
    It's not supposed to be technical, my argument is that it shouldn't assure competency.
    Please supply a link or reference to official (ISC)2 documentation that states their certifications "assure competency." I've never seen that direct claim made by any major certification organization.
  • colemiccolemic Member Posts: 1,569 ■■■■■■■□□□
    This is where the broadness of the CISSP comes into play. What you are defining as 'competency' is only one aspect of the information security spectrum. I am good example - I couldn't do malware analysis/reverse engineering to save my life. But I know policies and federal regulations, which are just as important in the IS sphere.

    You probably wouldn't call me competent, but that's ok. I know what I do, and I am good at it. I am very competent in my little corner of IS.
    Working on: staying alive and staying employed
  • chrisonechrisone Member Posts: 2,278 ■■■■■■■■■□
    In all honesty i have read over the topics that the CISSP covers and i believe all IT managers should have such a skill set. I liked many of the topics for my own personal use but the vast amount of topics and studying that it contains is to much for my interest in getting the cert. Anyhow, CISSP has great information, in all honesty i do not know of any other cert that comes close to it. In that said, i cant see how hiring personnel of IT managers, cannot look forward in having interests in individuals with such a skill set. I see it as the CCIE of security theory and management. The world of IT is less chaotic with more CISSPs behind management decisions IMO.

    Look at the topics how can you not value such a skill set for managing an enterprises network?

    Access Control
    Application Development Security
    Business Continuity and Disaster Recovery Planning
    Cryptography
    Information Security Governance and Risk Management
    Legal, Regulations, Investigations and Compliance
    Operations Security
    Physical (Environmental) Security
    Security Architecture and Design
    Telecommunications and Network Security
    Certs: CISSP, EnCE, OSCP, CRTP, eCTHPv2, eCPPT, eCIR, LFCS, CEH, SPLK-1002, SC-200, SC-300, AZ-900, AZ-500, VHL:Advanced+
    2023 Cert Goals: SC-100, eCPTX
  • Bl8ckr0uterBl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
    JDMurray wrote: »
    Please supply a link or reference to official (ISC)2 documentation that states their certifications "assure competency." I've never seen that direct claim made by any major certification organization.

    competence (ˈkɒmpɪtəns) dictionary_questionbutton_default.gif n 1. the condition of being capable; ability 2. a sufficient income to live on 3. the state of being legally competent or qualified 4. embryol the ability of embryonic tissues to react to external conditions in a way that influences subsequent development 5. linguistics performance langue Compare parole (in transformational grammar) the form of the human language faculty, independent of its psychological embodiment in actual human beings
    Notice number 1 and 3.

    I am sorry but this is a very weak argument. A certifying body isn't going to come out and say "Our certs don't mean you know anything" because no one would take the time to get the cert at all and no one would require it for their current and potential employees. The marketing department of the certifying body is going to push that cert until the market thinks it "means something". If the CCNA didn't have a "worth" and didn't prove a perceived compantancy, would anyone go after it? No not all. The CISSP is pushed by ISC2 as being the "ultimate" security cert and a lot of people in high places believe that. ISC2 makes it seems that if you have a CISSP you can secure pretty much anything and the market believes that. They make it seem that passing the exams proves ability and thus makes you competent.

    The bottom line is this: Certs are only as good as the people who hold them. There are probably CCIE's who know less than folks with CCNAs or Network+. Individual knowledge cannot be gauged from what certs a person has but unfortunately that is what hiring people do, that is why they want CCNP's instead of CCNA and CISSPs instead of security+ holders. I honestly have no idea why people defend or attack it so much. It is just a cert and like all the others suffers from the same problems as all certs. I guess maybe because a lot of CISSP certified people believe their own hype. Many of them are great but a lot aren't and they walk around like smiling bob. But again that isn't the fault of ISC2, that's the markets fault for believing them. ISC2 just wants to push a product and they need for that product to be looked at as the primeo. Just like cisco does with its certs and Microsoft does with their certs.
    chrisone wrote: »
    . The world of IT is less chaotic with more CISSPs behind management decisions IMO.

    You just proved my point entirely and you should like marketing for ISC2. You assume a CISSP can make better decisions because they are a CISSP (circular reasoning).

    And none of these are meant to be attacks on anyone who has the cert, wants the cert or anyone period. I respect all of you and I also respect ISC2 (mostly their hustle but they also seem to be giving back to the community which is good) . But it is just the truth. All certs only mean what the market says they mean. If the market says that the CCIE is no longer the top network cert and say the Network+ becomes the big dog, then having the network+ will make you an expert (IN THEIR EYES). In practice, that is a totally different story.
  • cabrillo24cabrillo24 Member Posts: 137
    ISC2 never has touted the CISSP as an all emcompassing security certificaiton that by achieving this certification that all your networks and technologies will be secure.

    #1. This is a vender neutral exam. This is not a technical exam utilizing technical solutions.

    #2. This exam is to test the competencies with regards to the exam objectives. Passing the exam along with the certification process shows that you meet their requirements to hold the certification and you show competency.

    #3. This exam is probably more appropriate for those who are part of the life cycle of a system or part of a steering committee. For those who are trying to find the best security choices with regards to business objectives.

    #4. Just because you have a CISSP doesn't make you an expert. This combined with your experience gives you credibility. For each person this will vary.

    These are just some of the points I wanted to bring across. I've been in multiple roles throughout my 10 year career, from a systems administrator, information assurance officer, vulnerability management, incident handling, auditing and systems management.
    Next Up...
    CCNA: Security (210-260)
    Date: TBD
  • cabrillo24cabrillo24 Member Posts: 137

    Notice number 1 and 3.

    I am sorry but this is a very weak argument. A certifying body isn't going to come out and say "Our certs don't mean you know anything" because no one would take the time to get the cert at all and no one would require it for their current and potential employees. The marketing department of the certifying body is going to push that cert until the market thinks it "means something". If the CCNA didn't have a "worth" and didn't prove a perceived compantancy, would anyone go after it? No not all. The CISSP is pushed by ISC2 as being the "ultimate" security cert and a lot of people in high places believe that. ISC2 makes it seems that if you have a CISSP you can secure pretty much anything and the market believes that. They make it seem that passing the exams proves ability and thus makes you competent.

    The bottom line is this: Certs are only as good as the people who hold them. There are probably CCIE's who know less than folks with CCNAs or Network+. Individual knowledge cannot be gauged from what certs a person has but unfortunately that is what hiring people do, that is why they want CCNP's instead of CCNA and CISSPs instead of security+ holders. I honestly have no idea why people defend or attack it so much. It is just a cert and like all the others suffers from the same problems as all certs. I guess maybe because a lot of CISSP certified people believe their own hype. Many of them are great but a lot aren't and they walk around like smiling bob. But again that isn't the fault of ISC2, that's the markets fault for believing them. ISC2 just wants to push a product and they need for that product to be looked at as the primeo. Just like cisco does with its certs and Microsoft does with their certs.



    You just proved my point entirely and you should like marketing for ISC2. You assume a CISSP can make better decisions because they are a CISSP (circular reasoning).

    And none of these are meant to be attacks on anyone who has the cert, wants the cert or anyone period. I respect all of you and I also respect ISC2 (mostl there hustle but they also seem to be giving back to the community which is good) . But it is just the truth. All certs only mean what the market says they mean. If the market says that the CCIE is no longer the top network cert and say the Network+ becomes the big dog, then having the network+ will make you an expert (IN THEIR EYES). In practice, that is a totally different story.

    I think the point the person was trying to make is that at the very least, someone with a CISSP certification would be in a position to align strategic alignment to the objectives of management vice someone who's never had the training or education or the exposure to this.

    Remember, it wasn't too long ago where security was just considered an IT thing, and system administrators did as they please. Now security is baked in to all aspects of the organization and our security professionals need to have that understanding. Security is simply not about applying patches, but understanding cost-benefit analysis, continuity, RPO, RTO, law and regularity compliance, user aware-ness etc.

    I'm not saying that the CISSP wil give you that knowledge, rather, it gives you a foundation of understanding the 30,000 foot view of security within an organization.
    Next Up...
    CCNA: Security (210-260)
    Date: TBD
  • JDMurrayJDMurray Admin Posts: 13,092 Admin
    The CISSP is pushed by ISC2 as being the "ultimate" security cert and a lot of people in high places believe that.
    Once again, you will need to supply me a reference to official (ISC)2 documentation that makes this claim. Simply saying "their marketing literature makes people believe this" is is a subjective opinion and not a definitive fact.
    The bottom line is this: Certs are only as good as the people who hold them.
    And when you make this judgement for the CISSP, be sure to consider all 70,000+ people that hold the certification. All too often people will judge a cert based on only a few cert holders, or on some second-hand information (or rumor) they they were told. People tend to retain negative information more than positive information, so negative stories are always present. Judgements based on extremely small sample sizes, and biased opinion, are not likely to be an accurate representation of the true situation.
    All certs only mean what the market says they mean. If the market says that the CCIE is no longer the top network cert and say the Network+ becomes the big dog, then having the network+ will make you an expert (IN THEIR EYES). In practice, that is a totally different story.
    If the only purpose of certification was to impress other people to get a job then this might be true. Certification, however, overlaps with education and experience. Pursuing certification is an excellent way to study new fields of learning, provide instruction in a classroom setting, engage in an intellectual hobby, or understand just what the heck the people you manage do for a living. Certs must have a meaning to the cert holder first to be of any value.
  • chrisonechrisone Member Posts: 2,278 ■■■■■■■■■□
    cabrillo24 wrote: »
    I think the point the person was trying to make is that at the very least, someone with a CISSP certification would be in a position to align strategic alignment to the objectives of management vice someone who's never had the training or education or the exposure to this.

    Remember, it wasn't too long ago where security was just considered an IT thing, and system administrators did as they please. Now security is baked in to all aspects of the organization and our security professionals need to have that understanding. Security is simply not about applying patches, but understanding cost-benefit analysis, continuity, RPO, RTO, law and regularity compliance, user aware-ness etc.

    I'm not saying that the CISSP wil give you that knowledge, rather, it gives you a foundation of understanding the 30,000 foot view of security within an organization.

    This is exactly why there is certs and education. You hit the nail right on the spot. It is all about proving you have the training and education. It is better to be educated and have the skills necessary to make decisions.

    Lets face it, everyone here if we had our own multi-million or billion dolar companies, knowing what we know, since I assume we all work in IT here, we would hire those individuals with he high end certs. I wouldnt trust my company's security with anyone that doesnt have those high end certs IMO.

    JDMurray wrote: »
    If the only purpose of certification was to impress other people to get a job then this might be true. Certification, however, overlaps with education and experience. Pursuing certification is an excellent way to study new fields of learning, provide instruction in a classroom setting, engage in an intellectual hobby, or understand just what the heck the people you manage do for a living. Certs must have a meaning to the cert holder first to be of any value.

    Exactly! i dont believe certs are made to make a profit.
    Certs: CISSP, EnCE, OSCP, CRTP, eCTHPv2, eCPPT, eCIR, LFCS, CEH, SPLK-1002, SC-200, SC-300, AZ-900, AZ-500, VHL:Advanced+
    2023 Cert Goals: SC-100, eCPTX
  • Bl8ckr0uterBl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
    JDMurray wrote: »
    Once again, you will need to supply me a reference to official (ISC)2 documentation that makes this claim. Simply saying "their marketing literature makes people believe this" is is a subjective opinion and not a definitive fact.
    CISSP certification is not only an objective measure of excellence, but a globally recognized standard of achievement.

    The Certification That Inspires Utmost Confidence
    The CISSP credential demonstrates competence
    icon_lol.gif

    Just thought that was funny
    JDMurray wrote: »
    And when you make this judgement for the CISSP, be sure to consider all 70,000+ people that hold the certification. All too often people will judge a cert based on only a few cert holders, or on some second-hand information (or rumor) they they were told. People tend to retain negative information more than positive information, so negative stories are always present. Judgements based on extremely small sample sizes, and biased opinion, are not likely to be an accurate representation of the true situation.

    I have spoken to idk maybe 40 CISSP certified people. I will not go out and survey 70k people. I can tell you without doing that any cert is only as good as the person that holds them. I don't need to go and talk to every CISSP to determine that.

    JDMurray wrote: »
    If the only purpose of certification was to impress other people to get a job then this might be true. Certification, however, overlaps with education and experience. Pursuing certification is an excellent way to study new fields of learning, provide instruction in a classroom setting, engage in an intellectual hobby, or understand just what the heck the people you manage do for a living. Certs must have a meaning to the cert holder first to be of any value.

    For those people who use certs as a hobby, sure maybe certs have a different meaning. But for those of us trying to get/keep jobs, certifications are about that skrilla. Nothing else applies. I can assure you that the vast majority of CISSPs (or X certification) holders aren't going after those certs for fun or for interest. Certs are an investment and you expect to get something out of them and most of the time, that something is money.


    I think you are taking everything I say about the CISSP personally which was not my intention. It's not like I am saying "JD you don't know security" because I'm not. I am also not saying all CISSPs are stupid. I am not saying that either. BUT what I am saying is that those people need to be measured individually and just because you have X cert doesn't mean you are an expert and it doesn't mean you know more than someone else who doesn't have that cert. It doesn't mean you know less either.

    Maybe it took you a while to get that cert and you are proud of it, which I can understand, I feel the same way about the CCNA. But seriously it is just a cert, nothing to get all religious about. Maybe if I get the CISSP I will understand why people get on here and fight tooth and nail over it, but probably not.



    chrisone wrote: »
    Lets face it, everyone here if we had our own multi-million or billion dolar companies, knowing what we know, since I assume we all work in IT here, we would hire those individuals with he high end certs. I wouldnt trust my company's security with anyone that doesnt have those high end certs IMO.

    Why? Because you assume that a person with a particular cert is has certain skills and knowledge right? :)
  • onesaintonesaint Member Posts: 801
    chrisone wrote: »
    Exactly! i dont believe certs are made to make a profit.


    Chris, I respect certs because I am studying for one and know what kind of work goes into it. Additionally, the folks I personally know who have certs are well qualified to be certified in whatever area they are certified in.

    That all said, I must respectfully disagree. As much as an organization desires to ensure a candidate is qualified, there in it to make a buck as well. Otherwise tests wouldnt cost so much, nor would there be upkeep cost. Really, organization and proctoring isnt that expensive.
    Work in progress: picking up Postgres, elastisearch, redis, Cloudera, & AWS.
    Next up: eventually the RHCE and to start blogging again.

    Control Protocol; my blog of exam notes and IT randomness
  • cabrillo24cabrillo24 Member Posts: 137
    icon_lol.gif

    Just thought that was funny



    I have spoken to idk maybe 40 CISSP certified people. I will not go out and survey 70k people. I can tell you without doing that any cert is only as good as the person that holds them. I don't need to go and talk to every CISSP to determine that.




    For those people who use certs as a hobby, sure maybe certs have a different meaning. But for those of us trying to get/keep jobs, certifications are about that skrilla. Nothing else applies. I can assure you that the vast majority of CISSPs (or X certification) holders aren't going after those certs for fun or for interest. Certs are an investment and you expect to get something out of them and most of the time, that something is money.


    I think you are taking everything I say about the CISSP personally which was not my intention. Maybe it took you a while to get that cert and you are proud of it, which I can understand, I feel the same way about the CCNA. But seriously it is just a cert, nothing to get all religious about. Maybe if I get the CISSP I will understand why people get on here and fight tooth and nail over it, but probably not.

    If and when you obtain this certification, please refer back to this topic, will be pretty interesting to see what your views are then after you're introduced to the material. I think we've given you plenty of examples of the value of this certification and what its intended for and what its not intended for.
    Next Up...
    CCNA: Security (210-260)
    Date: TBD
  • Bl8ckr0uterBl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
    cabrillo24 wrote: »
    If and when you obtain this certification, please refer back to this topic, will be pretty interesting to see what your views are then after you're introduced to the material. I think we've given you plenty of examples of the value of this certification and what its intended for and what its not intended for.


    I thought this was interesting:

    The CISSP credential is ideal for mid- and senior-level managers who are working
    toward or have already attained positions as CISOs, CSOs or Senior Security Engineers.
    CISSP professional work experience will typically include:
    • Work requiring special education or intellectual attainment,
    usually including a liberal education or college degree.
    • Work requiring habitual memory of a body of knowledge shared
    with others doing similar work.
    • Management of projects and/or other employees.
    • Supervision of the work of others while working with a
    minimum of supervision of one’s self.
    • Work requiring the exercise of judgment, management
    decision-making, and discretion.
    • Creative writing and oral communication.
    • Teaching, instructing, training and the mentoring of others.
    • Research and development.
    • The specification and selection of controls and mechanisms (i.e. identification and
    authentication technology, not the mere operation of these controls).
  • cabrillo24cabrillo24 Member Posts: 137
    That's exactly my point cert with experience is competency without its worthless. isc2 is a cash machine with a huge conflict of interest in how they run their business. Security practioners need to change the perception associated with the CISSP.

    Youre required to hold a certain number of years of experience related to the domains of the exam. Once you apply for certification, you must be validated by another person holding the certification or audited by ISC2 to validate your experience.
    Next Up...
    CCNA: Security (210-260)
    Date: TBD
  • cabrillo24cabrillo24 Member Posts: 137
    I thought this was interesting:

    Ok? Your point? I do realize you have a contrarian attitude on these boards, but I'm really trying to understand your point of view. It just seems as if you're reaching and almost makes me not want to reply anymore, because you're pretty much stuck with your view no matter how much we explain things to you. Best of luck if and when you decide to go after that certification, maybe then you'll have a better understanding when you've been exposed to the material and the certification process. By no means an attack on your character. Just didn't want to make this a never ending discussion.
    Next Up...
    CCNA: Security (210-260)
    Date: TBD
  • L0gicB0mb508L0gicB0mb508 Member Posts: 538
    I'll throw my two cents in just for funsies. I don't hold the CISSP to a very high standard either. It is the gold standard of security certifications for whatever reason, but personally I just don't see it. I see too many people with the certification that really don't impress me, especially with all the requirements needed to get it. I'm not saying everyone with a CISSP is an idiot or anything, but it seems that certification draws them in because it's the cert to have. With that being said, I will probably end up taking it at some point just because everyone wants it. It would be more of a check box for me than anything else.
    I bring nothing useful to the table...
  • cabrillo24cabrillo24 Member Posts: 137
    I'll throw my two cents in just for funsies. I don't hold the CISSP to a very high standard either. It is the gold standard of security certifications for whatever reason, but personally I just don't see it. I see too many people with the certification that really don't impress me, especially with all the requirements needed to get it. I'm not saying everyone with a CISSP is an idiot or anything, but it seems that certification draws them in because it's the cert to have. With that being said, I will probably end up taking it at some point just because everyone wants it. It would be more of a check box for me than anything else.

    It's the most recognized and popular security certification, but by no means does it make you an expert in anything. You do require a certain amount of experience that ties in with domain objectives, and the test is definitely a challenge.

    As with any vender neutral certification, it merely serves a foundation when combined with your experience gives you a certain amount of credibility.

    I think the people that don't grasps the importance of this certification or appreciate its difficulty tend to be those who serve in engineering/systems administration roles or tend to believe security is an IT thing. The CISSP gives you that 30,000 foot view.

    By no means does this certification make anyone an expert, but it is a difficult exam, requires a certain amount of experience and is costs a pretty penny to obtain. You personally may not be impressed with certain CISSP's; however, they were able to pass the exam. Granted, their certification status may not be applicable to their job, but people need to get out of the mantra of "well if you have your CISSP you should be good in this..." It doesn't work like that.

    Just as with any certification, there are those who make you scratch your head, but in my line of work, there are nothing but talented CISSPs who are doing very well for themselves.

    But it often seems that the people who critique the CISSP certification, often are the ones who don't have the certification. To me it's an extremely valuable certification, and has really been applicable to what I do career wise and has set a foundation for my other studies. Not to mention the monetary compensation.

    As the saying goes...don't knock it, until you try it.
    Next Up...
    CCNA: Security (210-260)
    Date: TBD
  • L0gicB0mb508L0gicB0mb508 Member Posts: 538
    cabrillo24 wrote: »
    I think the people that don't grasps the importance of this certification or appreciate its difficulty tend to be those who serve in engineering/systems administration roles or tend to believe security is an IT thing. The CISSP gives you that 30,000 foot view.

    I don't work in engineering or systems administration. I am however experienced in managing/performing security testing, audits, and compliance efforts. I also have done hands on packet level security work. To be honest I actually respected the cert more when I was a sysadmin.
    cabrillo24 wrote: »
    By no means does this certification make anyone an expert, but it is a difficult exam, requires a certain amount of experience and is costs a pretty penny to obtain. You personally may not be impressed with certain CISSP's; however, they were able to pass the exam. Granted, their certification status may not be applicable to their job, but people need to get out of the mantra of "well if you have your CISSP you should be good in this..." It doesn't work like that.

    I'm sorry, but passing an exam doesn't really earn my respect. I have no doubt its a difficult exam, as I have read CISSP study material. I know it doesn't make you particularly good at one thing or the other, however the perception that the CISSP is the best security certification out there is getting old.
    cabrillo24 wrote: »
    But it often seems that the people who critique the CISSP certification, often are the ones who don't have the certification. To me it's an extremely valuable certification, and has really been applicable to what I do career wise and has set a foundation for my other studies. Not to mention the monetary compensation.

    As the saying goes...don't knock it, until you try it.

    I chose not to take the exam. I read material to even possibly take the exam at one point. To get my DoD IA Tech III certification I chose GCIH over CISSP.

    I'm just sharing my opinion on why I think the CISSP is overhyped beyond belief. I realize you have the certification, and I'm glad you find value in it. I actually mentioned in my post I will end up taking it at some point.
    I bring nothing useful to the table...
  • cabrillo24cabrillo24 Member Posts: 137
    I don't work in engineering or systems administration. I am however experienced in managing/performing security testing, audits, and compliance efforts. I also have done hands on packet level security work. To be honest I actually respected the cert more when I was a sysadmin.



    I'm sorry, but passing an exam doesn't really earn my respect. I have no doubt its a difficult exam, as I have read CISSP study material. I know it doesn't make you particularly good at one thing or the other, however the perception that the CISSP is the best security certification out there is getting old.



    I chose not to take the exam. I read material to even possibly take the exam at one point. To get my DoD IA Tech III certification I chose GCIH over CISSP.

    I'm just sharing my opinion on why I think the CISSP is overhyped beyond belief. I realize you have the certification, and I'm glad you find value in it. I actually mentioned in my post I will end up taking it at some point.

    Based of what you say your duties are the CISSP is more applicable to what you do than the GCIH.

    You stated your opinion as to why it's over hyped but yet you haven't gone through the process or sat the exam. I'm not saying you should respect the person who has the CISSP, but respect the fact that they passed a difficult exam. It's not a walk in the park.

    There is no "best security certification" out there as every environment is different when it comes to security, security tolerance and the different threats to business or operations. The reason why the CISSP is popular is because it lays a very solid foundation with core concepts of security ideologies.

    Once you go through it, study and earn your CISSP certification, you'll certainly appreciate it more and understand what its really all about. I don't believe the certification is over-hyped, rather its not understood for what it is.

    And just for fun, I know people with GCIH that I wouldn't trust to work on an incident response team ;) but as we all know, some people hold certifications and it makes us scratch are head, but I don't dismiss the validity or importance of the GCIH or any certification for that matter.
    Next Up...
    CCNA: Security (210-260)
    Date: TBD
  • Bl8ckr0uterBl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
    This is my last post on this subject
    cabrillo24 wrote: »
    Ok? Your point? I do realize you have a contrarian attitude on these boards..

    My point is this: Certs are only as good as the people who have them and the thing is, I think you agree because of what you said here:

    cabrillo24 wrote: »
    some people hold certifications and it makes us scratch are head

    That is my point entirely. CISSP or otherwise there are some dumbasses that hold the cert. Period.

    Also you cannot say that it is a managers cert since ISC2 itself says that it is a cert for senior technical folks as well.
    The CISSP credential is ideal for mid- and senior-level managers who are working
    toward or have already attained positions as CISOs, CSOs or Senior Security Engineers.
    For you to say that it isn't understood is at best, simply bad wording and at worse a snob appeal argument. It is clear what it is for, ISC2 says it is. These are the most important parts to me:
    Work requiring the exercise of judgment, management
    decision-making, and discretion.
    • Creative writing and oral communication.
    • Teaching, instructing, training and the mentoring of others.
    • Research and development.
    • The specification and selection of controls and mechanisms (i.e. identification and
    authentication technology, not the mere operation of these controls).
    Look at the 3rd and 4th bullet points. Understanding the theory behind X isn't enough, you need to have the nitty gritty knowledge that can only be obtained by through labbing, experience, and hard work. That's how I feel about it.
    cabrillo24 wrote: »
    You're required to hold a certain number of years of experience related to the domains of the exam. Once you apply for certification, you must be validated by another person holding the certification or audited by ISC2 to validate your experience.

    When I see this, I say as I have said so many times before, what about the Associate of CISSP/ISC2? What about those folks with a year of experience sitting the exam? It is highly unlikely that they mean bullet points three and four from above or the others from my previous post. I know those people are putting associate of ISC2 on their resume and getting their resumes in with those CISSPs that have 5 years of experience and more. If ISC2 was trying to be the binding that holds the coke cans together, they wouldn't let people who were a few coke cans short of a six pack take their test. They are about scrilla. Point blank.

    Idk I am pretty much done with this conversation. Not because it isn't interesting or anything just because until I get the CISSP you (and everyone else) are going to filter my opinion through the fact that I don't have the CISSP. I probably won't be thinking about that for a while. Probably another year until I even think about taking it. And the only reason why I would take that cert is simply because HR folks want it. Not for any other reason besides that.
This discussion has been closed.