Is too many CISSP a bad thing?

Bokeh Member Posts: 1,636

Comments

  • Everyone Member Posts: 1,661
    I don't think more is bad as long as the standard required to obtain it isn't made easier.

    If they make it too easy to get just to boost numbers, then the cert will certainly lose its value. If they can increase numbers without making it any easier to get, it should still be held in the same high regard it has been.
  • colemic Member Posts: 1,569
    Next-to-last sentence of the article sums it up best (IMO):
    “They’re concentrating more on reaching out to new people than serving the people they’ve already got,” McKeay said.

    I think in the future, ISC(2) will have to implement more technical aspects to the tests, if for no other reason to counter paper tigers.
    Working on: staying alive and staying employed
  • badrottie Member Posts: 116
    In comparison, in the US there are approximately (Using Google, so the accuracy of these numbers is by no means guaranteed, and therefore just used for illustration purposes):
    • 100,000 architects
    • 370,000 CPAs
    • 800,000 physicians
    • 1,200,000 lawyers
    • 1,500,000 engineers
    My thoughts are that if the CISSP is to become as well recognized and viewed as a legitimate career choice as the above professions, it needs to increase the number of practitioners while not decreasing the underlying requirements. If they stay true to the existing standards, the credential will still hold value.
  • JDMurray Admin Posts: 13,091
    colemic wrote: »
    “They’re concentrating more on reaching out to new people than serving the people they’ve already got,” McKeay said.
    This is an apples-and-oranges comparison. Recruitment must always be aggressive to continue attracting new members, while offering resources must be carefully planned to determine what the membership needs and the cost-effective way to supply it. You can make the same "complaint" about any organization that looks for new customers to provide services to, such as retail Web sites, membership grocery stores, and media and telecommunications providers.

    For example:

    "Verizon is more concerned with getting new customers than it is serving the customers it has!"

    Does that statement really make sense?
  • colemic Member Posts: 1,569
    But if you take good care of the members, wouldn't the whole marketing piece require considerably less effort? I get that ISC(2) has to promote their brand, but not at the expense of alienating members, and leading them to think that the brand itself is not worth the cost. That word-of-mouth goes a lot further than all the marketing dollars you can throw at it.
  • JWit Registered Users Posts: 7
    I'm by no means an expert, nor do I claim to be, but I am someone who is extremely interested in becoming a CISSP. I agree that word of mouth is the most powerful marketing tool ISC2 has. What has drawn me to the CISSP is the high regard it carries throughout the infosec world, and that regard is held because of the sheer difficulty of obtaining the cert. If they were to "dumb" the cert down or lower their standards, that regard is lost. The old saying holds true here: "if it were easy, everyone would get it". The difficulty of the cert is what will ultimately keep its value.
  • powerfool Member Posts: 1,666
    Well, the DoD 8570 really mixed things up, too. (ISC)2 really envisioned a greater number of SSCPs, in the ballpark of 5:1 with the CISSP. I see people going for the concentrations to separate themselves from others.
    2024 Renew: [ ] AZ-204 [ ] AZ-305 [ ] AZ-400 [ ] AZ-500 [ ] Vault Assoc.
    2024 New: [X] AWS SAP [ ] CKA [ ] Terraform Auth/Ops Pro
  • JDMurray Admin Posts: 13,091
    powerfool wrote: »
    (ISC)2 really envisioned a greater number of SSCPs, in the ballpark of 5:1 with the CISSP.
    I've never seen a marketing campaign for the SSCP that could produce anywhere near that ratio. I haven't looked at the numbers lately, but I would guess the current CISSP-to-SSCP ratio is around 80:1. The (ISC)2 better start spending the advertising dollars if they want the SSCP to look more attractive to new candidates than it has.
  • Chivalry1 Member Posts: 569
    Very good article. I must admit that some of the opinions expressed here are valid concerns. I often think that ISC should look more into investing in current CISSP members. You pay the yearly membership fee to maintain an active status, but what are my returns? I'm of the opinion that ISC should be wary of this campaign to obtain more CISSP members. I understand the business need to generate revenue for an organization. But it can have a negative backlash. I was recently on a certain job site and saw a posting for an Information Security Analyst 1. "Requirements CISSP AND CISA, 1 year of information security experience at an annual pay rate of $45,000." Simply ridiculous!

    Must maintain the difficulty of the exam and the qualifications for obtaining the cert. I have heard of some 'clueless' CISSPs out there, but can't say I have ever met one.
    "The recipe for perpetual ignorance is: be satisfied with your opinions and
    content with your knowledge. " Elbert Hubbard (1856 - 1915)
  • JDMurray Admin Posts: 13,091
    Chivalry1 wrote: »
    I was recently on a certain job site and saw a posting for an Information Security Analyst 1. "Requirements CISSP AND CISA, 1 year of information security experience at an annual pay rate of $45,000." Simply ridiculous!
    This job posting was written by someone who had no clue of what InfoSec certifications are or what InfoSec people are worth. I don't see how the (ISC)2 can be held responsible for unreasonable job requisitions that can be written by anyone who doesn't understand the market. It's likely the job req's author doesn't even know (or care) what the (ISC)2 is.
  • Chivalry1 Member Posts: 569
    JDMurray wrote: »
    This job posting was written by someone who had no clue of what InfoSec certifications are or what InfoSec people are worth. I don't see how the (ISC)2 can be held responsible for unreasonable job requisitions that can be written by anyone who doesn't understand the market. It's likely the job req's author doesn't even know (or care) what the (ISC)2 is.

    I agree (ISC)2 is not at fault. My point was (ISC)2 should do their best to ensure that they are certifying qualified individuals. The more unqualified/least experienced individuals (ISC)2 may certify will cheapen the certification and drive the qualification down. And in turn those individuals will accept Level 1 analyst positions, such as the above, consequently setting a new standard. As more unqualified CISSPs are produced, the more common these postings will become. Which is the reason now every Help Desk/PC Technician job requires an MCSE.

    If their aim is to educate the technology community on the importance of Info Sec, I am all for it. But if this is an attempt to generate massive revenue to satisfy the egos of greedy (ISC)2 executives, then that will be their downfall. Because in that process of rolling out more CISSPs with Tipton's "High-Growth strategy" the focus will shift from education to profitability. This is the type of business model most hospitals are applying. (I will save that story for another post) :) In short, there is a reason why Lamborghini does not make an economy model.
  • JWit Registered Users Posts: 7
    Are you saying that they should do away with the ability to become an Associate CISSP?
  • JDMurray Admin Posts: 13,091
    Chivalry1 wrote: »
    But if this is an attempt to generate massive revenue to satisfy the ego's of greedy (ISC)2 executives then that will be there downfall.
    Where on Earth do you see evidence that this type of attitude is embodied by the (ISC)2? Are you sure that you aren't just transferring past baggage you have from somewhere else on to the (ISC)2--and possibly other organizations--too?
  • ptilsen Member Posts: 2,835
    Chivalry1 wrote: »
    Which is the reason now every Help Desk/PC Technician job requires an MCSE.
    Sorry, but in my six years of working in this industry I've never even heard of an entry-level Helpdesk or DST job that actually required even MCSA. Yes, I've seen ads that list MCSE as a cert to have, but I've never actually seen an entry-level job like that require a high-level Microsoft cert. And I don't know of many MCSEs working in helpdesk or DST positions -- most MCITP:EAs/MCSEs, in my opinion, are not bootcampers or braindumpers who lack the actual knowledge to do the server admin/engineer jobs they have.

    I don't have much to say on CISSP, but I have to reject the notion that MCSE has been cheapened to the extent you claim. MCSA, MCSE, MCITP:SA/EA still means something to a lot of employers for mid-to-high level systems job. They're not bare-minimum-to-work certs like A+ (for example).

    Edit: Actually, I do have something to say. A big part of the value of CISSP, to me, comes from the work experience requirement. I will say CISSP probably shouldn't get any easier, because it's already "a mile wide and an inch deep", but it doesn't need to get any harder, either. It seems like a good collection of material and the work experience requirement sifts out those who are not qualified to be CISSPs. If anything, they should probably be doing more work experience audits. This is coming from someone who can't even pursue CISSP due to not being able to meet the experience requirement without some pretty big exaggerations.
    Working B.S., Computer Science
    Complete: 55/120 credits SPAN 201, LIT 100, ETHS 200, AP Lang, MATH 120, WRIT 231, ICS 140, MATH 215, ECON 202, ECON 201, ICS 141, MATH 210, LING 111, ICS 240
    In progress: CLEP US GOV,
    Next up: MATH 211, ECON 352, ICS 340
  • joshmadakor Member Posts: 495
    Chivalry1 wrote: »
    I was recently on a certain job site and saw a posting for an Information Security Analyst 1. "Requirements CISSP AND CISA, 1 year of information security experience at an annual pay rate of $45,000." Simply ridiculous!
    Except it's theoretically impossible for someone to have only 1 year of experience and a CISSP. HR...

    I know I don't need to post this but, source: https://www.isc2.org/cissp-professional-experience.aspx
    WGU B.S. Information Technology (Completed January 2013)
  • tpatt100 Member Posts: 2,991
    Don't know what ISC2 has to do for its current "customers" that it cannot work on expanding its numbers. I pretty much only use the ISC2 site to enter in my training records for CPE and pay my annual dues. Besides, the certs are only a multiplier to experience and other achievements. So if somebody has to fudge their way to qualifying to take the exam and actually pass it, oh well, I don't consider them too much of a threat to me since I had more than enough experience to qualify and work accomplishments.
  • afcyung Member Posts: 212
    Every cert suffers from inflation. The more people that are certified, the more common it becomes and the value can decrease. However, that doesn't have to happen to the CISSP. The CISSP is sold as a management level cert, or at least for the veteran Info Sec professional. What I pulled out of the article is that there is a lack of certified Info Sec people to fill the growing need. What I didn't see was that ISC2 was only going to try and swell the CISSP ranks specifically. They should try and elevate the SSCP to a similar status as the CISSP. It's not really feasible to swell the CISSP ranks without either targeting people who already have the experience or lessening the requirement. I don't believe that ISC2 will lessen the experience requirement because that is one of the defining things about the CISSP cert. It would be nice if ISC2 offered other certs that targeted different areas of Info Sec land, similar to SANS.
  • ptilsen Member Posts: 2,835
    afcyung wrote: »
    Every cert suffers from inflation. The more people that are certified, the more common it becomes and the value can decrease.
    Yes and no. A cert that almost no one has will not achieve as much name recognition, and therefore not increase one's value. For example, GIAC certs are high-level, expensive, and well respected by infosec professionals, the DoD, etc. However, they are not commonly held, and not well known outside of specific verticals, and as such only have vertical-specific value. More GIAC holders would definitely enhance the value of the certification for existing holders.

    I feel like CISSP is more well known, and the same is not true, or at least not true to the same extent.
  • tpatt100 Member Posts: 2,991
    ISC2 should focus on creating a couple of mid level security certs that are administrative and technical in nature. Leave the CISSP for upper level administration and management rather than its current status as a "must have security cert" no matter what your role is.
  • ptilsen Member Posts: 2,835
    tpatt100 wrote: »
    ISC2 should focus on creating a couple of mid level security certs that are administrative and technical in nature. Leave the CISSP for upper level administration and management rather than its current status as a "must have security cert" no matter what your role is.
    I feel like the SSCP should cover this, but it doesn't seem very popular. I feel like both from administrative and technical sides, there is a huge gap between Security+ (entry-level) and CISSP and GIAC's lineup (high-level). SSCP and CASP should fill this gap, but CASP is still pretty much unknown and SSCP just isn't that popular with professionals or employers, from what I've seen.
  • Chivalry1 Member Posts: 569
    JDMurray wrote: »
    Where on Earth do you see evidence that this type of attitude is embodied by the (ISC)2? Are you sure that you aren't just transferring past baggage you have from somewhere else on to the (ISC)2--and possibly other organizations--too?

    Not at all. Only that attempting to saturate the market with a certification brand will only cheapen the certification and produce more unqualified individuals. (ISC)2 should focus its efforts on its current members, who pay an annual fee, vs attempting to produce more CISSP pods.
  • Chivalry1 Member Posts: 569
    ptilsen wrote: »
    Sorry, but in my six years of working in this industry I've never even heard of an entry-level Helpdesk or DST job that actually required even MCSA. Yes, I've seen ads that list MCSE as a cert to have, but I've never actually seen an entry-level job like that require a high-level Microsoft cert. And I don't know of many MCSEs working in helpdesk or DST positions -- most MCITP:EAs/MCSEs, in my opinion, are not bootcampers or braindumpers who lack the actual knowledge to do the server admin/engineer jobs they have.

    I don't have much to say on CISSP, but I have to reject the notion that MCSE has been cheapened to the extent you claim. MCSA, MCSE, MCITP:SA/EA still means something to a lot of employers for mid-to-high level systems job. They're not bare-minimum-to-work certs like A+ (for example).

    Edit: Actually, I do have something to say. A big part of the value of CISSP, to me, comes from the work experience requirement. I will say CISSP probably shouldn't get any easier, because it's already "a mile wide and an inch deep", but it doesn't need to get any harder, either. It seems like a good collection of material and the work experience requirement sifts out those who are not qualified to be CISSPs. If anything, they should probably be doing more work experience audits. This is coming from someone who can't even pursue CISSP due to not being able to meet the experience requirement without some pretty big exaggerations.

    I hear and see them all the time requiring MCSE. Check out this job:

    Search Jobs | Crystal Equation
  • ptilsen Member Posts: 2,835
    I have little doubt they will almost certainly A. Hire someone who doesn't have an MCSE, or B. Not fill the position. Heck, it's not even just about skill level. That position has almost no correlation with the materials covered on any exam you can take to get MCSA, and absolutely none with the exams you can take to get MCSE.

    MCSE has big name recognition, so HR departments use it. That doesn't mean they actually want it or even know what it is. As I've said and I've seen others say in so many "jobs" threads on this site, most job ads say "requirements" but mean "it would be amazing if you had all of this." The same problem may start to occur with CISSP, but that's only bad to the extent that it makes finding the right job difficult at times.
  • JDMurray Admin Posts: 13,091
    afcyung wrote: »
    Every cert suffers from inflation. The more people that are certified, the more common it becomes and the value can decrease.
    "Certification" is an assurance that a person possesses a certain level of knowledge/skill in specific areas of learning. The worth of a certification is in how well it measures the knowledge/skills of a person and how valuable (marketable) the area of learning is, not in how many people do or don't have the certification. Making a certification difficult to achieve doesn't automatically make it desirable or worthwhile to obtain.
  • afcyung Member Posts: 212
    Absolutely agree JD. I think this article explains my thoughts best.

    Academic inflation - Wikipedia, the free encyclopedia

    Replace degree with certification and you can see my thinking. It's also something that can be avoided. I don't believe that swelling the ranks of the CISSP will cause a sudden devaluation of the cert, but if you have 200k CISSPs chasing 180K infosec jobs, it is no longer a cert that can be used to weed people out. Do I think we are there yet? No.

    JDMurray wrote:
    Making a certification difficult to achieve doesn't automatically make it desirable or worthwhile to obtain
    I agree and disagree; making a cert super easy to achieve doesn't automatically make it desirable either. I think it's important for ISC2 to keep the integrity of the cert in place; it should be difficult, but not impossible. What I like about the CISSP is the experience requirement; it isn't something that can be brain dumped.
  • JDMurray Admin Posts: 13,091
    afcyung wrote: »
    but if you have 200k CISSPs chasing 180K infosec jobs, it is no longer a cert that can be used to weed people out.
    Even if that were the case, there's still no problem. Having--or not having--a particular certification is only one of many criteria used to determine who to hire. Having too many available hiring candidates with a desirable cert is a good thing for employers, because it means there is a large selection of (potentially) qualified candidates from which to choose. Having only a few available candidates with a desirable cert makes the likelihood of hiring one small, and therefore other criteria must be used to determine the best candidate.
  • colemic Member Posts: 1,569
    ptilsen wrote: »
    I have little doubt they will almost certainly A. Hire someone who doesn't have an MCSE, or B. Not fill the position. Heck, it's not even just about skill level. That position has almost no correlation with the materials covered on any exam you can take to get MCSA, and absolutely none with the exams you can take to get MCSE.

    MCSE has big name recognition, so HR departments use it. That doesn't mean they actually want it or even know what it is. As I've said and I've seen others say in so many "jobs" threads on this site, most job ads say "requirements" but mean "it would be amazing if you had all of this." The same problem may start to occur with CISSP, but that's only bad to the extent that it makes finding the right job difficult at times.

    The problem is they use it to screen applicants, and perpetuate the problem, thus ensuring a market for paper MCSEs.
  • JDMurray Admin Posts: 13,091
    colemic wrote: »
    The problem is they use it to screen applicants, and perpetuate the problem, thus ensuring a market for paper MCSEs.
    But most of those "paper MCSEs" won't make it past the second interview, so the hiring managers will rethink their weighting of the MCSE so highly in their consideration of candidates to interview. Every business that starts to include certifications in its consideration of job candidates must go through the same cycle of learning not to weigh certs so highly.
  • tpatt100 Member Posts: 2,991
    I think any HR person worth a dang will be able to weed out a so-called "paper MCSE" based on the experience level also. If candidate A has 10 years sys admin experience vs candidate B who has two years and both have an MCSE, it's a no-brainer to give a preference to candidate A.

    Nowadays you will be able to find plenty of candidates with the required experience and can use certs to thin the pile out a bit. Only a fool would knock out candidates with more experience over somebody with less and an MCSE. I think anybody with half a brain would realize in today's market you need to get a couple of certs that specialize in your field to get an edge over candidates with similar experience levels.
  • UnixGuy Mod Posts: 4,570
    tpatt100 wrote: »
    I think any HR person worth a dang will be able to weed out a so-called "paper MCSE" based on the experience level also. If candidate A has 10 years sys admin experience vs candidate B who has two years and both have an MCSE, it's a no-brainer to give a preference to candidate A.

    Nowadays you will be able to find plenty of candidates with the required experience and can use certs to thin the pile out a bit. Only a fool would knock out candidates with more experience over somebody with less and an MCSE. I think anybody with half a brain would realize in today's market you need to get a couple of certs that specialize in your field to get an edge over candidates with similar experience levels.

    To save money, many would hire the MCSE with 2-5 yrs of experience. The MCSE with 10+ yrs of experience should go to management/architect type positions IMHO...
    Certs: GSTRT, GPEN, GCFA, CISM, CRISC, RHCE

    Learn GRC! GRC Mastery : https://grcmastery.com 