Is too many CISSP a bad thing?
Bokeh
Member Posts: 1,636 ■■■■■■■□□□
Comments
-
Everyone Member Posts: 1,661I don't think more is bad as long as the standard required to obtain it isn't made easier.
If they make it too easy to get just to boost numbers, then the cert will certainly lose its value. If they can increase numbers without making it any easier to get, it should still be held in the same high regard it has been. -
colemic Member Posts: 1,569 ■■■■■■■□□□Net-to-last sentence of the article sums it up best (IMO):
“They’re concentrating more on reaching out to new people than serving the people they’ve already got,” McKeay said.
I think in the future, ISC(2) will have to implement more technical aspects to the tests, if for no other reason to counter paper tigers.Working on: staying alive and staying employed -
badrottie Member Posts: 116In comparison, in the US there are approximately (Using Google, so the accuracy of these numbers is by no means guaranteed, and therefore just used for illustration purposes):
- 100,000 architects
- 370,000 CPAs
- 800,000 physicians
- 1,200,000 lawyers
- 1,500,000 engineers
-
JDMurray Admin Posts: 13,101 Admin“They’re concentrating more on reaching out to new people than serving the people they’ve already got,” McKeay said.
For example:
"Verizon is more concerned with getting new customers than it is serving the customers it has!"
Does that statement really make sense? -
colemic Member Posts: 1,569 ■■■■■■■□□□But if you take good care of the members, wouldn't the whole marketing piece require considerably less effort? I get that ISC(2) has to promote their brand, but not at the expense of alienating members, and leading them to think that the brand itself is not worth the cost. That word-of-mouth goes a lot further than all the marketing dollars you can throw at it.Working on: staying alive and staying employed
-
JWit Registered Users Posts: 7 ■□□□□□□□□□I'm by no means an expert or do I claim to be, but I am someone who is extremely interested in becoming a CISSP. I agree that word of mouth is the most powerful marketing tool ISC2 has. What has drawn me to the CISSP is the high regard it carries throughout the infosec world and that regard is held because of the sheer difficulty of obtaining the cert. If they were to "dumb" the cert down or lower there standards that regard is lost. The old saying holds true here "if it were easy everyone would get it", the difficulty of the cert is what will ultimately keep its value.
-
powerfool Member Posts: 1,668 ■■■■■■■■□□Well, the DoD 8570 really mixed things up, too. (ISC)2 really envisioned a greater number of SSCPs, in the ballpark of 5:1 with the CISSP. I see people going for the concentrations to separate themselves from others.2024 Renew: [X] AZ-204 [X] AZ-305 [X] AZ-400 [X] AZ-500 [ ] Vault Assoc.
2024 New: [X] AWS SAP [ ] CKA [X] Terraform Auth/Ops Pro -
JDMurray Admin Posts: 13,101 Admin(ISC)2 really envisioned a greater number of SSCPs, in the ballpark of 5:1 with the CISSP.
-
Chivalry1 Member Posts: 569Very good article. I must admit that some of the opinions expressed here are valid concerns. I often think that ISC should look more into investing into current CISSP members. You pay the yearly membership fee to maintain an active status, but what are my returns? Im of the opinion that ISC should be weary of this campaign to obtain more CISSP members. I understand the business need to generate revenue for an organization. But it can have a negative backlash. I was recently on a certain job site and saw a posting for an Information Security Analyst 1. "Requirements CISSP AND CISA, 1 year of information security experience at a annual pay rate of $45,000." Simply ridiculous!
Must maintain the difficulty of the exam and the qualifications of obtaining the cert. I have heard of some 'clueless' CISSP's out there, but can't say I have ever meet one."The recipe for perpetual ignorance is: be satisfied with your opinions and
content with your knowledge. " Elbert Hubbard (1856 - 1915) -
JDMurray Admin Posts: 13,101 AdminI was recently on a certain job site and saw a posting for an Information Security Analyst 1. "Requirements CISSP AND CISA, 1 year of information security experience at a annual pay rate of $45,000." Simply ridiculous!
-
Chivalry1 Member Posts: 569This job posting was written by someone who had no clue of what InfoSec certifications are or what InfoSec people are worth. I don't see how the (ISC)2 can be held responsible for unreasonable job requisitions that can be written by anyone who doesn't understand the market. It's likely the job req's author doesn't even know (or care) what the (ISC)2 is.
I agree (ISC)2 is not at fault. My point was (ISC)2 should do there best to ensure that they certifying qualified individuals. The more unqualified/least experienced individuals whom (ISC)2 may certify will cheapen the certification and drive the qualification down. And in turn those individual will accept Level 1 analyst ,such as the above, consequently setting a new standard. As more unqualified CISSP's are produced, the more common these posting will become. Which is the reason now every Help Desk/PC Technician job requires a MCSE.
If there aim is to educate the technology community on the importance of Info Sec, I am all for it. But if this is an attempt to generate massive revenue to satisfy the ego's of greedy (ISC)2 executives then that will be there downfall. Because in that process of rolling out more CISSP's with Tipton's "High-Growth strategy" the focus will shift from education to profitability. This is type of business model most hospitals are applying. (I will save that story for another post) In short there is a reason why Lamborghini does not make an economy model."The recipe for perpetual ignorance is: be satisfied with your opinions and
content with your knowledge. " Elbert Hubbard (1856 - 1915) -
JWit Registered Users Posts: 7 ■□□□□□□□□□Are you saying that they should do away with the ability to become an Associate CISSP?
-
JDMurray Admin Posts: 13,101 AdminBut if this is an attempt to generate massive revenue to satisfy the ego's of greedy (ISC)2 executives then that will be there downfall.
-
ptilsen Member Posts: 2,835 ■■■■■■■■■■Which is the reason now every Help Desk/PC Technician job requires a MCSE.
I don't have much to say on CISSP, but I have to reject the notion that MCSE has been cheapened to the extent you claim. MCSA, MCSE, MCITP:SA/EA still means something to a lot of employers for mid-to-high level systems job. They're not bare-minimum-to-work certs like A+ (for example).
Edit: Actually, I do have something to say. A big part of the value of CISSP, to me, comes from the work experience requirement. I will say CISSP probably shouldn't get any easier, because it's already "a mile wide and an inch deep", but it doesn't need to get any harder, either. It seems like a good collection of material and the work experience requirement sifts out those who are not qualified to be CISSPs. If anything, they should probably be doing more work experience audits. This is coming from someone who can't even pursue CISSP due to not being able to meet the experience requirement without some pretty big exaggerations. -
joshmadakor Member Posts: 495 ■■■■□□□□□□I was recently on a certain job site and saw a posting for an Information Security Analyst 1. "Requirements CISSP AND CISA, 1 year of information security experience at a annual pay rate of $45,000." Simply ridiculous!
I know I don't need to post this but, source: https://www.isc2.org/cissp-professional-experience.aspxWGU B.S. Information Technology (Completed January 2013) -
tpatt100 Member Posts: 2,991 ■■■■■■■■■□Don't know what ISC2 has to do for its current "customers" that it cannot work on expanding its numbers. I pretty much only use the ISC2 site to enter in my training records for CPE and pay my annual dues. Besides the certs are only a multiplier to experience and other achievments. So if somebody has to fudge their way to qualifying to take the exam and actually pass it, oh well I don't consider them too much of a threat to me since I had more than enough experience to qualify and work accomplishments.
-
afcyung Member Posts: 212Every Cert suffers from inflation. The more people that are certified the more common it becomes and the value can decrease. However that doesn't have to happen to the CISSP. The CISSP is sold as a management level cert, or at least the veteran Info Sec Professional. What I pulled out of the article is that there is a lack of certified Info Sec people to fill the growing need. What I didn't see was that ISC2 was only going to try and swell the CISSP ranks specifically. They should try and elevate the SSCP to a similar status as the CISSP. Its not really feasible to swell the CISSP ranks without either targeting people who already have the experience or lessening the requirement.I don't believe that ISC2 will lessen the experience requirement because that is one of the defining things about the CISSP cert. It would be nice if ISC2 offered other certs that targeted different areas of Info Sec land, similar to SANS.
-
ptilsen Member Posts: 2,835 ■■■■■■■■■■Every Cert suffers from inflation. The more people that are certified the more common it becomes and the value can decrease.
I feel like CISSP is more well known, and the same is not true, or at least not true to the same extent. -
tpatt100 Member Posts: 2,991 ■■■■■■■■■□ISC2 should focus on creating a couple of mid level security certs that are administrative and technical in nature. Leave the CISSP for upper level administration and management rather than its current status as a "must have security cert" no matter what your role is.
-
ptilsen Member Posts: 2,835 ■■■■■■■■■■ISC2 should focus on creating a couple of mid level security certs that are administrative and technical in nature. Leave the CISSP for upper level administration and management rather than its current status as a "must have security cert" no matter what your role is.
-
Chivalry1 Member Posts: 569Where on Earth do you see evidence that this type of attitude is embodied by the (ISC)2? Are you sure that you aren't just transferring past baggage you have from somewhere else on to the (ISC)2--and possibly other organizations--too?
Not at all. Only that attempting to saturate the market with a certification brand will only cheapen the certification and produce more unqualified individuals. (ISC)2 should focus its efforts on there current members to whom which pay an annual fee vs attempting to produce more CISSP pods."The recipe for perpetual ignorance is: be satisfied with your opinions and
content with your knowledge. " Elbert Hubbard (1856 - 1915) -
Chivalry1 Member Posts: 569Sorry, but in my six years of working in this industry I've never even heard of an entry-level Helpdesk or DST job that actually required even MCSA. Yes, I've seen ads that list MCSE as a cert to have, but I've never actually seen an entry-level job like that require a high-level Microsoft cert. And I don't know of many MCSEs working in helpdesk or DST positions -- most MCITP:EAs/MCSEs, in my opinion, are not bootcampers or braindumpers who lack the actual knowledge to do the server admin/engineer jobs they have.
I don't have much to say on CISSP, but I have to reject the notion that MCSE has been cheapened to the extent you claim. MCSA, MCSE, MCITP:SA/EA still means something to a lot of employers for mid-to-high level systems job. They're not bare-minimum-to-work certs like A+ (for example).
Edit: Actually, I do have something to say. A big part of the value of CISSP, to me, comes from the work experience requirement. I will say CISSP probably shouldn't get any easier, because it's already "a mile wide and an inch deep", but it doesn't need to get any harder, either. It seems like a good collection of material and the work experience requirement sifts out those who are not qualified to be CISSPs. If anything, they should probably be doing more work experience audits. This is coming from someone who can't even pursue CISSP due to not being able to meet the experience requirement without some pretty big exaggerations.
I hear and see them all the time requiring MCSE. Check out this job:
Search Jobs | Crystal Equation"The recipe for perpetual ignorance is: be satisfied with your opinions and
content with your knowledge. " Elbert Hubbard (1856 - 1915) -
ptilsen Member Posts: 2,835 ■■■■■■■■■■I have little doubt they will almost certainly A. Hire someone who doesn't have an MCSE, or B. Not fill the position. Heck, it's not even just about skill level. That position has almost no correlation with the materials covered on any exam you can take to get MCSA, and absolutely none with the exams you can take to get MCSE.
MCSE has big name recognition, so HR departments use it. That doesn't mean they actually want it or even know what it is. As I've said and I've seen others say in so many "jobs" threads on this site, most job ads say "requirements" but mean "it would be amazing if you had all of this." The same problem may start to occur with CISSP, but that's only bad to the extend that it makes finding the right job difficult at times. -
JDMurray Admin Posts: 13,101 AdminEvery Cert suffers from inflation. The more people that are certified the more common it becomes and the value can decrease.
-
afcyung Member Posts: 212Absolutely agree JD. I think this article explains my thoughts best.
Academic inflation - Wikipedia, the free encyclopedia
Replace degree with certification and you can see the my thinking. Its also something that can be avoided. I don't believe that swelling the ranks of the CISSP will cause a sudden devaluation of the cert, but if you have 200k CISSPs chasing 180K infosec jobs it no long becomes a cert that can be used to weed people out. Do I think we are there yet? No.
JDMurray wrote:Making a certification difficult to achieve doesn't automatically make it desirable or worthwhile to obtain -
JDMurray Admin Posts: 13,101 Adminbut if you have 200k CISSPs chasing 180K infosec jobs it no long becomes a cert that can be used to weed people out.
-
colemic Member Posts: 1,569 ■■■■■■■□□□I have little doubt they will almost certainly A. Hire someone who doesn't have an MCSE, or B. Not fill the position. Heck, it's not even just about skill level. That position has almost no correlation with the materials covered on any exam you can take to get MCSA, and absolutely none with the exams you can take to get MCSE.
MCSE has big name recognition, so HR departments use it. That doesn't mean they actually want it or even know what it is. As I've said and I've seen others say in so many "jobs" threads on this site, most job ads say "requirements" but mean "it would be amazing if you had all of this." The same problem may start to occur with CISSP, but that's only bad to the extend that it makes finding the right job difficult at times.
The problem is they use it to screen applicants, and perpetuate the problem, thus ensuring a market for paper MCSEs.Working on: staying alive and staying employed -
JDMurray Admin Posts: 13,101 AdminThe problem is they use it to screen applicants, and perpetuate the problem, thus ensuring a market for paper MCSEs.
-
tpatt100 Member Posts: 2,991 ■■■■■■■■■□I think any HR person worth a dang will be able to weed out a so called "paper MCSE" based on the experience level also. If candidate A has 10 years sys admin experience vs candidate B who has two years and both have a MCSE its a no brainer to give a preference to candidate A.
Now a days you will be able to find plenty of candidates with the required experience and can use certs to thin the pile out a bit. Only a fool would knock out candidates with more experience over somebody with less and a MCSE. I think anybody with half a brain would realize in todays market you need to get a couple of certs that specialize in your field to get an edge over candidates with similar experience levels. -
UnixGuy Mod Posts: 4,570 ModI think any HR person worth a dang will be able to weed out a so called "paper MCSE" based on the experience level also. If candidate A has 10 years sys admin experience vs candidate B who has two years and both have a MCSE its a no brainer to give a preference to candidate A.
Now a days you will be able to find plenty of candidates with the required experience and can use certs to thin the pile out a bit. Only a fool would knock out candidates with more experience over somebody with less and a MCSE. I think anybody with half a brain would realize in todays market you need to get a couple of certs that specialize in your field to get an edge over candidates with similar experience levels.
To save money, many would hire the MCSE with 2-5 yrs of experience. The MCSE with 10+ yrs of experience should go to management/architect type of positions IMHO...