Is this an industry-wide problem?

Broodmdh Member Posts: 10
I've been working as a programmer for a little over 7 years. I want to move into InfoSec, and I've met with several people in the local industry about what they look for in applicants. They have all told me that the CISSP is a requirement for all new hires, regardless of the position being filled or the experience of the applicant. This doesn't sit well with me, but I've decided to study for the cert (as an associate) since it seems that I have no choice if I want to move into InfoSec. Do employers in other regions have the same expectation? I've always thought that requiring everyone to have what is essentially a management cert would devalue that cert. Is it unreasonable to expect a front-line pen tester to have a cert like the CISSP? Are employers in my region just misguided?


  • dmoore44 Member Posts: 646
    That's a really good question...

    I know that if an individual is looking for an InfoSec job in the US in the public sector (i.e. Federal Government, Military, etc...), that individual is required to achieve a certain certification level (i.e. get Security+, CEH, CISSP) within a certain number of months of being hired. In the defense sector, the policy that explains this is DoD 8570 - the civilian agencies usually follow along DoD guidelines.

    I don't really know much about the private sector... so I'll not comment on that area.
    Graduated Carnegie Mellon University MSIT: Information Security & Assurance Currently Reading Books on TensorFlow
  • paul78 Member Posts: 3,016
    Good question - and it's a topic that is also being debated in the US. As @dmoore44 said - in the US defense sector, there is a Department of Defense mandate which requires certification.

    In the U.S. private sector - this debate has continued for some time and most recently (to my knowledge) as part of the proposed Senate Rockefeller-Snowe bill in the CyberSecurity Act of 2010. In this bill, there was language that information security professionals were required to be licensed and certified. That section was struck out but the concept remains.

    Copy of the bill for those interested - Full Text of S. 773 (111th): Cybersecurity Act of 2010

    Why do you consider this a problem? For private-sector organizations that process confidential financial and healthcare information, for example, having a minimum baseline seems appropriate.
  • ptilsen Member Posts: 2,835
    My only problem with this is the catch-22 in requiring experience to get a cert that is required to get experience. Fortunately, the experience requirements are lax enough that people who have security as a part of their job can still get it.

    The reality is, from what I've seen, that entry-level, full-time security positions are almost non-existent. The few I do see that are truly entry-level and attainable without CISSP or similar-level certifications are either based around repetitive, menial tasks, are low-paying, or both.

    ISC(2) added specializations to the CISSP for just the reason OP described. I have no problem with CISSP being the de facto or even de jure bar exam for security, regardless of security specialization. Having a more advanced certification for different tracks/specialization makes sense, to me.
    Working B.S., Computer Science
    Complete: 55/120 credits SPAN 201, LIT 100, ETHS 200, AP Lang, MATH 120, WRIT 231, ICS 140, MATH 215, ECON 202, ECON 201, ICS 141, MATH 210, LING 111, ICS 240
    In progress: CLEP US GOV,
    Next up: MATH 211, ECON 352, ICS 340
  • JDMurray Admin Posts: 12,905
    In some cases, the CISSP is being used to "separate the wheat from the chaff" to determine who to interview for a position, who to promote, what salary level to assign, etc. Other criteria used in this way include having a Bachelor's or Master's degree or 10+ years of industry experience. The idea is that there are a lot of people looking to break into the security industry, and an employer does not want to interview dozens of people just to fill one or two open positions. Some criteria must be established for a minimum level of professional competency to narrow the field of likely candidates.

    Is it fair to a prospective job candidate to have the CISSP (or any cert) used in this way? This is exactly one of the reasons certifications were created--to identify (possibly) qualified candidates for hire. The CISSP is a general InfoSec cert that has been tarred with the labels "managerial" and "business-oriented," and that's not accurate (IMHO). The CISSP is not very technical, true, but it is not that management-oriented either (not as compared to the CISM). The CISSP is labeled so by people who only see the way business works as either technical or managerial, but business is much more than the sum of those two categories.

    The CISSP is really the kind of cert that would be obtained by someone who considers themselves an overall InfoSec professional and not just someone who specialized in one or two areas of InfoSec. I think employers want InfoSec people who are more broad and well-rounded with regards to the security of their organization--even those that do specialty jobs, like pen testing. This is why the CISSP has had such success lately in becoming the ultimate (certification) criteria for InfoSec professionals.
  • Broodmdh Member Posts: 10
    Those are all really good points. I guess my frustration stems from hearing the hiring managers complain about a lack of qualified candidates while at the same time creating barriers to entry that only a small portion of the industry can meet. I like to think that I've done a lot in my 7 years of development, but only a (very) small percentage of that has had even a remote association with the CISSP domains. There are not many programming jobs (in my area, at least) that do.

    I don't think that the standards should be lowered just to fill positions, but I think an intermediate step would make things easier for those of us just starting out. Since that isn't the case, though, I'll pursue my CISSP and see where it lands me.