Is this an industry-wide problem?
I've been working as a programmer for a little over 7 years. I want to move into InfoSec, and I've met with several people in the local industry about what they look for in applicants. They have all told me that the CISSP is a requirement for all new hires, regardless of the position being filled or the experience of the applicant. This doesn't sit well with me, but I've decided to study for the cert (as an associate) since it seems that I have no choice if I want to move into InfoSec. Do employers in other regions have the same expectation? I've always thought that requiring everyone to have what is essentially a management cert would devalue that cert. Is it unreasonable to expect a front-line pen tester to have a cert like the CISSP? Are employers in my region just misguided?
I know that if an individual is looking for an InfoSec job in the US in the public sector (i.e. Federal Government, Military, etc.), that individual is required to achieve a certain certification level (i.e. get Security+, CEH, CISSP) within a certain number of months of being hired. In the defense sector, the policy that explains this is DoD 8570 (http://www.eccouncil.org/portals/0/images/AP3-Table.jpg); the civilian agencies usually follow DoD guidelines.
I don't really know much about the private sector... so I'll not comment on that area.
In the U.S. private sector, this debate has continued for some time and most recently (to my knowledge) as part of the proposed Senate Rockefeller-Snowe bill, the CyberSecurity Act of 2010. In this bill, there was language that information security professionals were required to be licensed and certified. That section was struck out, but the concept remains.
Copy of the bill for those interested - Full Text of S. 773 (111th): Cybersecurity Act of 2010 - GovTrack.us
Why do you consider this a problem? For private-sector organizations that process confidential financial and healthcare information, for example, having a minimum baseline seems appropriate.
The reality is, from what I've seen, that entry-level, full-time security positions are almost non-existent. The few I do see that are truly entry-level and attainable without CISSP or similar-level certifications are either based around repetitive, menial tasks, are low-paying, or both.
ISC(2) added specializations to the CISSP for just the reason OP described. I have no problem with CISSP being the de facto or even de jure bar exam for security, regardless of security specialization. Having a more advanced certification for different tracks/specialization makes sense, to me.
Is it fair to a prospective job candidate to have the CISSP (or any cert) used in this way? This is exactly one of the reasons certifications were created: to identify (possibly) qualified candidates for hire. The CISSP is a general InfoSec cert that has been tarred with the labels "managerial" and "business-oriented," and that's not accurate (IMHO). The CISSP is not very technical, true, but it is not that management-oriented either (not as compared to the CISM). The CISSP is labeled so by people who only see the way business works as either technical or managerial, but business is much more than the sum of those two categories.
The CISSP is really the kind of cert that would be obtained by someone who considers themselves an overall InfoSec professional and not just someone who specialized in one or two areas of InfoSec. I think employers want InfoSec people who are more broad and well-rounded with regards to the security of their organization--even those that do specialty jobs, like pen testing. This is why the CISSP has had such success lately in becoming the ultimate (certification) criteria for InfoSec professionals.
Forum Admin at www.techexams.net
I don't think that the standards should be lowered just to fill positions, but I think an intermediate step would make things easier for those of us just starting out. Since that isn't the case, though, I'll pursue my CISSP and see where it lands me.