Read this article and let's discuss.....
Bachelors of Science in Technical Management - Devry University
Masters of Information Systems Management with Enterprise Information Security - Walden University
Masters of Science in Information Assurance - Western Governors University
Masters of Science Cyber Security/Digital Forensics - University of South Florida
Comments
Has there always been this much rage surrounding CISSP? Those of you on the Yahoo board saw that mega thread about the Defcon anti-CISSP talk. Now this? OK everyone, turn your badges in and go home.
- InfoSec Analyst
- IT Manager
- Compliance Analyst
- IT Auditor
- Sr. Information Storage Engineer
- Application Security Engineer
It doesn't take a genius to figure out that those positions are as different as day and night. The CISSP happens to cover domains related to all of them. It is unrealistic to expect every CISSP to be a master of networking, appsec, compliance, and all of the other domains. Whoever doesn't understand that shouldn't be complaining about the certification.
That's a big problem. Broad theory certs should have the type of influence in the industry that Security+ has, not CISSP, which has come to be seen as some sort of gold standard for security practitioners. I realize that DoD and HR have led the charge in creating this misperception, but the result is that there are a lot of folks and even companies out there in security roles that know little about the technologies behind the assets they are trying to protect.
This is absurd, but very much a reality. There is way too much emphasis placed on a cert that tells me little to nothing about someone's ability to secure a network.
So much emphasis, in fact, that I grudgingly decided to get it even though I don't really need it. My position requires a DoD IAT III cert, and I have one - the GCIH. I originally began studying for the CISSP, but found the material to be lame. So I dropped CISSP studies in favor of GCIH even though I knew how "in demand" it was. I don't need it, and I don't expect to learn much helpful information from it, but I'm going to get it anyway simply because (1) it's pretty much expected if you are in Infosec, and (2) future earning potential.
There are plenty of good technical certs for Infosec, including these -> GIAC Forensics, Management, Information, IT Security Certifications.
If a company wants somebody to get it for a job, get it or don't get it; nobody is "forcing" you. Some of the really technical security types I worked with before could not manage an information security program. They know how to do "security" but lack the organizational skills to keep an overall program up to date. They know how to harden a system but lack the skills to coordinate with other IT departments when it comes to patching and system configuration changes.
Not every company will have a specialized IT manager; plenty of that stuff is going to fall on the security personnel themselves.
Most of the GIAC line (over 20)
Offensive Security line (5)
Entire EC Council line (8)
SSCP & CASP
Cisco core security line (3)
Cisco specialist security line (6)
That's over 40 certifications specifically about technical security. When you add in the Microsoft and Linux certs which also do cover security practices, that's another 15 or 20 certifications to add.
The CISSP doesn't need to be technical and it shouldn't be technical. Technical is covered. I think there's room for more affordable technical certifications that correlate to the GIAC ones, but realistically most organizations that are really looking for tech-specific certification at that level will pay for it or outsource it anyway.
Complete: 55/120 credits SPAN 201, LIT 100, ETHS 200, AP Lang, MATH 120, WRIT 231, ICS 140, MATH 215, ECON 202, ECON 201, ICS 141, MATH 210, LING 111, ICS 240
In progress: CLEP US GOV,
Next up: MATH 211, ECON 352, ICS 340
Sure. But a CISSP isn't going to cause someone to develop organizational skills and the ability to coordinate an infosec program. This isn't an argument for the efficacy of the CISSP, it's an argument against the notion that technical skills necessarily include the organizational and big-picture skills to run a program.
What the author is pointing out is that our industry is broken, and undue influence of the CISSP is a contributing factor. Information is the next battlefield. Successful hacks from stealing personal information to hacking centrifuges are happening ever more frequently. Millions are being spent on creating regulations, audits, vulnerability assessments run by folks that have never even secured their personal laptop much less have spent 4 years in network administration, canned reports, all in the name of security. But what we really need are more people that understand how to, you know, secure systems and networks. The more the crap hits the fan, the more we are going to see this.
It's definitely a misunderstanding, but not a minor one and not limited to people that don't want to deal with getting it. For example, the US Department of Defense considers it a level 3 technical certification (its highest level).
As far as the private sector goes, I don't really see a problem with CISSP being the "gold standard" and required by HR. Are people being hired, en masse, to do technical jobs for which they are truly, horribly under-qualified while lots of qualified people do lower-paying jobs? Somehow, I don't think so, and I certainly haven't seen any evidence of it. Any organization hiring for a technical security position obviously needs to vet candidates for the tech skills. I don't see requiring or respecting the CISSP as opposed to or in conflict with that need.
Is anything wrong with that though, in and of itself? Yes, some people fake the experience qualification, but otherwise that's one thing that a lot of the other certs lack. No one is walking into DoD with CISSP in Security Architecture and Cryptography 5 yr domain experience unless they've actually done something like configure firewalls or bona fide PKI work as vetted by respectable CISSPs.
Let's face it, we all hear about the dumb-as-toast CISSP but, much like the welfare queen of the 70s, is this just a myth purported by the non-CISSP who met someone at Defcon that had the paper but was unable to root a fully patched Linux box? The local CISSPs in my area are brimming with technical prowess. One is a DNSSEC recovery key holder (thanks to uncovering a massive security flaw in DNS). Two others are pen testers, and a few are app devs. Yes, these folks have many certifications in addition to CISSP, but it isn't like holding the cert detracts from their knowledge.
The author says, "HR offices are essentially discriminating against people who don’t have one, for really no good reason." Does this really need to be spelled out to this guy? OK, here goes: HR offices are essentially discriminating against people who don’t have one.
In my experience, the number of CISSPs I have come into contact with whom I would describe as less than competent in their positions is disproportionately high compared to other major certifications. The time I've spent perusing job postings and speaking with recruiters (and colleagues) has led me to conclude that the demand for this certification is very high. The concepts covered by the CISSP are, in my limited opinion, pretty basic, volume of topics notwithstanding. The combination of these 3 things is negatively impacting the Infosec industry in a significant way.
It's not the fault of (ISC)², but that doesn't make it any less of an issue.
To his second point: The CISSP exam is a generalized InfoSec certification; meaning it broadly covers all fields of what the (ISC)2 considers to be Information Security. The blog author is correct that 99% of all InfoSec people do not work in all fields of InfoSec. If the author wants an InfoSec cert specialized only in his field(s), he should pursue (or create) one of those and not the highly-generalized CISSP certification.
To his third point: Since its creation in 1996, the CISSP certification was never intended to test any sort of hands-on skills in InfoSec. The generalized nature of the CISSP would make this impossible. Such a thorough test would be prohibitively expensive and, as the blog author points out, 99% of InfoSec people do not work in most of the areas of InfoSec covered by the CISSP, so they would have no hands-on skills to be tested. It is moronic to complain that something doesn't do what it was never designed nor intended to do.
I can only believe that this blog author also writes articles complaining about how in University he was forced to take endless classes in subjects that were unrelated to his life, interests, and what he believed to be all of his future careers. He would bemoan, "What possible good could come of forcing people to study subjects that they would otherwise never have the need or desire to experience?" Broad vistas of new and expansive knowledge are obviously not part of life's dream here.
Rather than a University for InfoSec, it sounds like the blog author prefers a blue collar trade school in the InfoSec arts. I'm not sure why he thinks one must be torn down to build the other; both are quite complementary and quite needed.
Forum Admin at www.techexams.net
--
LinkedIn: www.linkedin.com/in/jamesdmurray
Twitter: www.twitter.com/jdmurray
I can say from the day before to the day after I was certified, my skills and knowledge have not changed. But I have a clear baseline to show my present and future employers. It shows you can prove that you can retain standard knowledge and develop.
It does not suddenly make you different. Plus there are many things outside the CBK that my job needs from me... I think the CISSP helps me hit the right notes with my management...
HR doesn't write job descriptions, management does. I've written several JDs and postings for jobs. HR reviews them and helps screen the candidates... that's it. They have no knowledge of the job itself and don't pretend to.
And as a hiring manager, I am smart enough to know that a cert doesn't mean you can or can't do the job.
What I don't understand is the contempt of the article. He says, "As the Information Systems Security Professional, I do not need to know a damn thing about fire extinguisher types, fence height, or lighting. Sure, it may be interesting knowledge. But not relevant to most people's infosec jobs, and thus extraneous in the cert."
Sorry to say this, but he is absolutely wrong. You can lock down a server from attacks on the network, but if you allow someone to get into your data center with a liquid, that person can spill it and take down a rack of servers with valuable data. Sure, the data can be recovered, but it costs money to replace that rack of servers and restore the data. Knowing how to physically secure data is just as important as any software policies or access controls you set.
The CISSP is more of a broad-level security management certification whose material teaches broad security principles and best practices from a wide variety of domains. Understanding physical security might be useless for a pen tester or another type of specialist, but from a CISO or CSO perspective, it's probably more vital to at least have a broad understanding of basic security principles from most of the 10 domains. Why? Well, a CSO in the health or financial industry needs to be able to work with senior management to make their business case as well as working with physical security, network security, system administrators, and the policy writers to at least explain what they need to ensure compliance. Security officers in certain industries might not need to be experts (or remember every port or algorithm) in every domain, but they need to at least have a basic (inch deep) understanding of the concepts to work with the experts in each of those departments and understand why each of those departments is important to information security.
In the end, I'd say the CISSP is excellent for someone who is looking for more of a senior management role in security, someone who is a security enthusiast, and/or someone looking to check a box with HR. The perception might be off about it but that doesn't make it any less valuable.
Blog: www.network-node.com
Now one might argue that the information security domain is broader than networking and I agree but it's not a huge gap. My background is in networking and there are areas that I can perform technically and others that I just understand the theory of. However, I know when to go to an expert in the area when I need one. A CCIE is expected to be able to design, implement and troubleshoot complex networking systems. A CISSP designation does not mean the individual can perform any of those functions within information security. The sub-specialty designations are a nice start but have a long way to go. I might argue that the intention of these designations is that the ISSAP can design, ISSEP can implement and troubleshoot and the ISSMP can manage/operate the systems but these certifications suffer from the same problem as the CISSP. Book knowledge across broad domains is the requirement for certification.
I am very much in favor of ISC2 revamping, not doing away with or deprecating, their certifications. There needs to be a theory- and concepts-based cert of general knowledge covering the broad set of domains in information security. Maybe it's the CISSP, Security+, GSEC, whatever. Then there needs to be a hierarchical certification ladder for specific domains to progress through. Personally, I like Cisco's approach to certification when I compare it to Microsoft or the array of IS certifications. Granted, Cisco is a product manufacturer. I'm not trying to downplay the value of the CISSP to an organization or the individual holder. It's an accomplishment that requires a certain level of aptitude to achieve. However, when I look at the broad needs of the industry I believe there is a gap. SANS has done a good job at identifying specific domains with technical competency but without hierarchy, and there is a lack of a governing body or standards to tie all of these avenues together in a manner that organizations can understand and allow hiring managers a means to assess talent without running every candidate through the wringer during an interview.