CISSP seems very close to security+? Hmmmm?
5502george
Member Posts: 264
in SSCP
So one of my top contributing factors for procrastinating getting my CISSP for so long was the fact that all I hear is how difficult the test is. I finally set a goal and have begun my journey with Conrad + 11th hour and Harris, but the content seems unusually similar to Gibson and other material I used for Sec+?
...I understand the test itself is more difficult, but is the material really that different other than 4 more domains? It does not seem to be as of yet?
Comments
-
redz Member Posts: 265
No. They are both entry-level. The CISSP is just wider. The "inch-deep" of knowledge is the same on both, the CISSP just has more material, longer questions, and a longer test. It's not particularly difficult; how could a test that ~1,000 people per month pass be all that difficult?
Read CISSP test taking tips, and take a few practice tests with a focus on following the tips towards the end of your preparation. Then finish the test in an hour and wonder what the heck everyone was so worked up on the TE boards about. -
beads Member Posts: 1,533
The CISSP is now an entry level test with the expectation, not the reality, that the candidate have at least four years of experience. Hence the rapid lowering of value of the exam itself. Put it this way: The CISSP is worth more to those who don't have it than for those who do.
Give it another year or two and the exam will be next to worthless.
- B Eads -
5502george Member Posts: 264
beads wrote: » The CISSP is now an entry level test with the expectation, not the reality, that the candidate have at least four years of experience. Hence the rapid lowering of value of the exam itself. Put it this way: The CISSP is worth more to those who don't have it than for those who do.
Give it another year or two and the exam will be next to worthless.
- B Eads
HA HA man I love your brutal honesty! But in all reality I do not find this test to actually be any harder than the entry level sec+ -
LarryDaMan Member Posts: 797
I agree with the sentiment in this thread for the most part as everyone (20+ people) in my security group at work has the CISSP. So it is certainly not exclusive or upper-level, but saying it is entry level might be a bit of hyperbole. Does it really even matter anyway? Get the certs to make it through the initial door and then blow them away with your experience and knowledge during the interview and on the job. There is no golden ticket, there are terrible doctors and lawyers with many many years of school and certifications, but I wouldn't hire them just because they passed the bar exam/medical board.
-
beads Member Posts: 1,533
LarryDaMan wrote: » I agree with the sentiment in this thread for the most part as everyone (20+ people) in my security group at work has the CISSP. So it is certainly not exclusive or upper-level, but saying it is entry level might be a bit of hyperbole. Does it really even matter anyway? Get the certs to make it through the initial door and then blow them away with your experience and knowledge during the interview and on the job. There is no golden ticket, there are terrible doctors and lawyers with many many years of school and certifications, but I wouldn't hire them just because they passed the bar exam/medical board.
The value of the exam is collapsing quickly. Much like the old joke that goes like this: What do you call someone who graduates third from the bottom of his/her medical school class? "Doctor".
The exam either needs to become much more difficult; vetted more rigorously; or replaced with a new "gold standard" by another testing organization as what we will be left with shortly will be a joke.
Been around this block several times and it's always the same scenery around the last corner.
- B Eads -
redz Member Posts: 265
LarryDaMan wrote: » it is certainly not exclusive or upper-level, but saying it is entry level might be a bit of hyperbole. Does it really even matter anyway?
-
bobloblaw Member Posts: 228
CISSP won't be next to worthless in two years. It's still difficult for most. It won't make anyone a security expert, nor has it ever. No one is primed to currently make a play to overtake it anytime soon.
Redz and beads are smart, and forget sometimes that a majority of people are not. -
redz Member Posts: 265
bobloblaw wrote: » Redz and beads are smart
I think "next to worthless" is also an exaggeration, however, the devaluation of the certification is already evident in our current job searches, leading us to some level of bitterness (this is also why we both obtained concentrations, to "separate from the pack"). According to Beadsy, the Downtown Chicago market rate for a CISSP is ~65-85 per year. I've found rather similar results in other locations.
That being said, the CISSP isn't, nor should it ever have been, what gets you a fancy job or a high salary, but seeing it as a requirement for positions paying so little is evidence of devaluation in the market. With the rate of new CISSP's (I think it is nearly 1,000 per month), people will need more to separate themselves - this potentially leading to the "new 'gold standard'" that he referenced.
We've had plenty of conversations on the topic, and although I don't have quite the apocalyptic view Beads does (I'm still young and optimistic about life), I do understand it and recognize it as a real possibility that I have every intention of staying in front of.
For clarification:
- I'm not against (ISC)2, the CISSP, or those attaining/attempting the certification.
- In my mind, there is currently no better certification to obtain from a personal ROI standpoint. I still, and will continue to, recommend it to everyone, whether or not they hold a full-time security position.
EDIT: Maybe the PMP has higher ROI? I don't know. I never attempted it, studied it, or researched career impacts of it. -
dijital1 Member Posts: 64
The Security+ certification focuses more on security controls and technologies. It doesn't discuss in any appreciable amount of detail the business aspects of information security. The CISSP does require a degree of technical knowledge to pass but more importantly it requires that the candidate understand that businesses/organizations are not in business just to be secure.
It gives you a base set of tools to identify key business functions, identify the IT systems that support those business functions and then recommend controls to protect the identified systems. So in the end it's about using security to support the business in a way that's overly expensive or that hinders its ability to function.
I also agree with redz that if you're really looking to set yourself apart from the sea of CISSPs out there (as well as learn the material at deeper level) then you should consider doing the specializations. I've done all of them at this point and can tell you from personal experience that I'm a much better security *insert whatever hat I'm wearing on a given day* professional for it. There is no "get certifications xyz" and the floodgates of money open to you. There are good CISSPs and bad ones; much like any other profession. Forget the surveys that show that CISSPs "on average" earn X amount of money? If you make it your aim to be among the best in the field then money will never be a problem.
With all of that said, the CISSP is still currently an expected line item on any security professional's resume. Can you get a job without one? Yes. Can you have a good career without one? Yes. But it does open doors to additional opportunities (especially in the federal space) where you won't even be considered unless you have it; regardless of how good you are.
Consider it a necessary benefit/evil for this industry. -
redz Member Posts: 265
dijital1 wrote: » if you're really looking to set yourself apart from the sea of CISSPs out there (as well as learn the material at deeper level) then you should consider doing the specializations.
-
dijital1 Member Posts: 64
Mmm I think the ISSEP is probably the most challenging of the specializations. The ISSAP is second followed by the ISSMP. They're all challenging in their respective ways. I'm actually studying for the CAP now. I've been meaning to do it for a while and I'm finally getting my butt in gear to make some time this month to get it done.
Should be interesting. -
redz Member Posts: 265
http://www.techexams.net/forums/isc-sscp-cissp/91716-certified-authorization-professional-cap-exam-review.html
I did a little write-up on it. It is nowhere near the level of a concentration. My disclaimer being, I have a decent depth of experience with both NIST and DIACAP. -
beads Member Posts: 1,533
I have met three perhaps four people whom I either knew or strongly suspect were no more than 25 in the past year who at least claimed to be CISSPs. Add to the number of folks when asked have replied to the question about time requirements (being so young)? "Just make something up..."
Lots of poorly equipped CISSPs out there trying hard to do a job they just aren't fully qualified to do. If you've been in the field long enough you can add the CISSP to the field of other bubbled out certifications, that I have personally held: CNE, MCNE, MCSE. Seen the pattern when tons of folks dive into a certified position and the certification becomes first tarnished then relegated to the dustbin before the next "hot" certification comes along.
No, I am not so much bitter as I am looking for the next up and coming flaming hoop of flaming heat and goodness to replace this one. History has a tendency to repeat itself - over and over.
- B Eads -
JDMurray Admin Posts: 13,092
The Security+ exam is actually much closer to the SSCP exam.
The Security+ exam was released in December 2002 and was awful when I took it about a year later. Since then, Sec+ has undergone several major revisions that have brought it very close to what the SSCP exam is now. The SSCP itself was released in 2000 and hasn't changed very much in depth or quality, although the content has been updated.
What you are all seeing is the result of CompTIA's efforts to bring the Security+ cert more in depth and scope with its major IT cert competition. -
redz Member Posts: 265
beads wrote: » flaming hoop of flaming heat
It would be a high cost to audit all potential CISSP's, with the potential of a null impact. Of course, for the concentrations, all applicants are audited - and none of my contacts were called during said audit. So what is the impact of the audit in the first place? -
AnthonyF Member Posts: 109
For the ISSMP, you pass you are in. You do not have to be audited or submit any other paperwork. Did you have to fill out and submit anything for the ISSEP?
-
Chivalry1 Member Posts: 569
I would not go in with the expectation of it being equivalent to an entry level certification. CISSP has its challenges even for a veteran security practitioner. Although I agree with some of the statements that there will be a new "gold standard" that will replace it in the next 10 years. I think partially to blame are HR departments asking for high level certification for entry level jobs. Received a phone call the other day regarding a Security/Network administration job with CISSP credentials; the salary for the job a whopping $45,000. You sir may have several seats!!
"The recipe for perpetual ignorance is: be satisfied with your opinions and content with your knowledge." Elbert Hubbard (1856 - 1915) -
redz Member Posts: 265
AnthonyF wrote: » For the ISSMP, you pass you are in. You do not have to be audited or submit any other paperwork. Did you have to fill out and submit anything for the ISSEP?
EDIT:
Chivalry1 wrote: » Received a phone call the other day regarding a Security/Network administration job with CISSP credentials; the salary for the job a whopping $45,000. -
moyondizvo Member Posts: 155
5502george wrote: » HA HA man I love your brutal honesty! But in all reality I do not find this test to actually be any harder than the entry level sec+
All the best and please let us know the outcome, I am interested in knowing your perception after the exam and whether you will still truly feel that the two are comparable. -
5502george Member Posts: 264
moyondizvo wrote: » All the best and please let us know the outcome, I am interested in knowing your perception after the exam and whether you will still truly feel that the two are comparable.
Edit: I did not mean tests, I was referring to the study material. I know this will def be a harder test, but I find very strong similarities in the study materials. -
5502george Member Posts: 264
BTW, how close did you find the SSCP and the CISSP study material out of curiosity?
-
DoubleNNs Member Posts: 2,015
5502george wrote: » BTW, how close did you find the SSCP and the CISSP study material out of curiosity?
Something I'm curious about as well. -
bobloblaw Member Posts: 228
5502george wrote: » Edit: I did not mean tests, I was referring to the study material. I know this will def be a harder test, but I find very strong similarities in the study materials.
Absolutely. The difficulty of the exam is when they throw it all at you in one sitting. A majority of the questions on the test are a paragraph or more long. Unlike the Sec+, or CompTIA exams in general, it's not comprised of your simple direct Q&A line of testing. -
TeKniques Member Posts: 1,262
beads wrote: » The value of the exam is collapsing quickly. Much like the old joke that goes like this: What do you call someone who graduates third from the bottom of his/her medical school class? "Doctor".
The exam either needs to become much more difficult; vetted more rigorously; or replaced with a new "gold standard" by another testing organization as what we will be left with shortly will be a joke.
Been around this block several times and it's always the same scenery around the last corner.
- B Eads
Such deflating news, but not at all that much surprising. In my opinion the addition of CBT probably had an impact. Maybe it's just psychological, but taking a paper test and passing feels so much more of an accomplishment.
5502george wrote: » BTW, how close did you find the SSCP and the CISSP study material out of curiosity?
Marginal at best. While there is some crossover between several of the domains there are a few that aren't even touched. The focus of the exams is different as the SSCP is a technical exam and the CISSP is more managerial in its structure. -
cyberguypr Mod Posts: 6,928
Interesting. Does anyone else prefer the paper test? Although ready since 2010, I refused to take CISSP until they went CBT. Heck, my work was offering free flu vaccines and I passed because it required filling up a stupid Scantron-type sheet.
-
JDMurray Admin Posts: 13,092
Yes, I much more prefer the scratching of pencil graphite on paper to the sterile click of a pointer upon a self-illuminated surface.
-
moyondizvo Member Posts: 155
5502george wrote: » BTW, how close did you find the SSCP and the CISSP study material out of curiosity?
I think Tekniques has covered this one. It should be expected that some of the domains/knowledge areas of one IT security certification will crossover with another, the principles of security have not changed much over the decades.
However what differs is the depth of the knowledge that a vendor expects you to know these principles and is testing on. As stated, the SSCP is comparable to Security+, sure the domains may crossover with the CISSP, but the expected outcomes from all 3 are different.
cyberguypr wrote: » Heck, my work was offering free flu vaccines and I passed because it required filling up a stupid Scantron-type sheet.
**LMAO** -
teancum144 Member Posts: 229
beads wrote: » The value of the exam is collapsing quickly. The exam either needs to become much more difficult; vetted more rigorously; or replaced with a new "gold standard" by another testing organization as what we will be left with shortly will be a joke.
Perhaps the CISSP is becoming more common not because its quality is declining, but because security has become so popular and therefore the CISSP (perceived as the gold standard) has become more popular. -
beads Member Posts: 1,533
cyberguypr wrote: » Interesting. Does anyone else prefer the paper test? Although ready since 2010, I refused to take CISSP until they went CBT. Heck, my work was offering free flu vaccines and I passed because it required filling up a stupid Scantron-type sheet.
I am so with JD on this one. It's a matter of preference but the ability to look at several questions at a time, page back and forth, etc. Just works for me as I feel as though I have more psychological control than with the CBT.
- B Eads