Debunking myths about CISSP

If you're somewhat new to information security and think you should go get the CISSP in the near future, please read this list of common myths first.

The following statements are NOT TRUE:

1. All it takes to qualify for a 6-figure job in information security is a CISSP.

2. You need a CISSP to get hired for an infosec position.

3. If you pass the CISSP exam, you're an Associate of CISSP and can put "CISSP pending endorsement" on your resume and LinkedIn page.

4. You can just go through a bootcamp and pass the CISSP with no infosec experience or additional studying.

5. Even if you have little or no infosec experience, you can get a CISSP.

6. An Associate of ISC2 is just as good as CISSP because you passed the exam and that's what matters to get hired.

7. The CISSP exam is not very technical so all you need is basic knowlege of security to pass it.

8. "I spent 5 years at the helpdesk and added new users to AD groups according to roles to provide them rights and permissions, and I inventoried hardware, so that qualifies for 5 years experience in 2 domains."

Feel free to add to these if I missed any.

Find more posts tagged with

Comments

gespenstern

6. Isn't always true as DoD don't care with their 8570 if you are really a CISSP or just an Associate of (ISC)2 working towards CISSP.

8. I'd personally bet that a well crafted resume of a guy with that experience sent to (ISC)2 will lead to an endorsement.

And I double very much 7, so tired of that "manager's hat" emphasis. If you are really technical already then yes -- pay attention to this manager's hat. If your experience is like in 8 -- tough luck, you have to learn soooo many technical things from crypto to authentication protocols and TCP/IP.

renacido

gespenstern wrote: »

6. Isn't always true as DoD don't care with their 8570 if you are really a CISSP or just an Associate of (ISC)2 working towards CISSP.

8. I'd personally bet that a well crafted resume of a guy with that experience sent to (ISC)2 will lead to an endorsement.

And I double very much 7, so tired of that "manager's hat" emphasis. If you are really technical already then yes -- pay attention to this manager's hat. If your experience is like in 8 -- tough luck, you have to learn soooo many technical things from crypto to authentication protocols and TCP/IP.

6. While you're correct that Associate of ISC2 qualifies for IAT-III or IAM-II for 8570, to a civilian manager hiring someone for a senior-level position requiring IAM-II or IAT-III (IAM/ISSM), Associate of ISC2 and CISSP definitely are NOT equivalent as qualifications. The only people that really don't have to care are military guys.

8. If by "well-crafted resume" you mean "well-written bullsh**", and ISC2 doesn't really do a diligent reference check as they're supposed to if they're doing the endorsement, AND the candidate doesn't get audited, then it's possible. Myth is still debunked in my book.

beads

Physical security no matter how questionable has always been the most easily abused "qualification" used for an excuse for a qualification for the CISSP. Classics used on this board alone have included: "I worked behind a locked door..."; "Worked as a security guard"; Guard duty while in the service is admirable doesn't really train you for guarding Enterprise security; finally, watching video feeds of traffic coming in and out of the company parking lot.

Combine any of the above with another lame excuse, such as MAC (Move Add Change) in AD (see above), on that a "well-crafted" resume and you will understand why so many resumes end up somewhere other than the interview pile.

Just ask the 20 year old "CISSP" caught last year for further career advice.

- b/eads

renacido

beads wrote: »

Just ask the 20 year old "CISSP" caught last year for further career advice.

- b/eads

Yikes.

Well, I guess if a hiring manager doesn't sniff out the BS and hires someone with questionable ethics for a job they're dangerously unqualified for, when they inevitably have to deal with either a negligent hire or a preventable security breach, that's what we call in the military "a self-inflicted gunshot wound".

NetworkNewb

why is the is experience factor of this cert such a huge deal to some people? I understand experience is important... But the required experience for the CISSP takes in to no account for the quality, risk, or level of the security experience achieved.

I could be I wrong, but couldn't a 16 year old with his own lawn business count that as experience towards the CISSP? Assuming they handle the physical security practices of the companies' assets (where the lawn mower is stored) and they have a website where people log in to see when they log in to see when their lawn is being mowed. Handling and creating the security practices of access to customer's PII (maybe the website holds the customer's physical addresses, maybe he setup the required complexity of the passwords).

I have always had the belief that a certification should hold nothing else then the person knows just enough to pass the topics on the exam. If someone needs to a grasp on someone's experience level they would actually have to look at their background/resume and see what that actually encompasses, instead of just relying on what certification they hold.

Someone straight out of college with a degree in Information Assurance and 2 years experience working in an enterprise's security department dealing with their security practices and policies does not qualify them, but if that 16 year old kid mowed lawns for 5 years and handled those same tasks I mentioned above would qualify for this cert? I'm just not a huge fan of experience requirements for certs in general and think that experience (and level of experience) should be looked at elsewhere and not from certs. They are pretty much saying I can't learn what someone else did in shorter amount of time even if I worked harder and dealt with more complex issues. But just because they did it over a longer period of time they automatically are smarter. (implying quantity over quality)

I don't mean this as bash on the CISSP requirements specifically but any cert that requires it.

Feel to correct me if I'm wrong with this! Just throwing it out there for discussion as I'm sure it won't be agreed by everyone and I would like to hear what people who hold the cert think about this.

(pretty certain I qualify for the requirements if I took the test right now btw, not questioning it for that reason)

JockVSJock

renacido wrote: »

and ISC2 doesn't really do a diligent reference check as they're supposed to if they're doing the endorsement, AND the candidate doesn't get audited, then it's possible. Myth is still debunked in my book.

Also ISC2 doesn't audit folks who obtain CISSPs to make sure they haven't done any wrongdoing.

Know a person who holds a CISSP and was domain hijacking a legitimate website in order to confused end users and get paid.

gespenstern

JockVSJock wrote: »

Also ISC2 doesn't audit folks who obtain CISSPs to make sure they haven't done any wrongdoing.

Know a person who holds a CISSP and was domain hijacking a legitimate website in order to confused end users and get paid.

Yep, enforcing ethics is a problem for (ISC)2 at least in my eyes and is something that is widely criticized on the internet.

I guess they would love to see numbers of CISSP holders always growing, but at what price? I think they lack some good policing here that would investigate and punish offenders and strip them of CISSP designation.

beads

@NetworkNewb;

When you run for a spot on the Board of Directors you can make it your mission to change the requirements designated by the certifying organization to be no experience at all. After all certifications like information "want to be free", right?

@JockVSJock;

This has been a complaint about the ISC(2) since the organization claimed its 500th member, years ago. The organization has moved from an Ad Hoc ethics and review committee to a permanent standing committee - progress but still not enough.

As far as your friend's past misdeeds are concern its really so much more common than not. I would say most CISSP holders I have meet in the past 5 years or so have a very fragile background in InfoSec that I really can't take the certification seriously anymore. Let's just say I am highly skeptical these days.

Caveat emptor

- b/eads

NetworkNewb

I'm not asking them to change it, I just don't agree with it... Just throwing my thoughts out there and seeing where they land since the topic was being discussed

renacido

NetworkNewb wrote: »

why is the is experience factor of this cert such a huge deal to some people? I understand experience is important... But the required experience for the CISSP takes in to no account for the quality, risk, or level of the security experience achieved.

I don't so much care whether ISC2 requires experience or not. That's up to them.

What I care about is the character of potential hires. Cheating your way to a certification to me is an integrity issue. And your integrity is like your virginity in my book - once you lose it, it's gone forever.

On the job, I can provide training and guidance and opportunities to develop an employee's skills and knowledge areas if there are some gaps. But I can't make a liar into an honest person. Not in my job description.

I understand that to get a job we need to put ourselves and our qualifications in the best possible light. I get it. I do it. It's a competitive job market and we all have to pay the bills.

A well-crafted resume that maximizes your marketability is what everyone should have. But it should be honest.

At the end of the day, if you land a job you're not qualified for, you're hurting yourself. It sucks to get passed over for a job, but it sucks worse to get fired or quit because you got in over your head.

JockVSJock

beads wrote: »

As far as your friend's past misdeeds are concern its really so much more common than not.

Not my friend.

Someone I used to know and no longer associate with because of their criminal behavior.

NetworkNewb

renacido wrote: »

I don't so much care whether ISC2 requires experience or not. That's up to them.

What I care about is the character of potential hires. Cheating your way to a certification to me is an integrity issue. And your integrity is like your virginity in my book - once you lose it, it's gone forever.

On the job, I can provide training and guidance and opportunities to develop an employee's skills and knowledge areas if there are some gaps. But I can't make a liar into an honest person. Not in my job description.

I understand that to get a job we need to put ourselves and our qualifications in the best possible light. I get it. I do it. It's a competitive job market and we all have to pay the bills.

A well-crafted resume that maximizes your marketability is what everyone should have. But it should be honest.

At the end of the day, if you land a job you're not qualified for, you're hurting yourself. It sucks to get passed over for a job, but it sucks worse to get fired or quit because you got in over your head.

I'll definitely agree with that. While I don't agree with the requirement, having someone unethically obtain a certification should be noted and raise concern about the person's character in general. Good points!

bpenn

NetworkNewb wrote: »

I'll definitely agree with that. While I don't agree with the requirement, having someone unethically obtain a certification should be noted and raise concern about the person's character in general. Good points!

Then again, you shouldnt be hiring someone based off of a certification, only. I prefer candidates with excellent soft skills if anything. Feels like thats harder to come by then people with experience.