Menial jobs that requires certifications such as CISSP, etc

I can't deny that I've received plenty of job offers ever since I obtained my CISSP and CISM certification. But what irks me most is that 80% of the job offers I've received were nothing more than paper pushing / button clicking roles. Even more so disappointing, when I look at IT security / cybersecurity jobs on jobs portal, some entry level to 3 years experience IT security related jobs require CISSP (really?). The expected salary does not even commensurate to the one of a CISSP...

Now I'm not saying that CISSP holders demand better or superior treatment here but I think that these organisations do not know; to the full extend, what CISSP is about or they are just following the trend of hiring someone with these fancy certifications. These situations I believe, has somewhat led HRs to discriminate job applicants without CISSP. There are demand for ITsec / cybersecurity professional but the requirement just discourage people without one to apply for it.

I'm not sure what's the situation like in other parts of the world but it's quite real in my country.

Find more posts tagged with

Comments

OctalDump

Yes, I see similar things like listing MCSE for helpdesk roles or CCIE for low to mid level networking (eg network administrator). I think some employers just aren't sure what these things mean. Probably also there is some disconnect between the IT people actually needing staff, and the HR people writing the job ads.

Someone else commented in another thread specifically on Info Sec roles, where many organisations are just hiring their first Info Sec specialist and aren't quite sure what to ask for or are being very risk adverse.

I think we sometimes expect employers to be much more professional/competent than they are.

Sheiko37

It's backwards logic to expect someone to have a CISSP only years (decades?) into their career. How bad is their security knowledge up until this point? The certification isn't that hard to achieve.

I agree though that a job requiring 3 years experienced and the CISSP is dumb since the CISSP alone requires 5 years to be certified.

tuabuikia wrote: »

I think that these organisations do not know; to the full extend, what CISSP is about

I'd like to hear what you think the CISSP is about...

tuabuikia

Not saying that one should start achieving 'CISSP' once they have decades of experience. 5 years of experience is just good enough for a security professional to start obtaining CISSP.

Having CISSP certified staff member in your organisation means that they (your staff) understands the various domain of information security and have significant experience on it. With that, said I believe that CISSP should only be made mandatory depending on your job role and description.

For example, in one opening I came across for an IAM analyst role (access provisioning, etc), it requires the candidate to have CISSP. In this case, potential candidate will probably only get to practice one area out of the 8 domain. Take that into consideration together with the number of years in experience, it'll only create a disparity in salary. ISC2 CAP or ISACA CSX would be a better choice of certification requirement for this role; in my opinion.

However, if you're a senior manager managing the IAM service line, then CISSP should be a requirement taking into consideration that you would need to manage the service, developing and maintaining policies around privileged IDs, addressing audit findings, etc.

TheFORCE

tuabuikia wrote: »

For example, in one opening I came across for an IAM analyst role (access provisioning, etc), it requires the candidate to have CISSP. In this case, potential candidate will probably only get to practice one area out of the 8 domain. Take that into consideration together with the number of years in experience, it'll only create a disparity in salary. ISC2 CAP or ISACA CSX would be a better choice of certification requirement for this role; in my opinion.

However, if you're a senior manager managing the IAM service line, then CISSP should be a requirement taking into consideration that you would need to manage the service, developing and maintaining policies around privileged IDs, addressing audit findings, etc.

IAM topics are not covered only one domain. IAM topics are covered under all the below domains.
Security and Risk Management (Security, Risk, Compliance, Law, Regulations, and Business Continuity)
Identity and Access Management (Controlling Access and Managing Identity)
Asset Security (Protecting Security of Assets)
Security Assessment and Testing (Designing, Performing, and Analyzing Security Testing)
Security Operations (Foundational Concepts, Investigations, Incident Management, and Disaster Recovery)

An IAM manager does not only have to deal with IAM they have other business things to worry about, a manager has not gotten to the point of being a manager just because they have a CISSP, they have other work experience and years on the IT field.

Danielm7

Just this morning I found a listing for a Jr security analyst for the company I work for, it was altered by a recruiter. The requirement was 1 year in security and various other things, the recruiter added CISSP, GCIA and CISM...

We already emailed him to fix it.

636-555-3226

Infosec job descriptions & listings are an absolute mess. Mostly because the drafters (HR/IT managers) don't understand information security and don't understand the certifications they're asking for. Step #1 for any business - hire an experienced CISO/infosec director/manager. That's it. Let them do the rest from that part on since they understand how these things work (if they're experienced)

jeremywatts2005

I see this all too often in jobs. I make way more than most CISSP's. I am a senior InfoSec manager and I do not have a CISSP nor was it required. I make a nice salary without it. That is one of the reasons I have been hesitant in getting the cert is I do not know the value it would bring to the table for me. Outside of saying I have it. The same thing happened to MCSE back in the late 90's earl 2k it started to devalue because they wanted help desk guys to have it even though there was a multitude of certifications that would be more help desk related.