The Value of the CISSP?

Turgon · November 2007

Over the last few years, I have seen the CISSP and other certs get bashed on the internet as having little merit. Prior to the year 2000 I started to undertake more and more security work as part and parcel of my job and have considered taking a security certificate or two when time allows and when the certification choices for security become clearer.

Iam still considering CISSP. Could folks comment on the validity of the cert as things stand and it's value as compared to other offerings?

CISSP bashing here..

http://blogs.ittoolbox.com/wireless/networks/archives/certified-information-systems-security-professional-cissp-is-it-worth-it-9500

sic' The CISSP has become the watered down equivilant of the MCSE during the 1990's. The material is dated, the testing inadequate and inaccurate, and the value is strictly a PERCEIVED value by people that have no idea what the CISSP really is.'

JDMurray · November 2007

Turgon wrote:

Could folks comment on the validity of the cert as things stand and it's value as compared to other offerings?

1. I do not see any evidence that getting the CISSP will hurt your reputation as an Information Security professional. Do you see any downside to obtaining CISSP certification?

2. I do see plenty of evidence that many employers prefer--even require--that prospective employees have the CISSP certification. Isn't it more likely that you would not be offered a job, or awarded a contact, because you don't have the CISSP certification?

3. Is there another "managerial" InfoSec certification that is more highly recognized and recommended than the CISSP? Certainly not the CISM, which I see as in direct competition with the CISSP.

The blog comments in the link you posted are from people who are inaccurate (e.g., "The material is dated, the testing inadequate and inaccurate...") or are grinding a personal axe (e.g., "I can't pass the exams so certs suck"). Also realize that the (ISC)2 and ISACA are two security organizations competing for members and revenue. It's not uncommon to hear hard-core members of one fraternity putting down the certs of the other. Collect 'em all--that what I say.

Slowhand · November 2007

I think I'm with JDMurray on this one, there seems to be a lot of ignorance in the arguments against CISSP on those blogs. The Beer with a CISSP of Lime blog screams of the "I'm hardcore because I know stuff without having passed a test" vibe. (Kind of like someone bashing you for having a college degree, when they 'did just fine without it'.) Like always, the argument falls back to the fact that there are people who **** the exams, or learn just enough to pass the test, without having actually worked or done some sort of hands-on labs. There's a lot of talk about real-world experience and boasting about the work done, but the assumption that no one else knows anything is always there.

Learning the material for any cert, be it CISSP or otherwise, isn't going to hurt you or your career, so long as you study and pass honestly. Take it with a grain of salt, do your own research, and know that there are probably a whole lot more benefits to being CISSP certified than there are drawbacks, (if any). At the end of the day, having plenty of experience as well as the certifications to back up your claims of skill is a nice feeling.

SecurityMonkey wrote:

I've read through several CISSP books, exam preps, cram books, and even attended a few of the 'bootcamps'. I have found some decent material regarding security in general.

What I'm missing is how the world feels safer knowing that a CISSP is watching over them, writing their policies, administering some new-fangled security system, etc. I don't see anything in the material that is truly mind-boggling or really tests whether or not you've been in the industry a while and know your stuff. I see a lot of book reading, concept familiarization, and memorization - sort of like when I crammed for my history finals back in college. I still can't remember when papyrus was discovered. Darn.

I see the CISSP in the same light that I do the MCSE. Lots of reading, take some tests and "BAM!" - you MUST be an expert now, right? *bbzzzzzzttt* Wrong.

I think that (ISC)2 should consider adjusting the CISSP in a few areas - like adding some hands-on testing, interviewing, etc. Think CCIE or RHCE - two exams that are very hard to book-read your way through because you actually have to physically DO something to pass.

I know a lot of CISSP's since I'm in the industry, and they are very much like most of the MCSE's I know. Half of them really know their stuff, and got the cert to appease a hiring monkey somewhere. The other half are book-learned wanna-be's that should consider a fine career in doorknob polishing or perhaps cabana boy towel folding techniques. (Wait a tick... I may want to consider that last career sometime soon. Hmmm)

Of course, he fails to mention that you need several years' worth of work experience in IT security in order to become CISSP certified, in addition to a college degree in a related field and passing the exam. Not to mention that Microsoft strongly recommends a certain number of months/years working with the technologies, in addition to reading, before attempting the MCSE tests. But hey, since when has a little thing like the whole story stood in the way of a good rant?

Turgon · November 2007

Yes thanks for the comments and I agree with your sentiments. I would like to see what some holders of the CISSP think. I recall Freak bemoaning the certificate once he passed but that was more on the validity of official test preparation material as compared to the actual test itself. He also found the test to be poorly worded and vague to say the least. Historically once a cert takes off more and more people set out to attain it and more materials appear to help people do that. It's about that time when a lot of early holders of a cert start to get uptight about all these
new supposedly inexperienced people joining the party.

No doubt the experience of CISSP holders is a variable.

To what extent can people short-circuit the experience process by providing testimonials from buddies that basically lie about one's real security experience? I understand that was a problem in the past.

Some of the criticism also seems to focus on the idea that perhaps many holders of the CISSP presume instant benefits of obtaining the certificate as though the paper says the holder is an expert or mega authority on security. I have no doubt some people do get carried away but that doesn't mean to say one couldn't learn a good deal by studying diligently for the certificate. Like any certificate though that reward has to be earned by the effort put in by the candidate. Hell I transformed my awareness in 1998 by studying for my first MCP! Of course there are **** but that seems to be a problem with most certificates these days.

For all the bashing, I still think it's worth doing and will probably do so once I get some free time. Having done a lot of security work in the past, and continuing to do so, I would like to round off that experience with this certificate. I may learn a few things along the way.

Schluep · November 2007

I am currently an Associate of (ISC)2. I passed the CISSP exam but do not even have the certification since I do not meet the work experience requirement. Most of my experience has been Database/GIS/Programming related and does not qualify as "Direct Full-Time InfoSec Experience" as is needed for the CISSP. Even without holding the certification it has been of incredible value to me. I am setting up some side projects with a Security consulting firm that would not have happened had it not been for passing this exam, and I do not even have the certification yet. For someone transitioning into InfoSec it gave me a very broad view and understanding of the field so I could then hone in on areas most important or most unfamiliar in my personal study. All this and I only took the exam mid-September.

Does it mean it will have this value for everyone? Of course not. I think most of the people attacking it either failed to pass the exam or have that "better than you" attitude since they have success in InfoSec without the certification. It is like anything else however, there are far more people on the internet attacking things than supporting them (since the supporters have better things to do in most cases). Do a search sometime for the number of Mother Theresa hate sites and conspiracy sites if you are ever in doubt when it comes to unsubstantiated attacks people seem to enjoy posting on the internet (anonymously).

As to people cheating the exam or faking their security experience, it is something that will always happen no matter how well people try to stop it. You can't cover everything. I think however that with many versions of the test from a large question pool, audits on work experience and endorsement with potential penalty to the false endorser (under the new requirements they must hold an (ISC)2 credential holder to endorse a candidate). The test is performed on paper and there were 4 proctors for my exam which could easily cover the entire room (plus no two people near each other had the same test booklet). I would say they got MUCH father than most certifications to try and preserve the integrity of the certification, but some people will still find a way to **** the process.

Turgon wrote:

I recall Freak bemoaning the certificate once he passed but that was more on the validity of official test preparation material as compared to the actual test itself. He also found the test to be poorly worded and vague to say the least

From my personal experience I found most of the questions to be very clear with a definitive answer. Of course some are designed to have you choose between more than one correct answer and often the descriptions are not sufficient to be fully confident with your choice, however if you look at it closely there is usually some hint as to which one you should select. I think there will be some poor questions on every test, but even then you can usually narrow it down to at least two choices and it is no different than any other certification in this regard.

It is NOT a hand-on certification however. It is primarily focused toward the technical aspect of Managerial or Consultant decision making. You will not be learning to configure specific firewalls/routers or how to perform a port scan for example. You should probably have an understadng of the various types of firewalls and hardware devices and what would be best used under specific conditions. If people were expecting a technical exam they should have read more about the objectives prior to preparing for it, as that is not the goal of this vendor neutral exam.

My belief is that in this case many of the criticisms are invalid. If you want the certification then I definitely recommend you go for it. As the previous posters said, it definitely will not hurt any.

garv221 · November 2007

I just saw a job posting for an IT Director in SC that mentioned minimum experience of 5 years as IT Director and mandatory CISSP. The pay scale showed 90k-120k depending on experience. This cert is no joke for those who like running departments and making big money. IMHO its the standard for anyone who is on the next level in IT security or IT management as it secures policy, procedures and IT security.

Munck · November 2007

It depends on your objectives. If you want to do policies, management and other "soft" subjects, then CISSP is a worthy challenge. If you want to be a hardcore technician, I'd rather spend time doing some SANS GIAC or vendor-specific certs. At least that's what I've discovered works best for me. It's all about market value

CISSP is often pictured as "the holy grail" of IT-security, which I think is a shame.

Turgon · November 2007

Well our Head of Security and CISSP holder has said he will endorse me for the CISSP. I just need to find time to cover the exam syllabus now. Perhaps next year.

garv221 · December 2007

Munck wrote:

CISSP is often pictured as "the holy grail" of IT-security, which I think is a shame.

Why is that a shame?

keatron · December 2007

Munck wrote:

It depends on your objectives. If you want to do policies, management and other "soft" subjects, then CISSP is a worthy challenge. If you want to be a hardcore technician, I'd rather spend time doing some SANS GIAC or vendor-specific certs. At least that's what I've discovered works best for me. It's all about market value

CISSP is often pictured as "the holy grail" of IT-security, which I think is a shame.

I am a CISSP but the only management I do is of my company (and actually my partners do a big part of that). The CISSP objectives gives one a very good overall view of security and all the different aspects needing consideration. I do primarily three things. Penetration tests & vulnerability assessments, forensics, and training. First of all, a good complete penetration test will test all 10 areas of the CISSP domains. As a penetration tester, you need to know these to be able to test them. Secondly, In a lot of the stuff I've written, I favor viewing the CISSP as a general practitioners license like doctors have (not in depth, but in concept). Then what you do everyday as your specialty (just like you have cardiologist, pediatricians, etc). But you can't truly become a specialist, without first being a general practitioner (at least in medicine). I often wonder if that ideology is not a bad idea for IT Security. I say this because I've seen some of the best vendor specific security experts struggle when they have to take a high level security policy and map it to technical implementations.

The work I do from day to day is about as technical as you can get (even the training side). Mind you some of it can be quiet boring (pulling vendor documentation and reading through hundreds of RFC's). I'll give you a perfect example. I recently helped a client rework a security policy because some of the technical requirements they had in the policies were impossible to implement because they were in conflict with TCP/IP protocols and how they work. So the problem was, their technical implementations didn't match their policy, and the reason they didn't was because their policies specified implementations that were technically impossible to implement. Being able to talk and understand security at a high level while also being able to actually work and a very technical/low level is a combined skill set that IS in demand, and WILL be in demand for the foreseeable future. So to say that the CISSP is just for managers is not exactly accurate. Knowledge is something that can be applied how you choose. That's just like saying "Nmap is for hackers", when in actuality it can also be used for network administration. Or just like saying, Solarwinds is a network administration tool, when in actuality, it can be invaluable as a hacking tool.

So hey dude, go get your CISSP!

Schluep · December 2007

After reading a post like that I just have to comment.

Keatron, that was a brilliant explanation with some great analogies anyone can relate to. The next time someone asks if they should go for the CISSP certification I won't bother with one of my long-winded posts. I'll just keep the link to this thread handy.

Turgon · December 2007

keatron wrote:

Munck wrote:

It depends on your objectives. If you want to do policies, management and other "soft" subjects, then CISSP is a worthy challenge. If you want to be a hardcore technician, I'd rather spend time doing some SANS GIAC or vendor-specific certs. At least that's what I've discovered works best for me. It's all about market value

CISSP is often pictured as "the holy grail" of IT-security, which I think is a shame.

I am a CISSP but the only management I do is of my company (and actually my partners do a big part of that). The CISSP objectives gives one a very good overall view of security and all the different aspects needing consideration. I do primarily three things. Penetration tests & vulnerability assessments, forensics, and training. First of all, a good complete penetration test will test all 10 areas of the CISSP domains. As a penetration tester, you need to know these to be able to test them. Secondly, In a lot of the stuff I've written, I favor viewing the CISSP as a general practitioners license like doctors have (not in depth, but in concept). Then what you do everyday as your specialty (just like you have cardiologist, pediatricians, etc). But you can't truly become a specialist, without first being a general practitioner (at least in medicine). I often wonder if that ideology is not a bad idea for IT Security. I say this because I've seen some of the best vendor specific security experts struggle when they have to take a high level security policy and map it to technical implementations.

The work I do from day to day is about as technical as you can get (even the training side). Mind you some of it can be quiet boring (pulling vendor documentation and reading through hundreds of RFC's). I'll give you a perfect example. I recently helped a client rework a security policy because some of the technical requirements they had in the policies were impossible to implement because they were in conflict with TCP/IP protocols and how they work. So the problem was, their technical implementations didn't match their policy, and the reason they didn't was because their policies specified implementations that were technically impossible to implement. Being able to talk and understand security at a high level while also being able to actually work and a very technical/low level is a combined skill set that IS in demand, and WILL be in demand for the foreseeable future. So to say that the CISSP is just for managers is not exactly accurate. Knowledge is something that can be applied how you choose. That's just like saying "Nmap is for hackers", when in actuality it can also be used for network administration. Or just like saying, Solarwinds is a network administration tool, when in actuality, it can be invaluable as a hacking tool.

So hey dude, go get your CISSP!

Thanks Keatron,

Yeah I use nmap all the time for debugging. Well the road is clear for me post CCIE lab next year. I have plenty of experience backed up with a referral. The problem is time right now. I think meantime I will grab some decent books. Any recommendations?

Schluep · December 2007

I used the following books for my CISSP studies:

All-In-One CISSP Exam Guide (Third Edition) by Shon Harris
Official (ISC)2 Guide to the CISSP CBK
Exam Cram2 - CISSP by Michael Gregg

The book by Shon Harris was the most helpful for me overall in gaining a strong understanding of all the subject matter. It covers it at a very basic level which can good be good in your weak areas and overkill in the areas youare familiar with. Having done a lot of application development and database management I was practically pulling my hair out as she explaned the differnces between the various programming languages, assembly code, and binary executables for example. I grealy appreciated this basic explanation though when it came to things like the Common Criteria, TCSEC, and ITSEC or the various conceptual security models (Bell-LaPadula/Biba/Clark-Wilson) that I was unfamliar with. Overall I highly recommend it. It would make a good first book to begin your studies with. The one I usd was the Third Edition since there was no Fourth Edition at the time, however the Fourth Edition was just released within the past few weeks so definitely get the newest one so it has more of the recent information in it.

The Official (ISC)2 guide to the CISSP CBK is obviously a must read. I found it did not flow very well and had poor organization (likely due to multiple authors being involved), but it definitely has very accurate and useful information that you should be familiar with. There was a lot of information covered in here not mentioned in Shon Harris, and even more informatin that served to strongly reinforce it.

I ordered the Exam Cram 2 book online without seeing it and was planning to use it as a study guide before the exam since it did not seem nearly as in depth as the other two that I ordered. I believe this was a huge mistake and the content of the book was VERY lacking even for a quick review. I would never recommend this book to anyone and if you want a third resource I would suggest finding a better one.

I looked up a lot of things online to find more detail about them than any of these books covered, and also spent a lot of lookig up the NIST documents and things mentioned in the course of my reading. I used some practice quizzes to judge my skills and brushed up on my weak areas. Don't limit yourself to just using books, especially ones designed solely for the purpose of taking the exam. I felt very confident taking it and finished in half the allotted time because I was well prepared.

keatron · December 2007

The books Schluep posted are a good foundation. You can had Hal Tipton's Information Security Handbook. It serves as a nice "glue" to "bind" the other books together. It's a little more focused on practical application which in leaves you with a little deeper understanding of most of the CBK domains, which helps you cut through the fat on those LONG questions on the exam.

keatron · December 2007

Schluep wrote:

After reading a post like that I just have to comment.

Keatron, that was a brilliant explanation with some great analogies anyone can relate to. The next time someone asks if they should go for the CISSP certification I won't bother with one of my long-winded posts. I'll just keep the link to this thread handy.

Thanks man.

JDMurray · December 2007

keatron wrote:

You can had Hal Tipton's Information Security Handbook.

I'd like to add that the 6th edition of this book retails for $150US, is 3280 pages in length, and the pages are vellum-thin. I bought mine half-price form Mr. Tipton himself and it does contain some mighty good reading. The only problem is that it's not something that you can easily lug to Starbucks (and you get some long, hard stares if you do).

clewcrew · May 2010

I have been in the information security business for 20+ years (HP, Oracle and CA) as an engineer, and subsequently to my lobotomy - sales - as a security solutions strategist focusing on federal and healthcare markets.

I am now taking a 6 month CISSP course to hone my skills in the trade. It will not earn me more income (I am in sales and make more than most CISSP's). However, the course and subsequent certification will make me a smarter listener and tie the COTS solutions I promote to the business needs. The CISSP certification will tell my customer base, I took the time to understand their business across the 10 functional areas.

Further, Oracle and CA place tremendous value on the CISSP cert. At Oracle my SE's were required to obtain the CISSP certification and in fact were trained so they could pass the exam.

A lot of folks who bash the CISSP, simply won't take the exam due to time required to invest and costs. They are probably solid security pros, but frankly if a candidate comes to me and they are NOT CISSP certified and another is - I will hire the CISSP guy. Why? Because they took the time to hone their craft and prove it...

SephStorm · May 2010

As a beginner in the Security field, my biggest complaint/fear is the stranglehold CISSP has on HR departments for recruiting. A look on moster will show you cissp is requested or required on everything from Associate Information Security Analyst, to Senior Security Manager of IT Risk.

Another line of intrest, lets take JDMurray's first reply. All of his points were geared towards someone who is looking at the CISSP as it applied to employment. Not the value of the cert to improve one's knowledge, or improve a skill set. Now, I did see Schluep's reply, which is the first I have really seen of this type. I am very glad he got that experience from preparing from his CISSP, but again, I don't see the CISSP as a learning cert, more along the lines of the MCSE, get it or get out.

I probably would have the same feeling about MCSE, if it wern't such a technicaly valid cert. after taking the exam, you should KNOW Microsoft systems. After taking CISSP, if it were what I wanted in a top tier infosec cert, you should KNOW information security.

My two cents.

dynamik · May 2010

SephStorm wrote: »

As a beginner in the Security field, my biggest complaint/fear is the stranglehold CISSP has on HR departments for recruiting. A look on moster will show you cissp is requested or required on everything from Associate Information Security Analyst, to Senior Security Manager of IT Risk.

It's a very well-marketed certification. Some of our customers refuse to work with anyone that doesn't have one. Keep in mind that those job descriptions are HR wish lists. This will obviously vary depending on the organization, but for the entry-level positions, you should look at that as an ideal, not a requirement. However, it will be often be a requirement for senior-level/managerial positions.

SephStorm wrote: »

Another line of intrest, lets take JDMurray's first reply. All of his points were geared towards someone who is looking at the CISSP as it applied to employment. Not the value of the cert to improve one's knowledge, or improve a skill set. Now, I did see Schluep's reply, which is the first I have really seen of this type. I am very glad he got that experience from preparing from his CISSP, but again, I don't see the CISSP as a learning cert, more along the lines of the MCSE, get it or get out.

This certification really just baselines your knowledge in a wide range of subjects. My feeling is that although you learn a lot throughout the course of your studies, you really don't learn how to do anything. The exam is just too broad.

I've ready at least one full book dedicated to each domain. I've probably broken into the double-digits in some of them, and I still feel like I have so much more to learn. You're kidding yourself if you think you're going to walk away with in-depth knowledge. For example, your studies in network security will teach you that you should only allow network communications to traverse the network perimeter if its necessary for business purposes; you won't actually learn how to configure a firewall.

The material will be extremely straight-forward if it's within your realm of expertise. However, there will likely be other areas, DR/BCP, risk management, SDLC, etc. that will be completely new to you. The aim here is to develop a general understanding of the material within the ten domains, as well as how they complement each other.

SephStorm wrote: »

I probably would have the same feeling about MCSE, if it wern't such a technicaly valid cert. after taking the exam, you should KNOW Microsoft systems. After taking CISSP, if it were what I wanted in a top tier infosec cert, you should KNOW information security.

I have to be honest, the MCSE/MCITP:EA is just the tip of the iceberg when it comes to administering/engineering Microsoft networks. The required exams can passed by simply memorizing theory and technical details; many can get by without even having any hands-on experience with the technology. Most of the material is taught and tested at a relatively high level. Like the CISSP does for information security, the Microsoft certifications simply establish a baseline for competency.

Also, I don't think it's possible to, "Know information security." That's like saying, "I know surgery." InfoSec professionals all have their specializations, just like surgeons do. Someone might be an expert when it comes to exploit development and reverse engineering, but chances are that person won't be equally skilled when it comes to enterprise risk management. The CISSP just attempts to make people a little more well-rounded. I consider a lot of the material to be valuable even if you don't directly work with much of it on a day-to-day basis.

The Value of the CISSP?

Comments