Is CISSP certification worth the effort?

sea_turtle · August 2012

Is CISSP certification worth the effort? | It jobs - InfoWorld

I think this sum's up the CISSP well:

Laura Raderman talked about her angst on the Security Musings blog: "I pay (ISC)2 only because I have to to keep my CISSP.... I'm not a member because I believe in their mission or their goals. I think they're overpriced and useless to me other than maintaining my credential."

I was one of the many who had to pass the CISSP years ago to keep their job (8570), all in all I do keep up with my CPE's, and only because it makes me so marketable if I were to ever look for another job again.

thoughts?

ajd86 · August 2012

I almost think you answered your own question. Having the marketability that the CISSP provides makes it worth it to me.

JDMurray · August 2012

If Laura Raderman had an employer that paid her (ISC)2 Annual Maintenance Fee, would she still be writhing with angst? It's that angst that inspires her blog articles.

theenigmacode · August 2012

I think it's not only about CISSP, it's true for all the certifications. We've to remember that being a certified member, doesn't mean 'we know it all'. In real world, nothing can replace your practical experience, knowledge, analytical approach to the problem and common sense (which is very uncommon). I have come across few people who don't possess any certifications but their skills are second to none.
Any certification is just way of obtaining knowledge that some people prefer, some don't

Lob · August 2012

it's $85 in money terms and effort in CPE terms.

In my books, $85 is free.

ISACA maintenance is the same unless you're a member. Then you get to pay high membership fees and low maintenance fees.

Bad people can get CISSP as well as good people. I can go back 15 years to a Lotus Certified Professional I worked with who was cr-p - my uncertified skills were far better than his.

For what it's worth, some of the higher level things I learned during the CISSP prep are good and useful at a management level.

instant000 · August 2012

Is CISSP certification worth the effort?

My answer:

Yes!

Mathematical Proof:
Salary before CISSP = A
Salary after CISSP = 1.5 * A

Note: sample size of 1.

Hope this helps!

sea_turtle · August 2012

even if any company paid for my fee's and sent me to different security conferences to gain CPE's its still not worth it. The CISSP lists VoIP as a WAN technology when i took the exam a few years back, that's a total joke. The material is dated, yet enough companies and hiring managers do believe that the cert means something, thus its premier.

Certs that do matter? CCIE, JNCIE, ITIL, PMP. Those certs are worth their weight in gold. (i dont know the ones from the systems engineer that are solid but im guessing an MCSE or something like that?)

cyberguypr · August 2012

Wait, that sounds a bit a paradoxical. You argue it's not worth it but then you say it's seen as premier by employers. I am not saying that is the definitive factor to determine its worth but there's definitely some value if it is seen that way by employers.

sea_turtle · August 2012

I think its not worth it at all BUT i find it interesting that it is so sought after by employers. Its kind of like when a headhunter puts out a req that says "CCIE prefered CCNA required". It doesnt make much sense when that is a serious gap of people they are talking about/looking for.

beads · August 2012

From a personal standpoint. No, not at all - its become just another paper cert. From the employer standpoint there isn't much else to compare so its worthwhile to pursue. Thus the market wins and the individual kinda wins but for the wrong reasons. With that said I will tell you most CISSPs I've more recently meet don't exactly come close to the ethics let alone the ideals set forth by the ISC2. Don't have the experience? "Just make something up..." Heard phrases like that time and time again and to a lesser effect on this board. By this time I suspect somewhere between 40-60% of so called CISSPs shouldn't have been sitting for the exam let alone signed off on. That low barrier alone means the cert will eventually be reduced to what happened to the CNE, MCSE and so many others over time - a joke. An important but understandably inside joke, like so many others over time. Keep churning out those Cracker Jack CISSPs!

- beads

dmoore44 · August 2012

beads wrote: »

...Thus the market wins and the individual kinda wins but for the wrong reasons. ...

What are the wrong reasons? You're not supposed to approach a certification in order to learn something new - you're already supposed to have a handle on the material you're being tested over. So, if an individual pursues the CISSP in order to learn INFOSEC, they're doing it wrong.

JDMurray · August 2012

sea_turtle wrote: »

Its kind of like when a headhunter puts out a req that says "CCIE prefered CCNA required". It doesnt make much sense when that is a serious gap of people they are talking about/looking for.

This is because people are forced to deal with cert who don't have time to acquire the expertise about them that we here at TE do. Headhunters, hiring manager, HR staff, and educators suddenly get the world of certifications flung at them on top of everything else they do, so they try to boil it all down to a simple matrix of "this is required and this is desirable," and "this is better than that." They don't have the time (or the desire) to truly understand how much difference there is between a CCNA and CCIE, or a Security+ and a CISSP, or an MCSE and an MCITP. I would say only the hiring managers are responsible for discovering that level of detail about certification.

spicy ahi · August 2012

So it's not valuable to you because you don't think it's valuable yet you maintain it because it makes you more marketable if you look for job... Wait... so if it makes you marketable, it's valuable right?

Just messing around with ya.

I think it's valuable for IAM or CISO types, but I still don't understand why a lot of jobs recommend CISSP for pen testing or IT auditing jobs in the DoD space. It's probably just easy to say CISSP required for all those IA jobs than to actually *gasp* figure out what appropriate certifications apply to a position.

ptilsen · August 2012

It has market value. It's worth it. End of story.

Whether the exam has any value in proving a certain level of knowledge among IT and Infosec professionals is worth debating. Even five years ago, when I was a CISSP/CCNP/MCSE as an adjunct, he described the CISSP as "a mile wide, an inch deep". I don't see that that's seriously changed in recent years. We can complain about material being out of date and the like, but I've never heard of a non-product-specific cert vendor that doesn't have that problem. Is CISSP really any more out of date than each iteration of A+ or Net+? A+ has always been 3-5 years behind, from what I've seen.

CEH is hardly an alternative, and the problems there seem much worse than those with CISSP, to me. OSCP definitely has some merit, but I assume most infosec professionals are not pentesters.

I think we tend to grossly exaggerate the problems with certifications. MCSE is not a joke. Yes, there have been problems and the various version of it have been devalued. But, it's still one of the most sought-after, respected certs in the MS world. And outside of blatant cheating, it would be disingenuous at best to describe it as easy. I think the same principles are true of CISSP, A+, even CEH and whatever other certs we might find highly problematic. Almost all of them have a purpose and have some value both in the market and as actual representations of knowledge, even if we feel the value is exaggerated or misunderstood.

Ultimately, I return to my first line, which is that for the time being, CISSP is worth it. If you're successful and in a position where it doesn't add value, fine, don't pay for renewal or take it. Most of us interested in infosec will still probably pursue it, because for the time being, the industry wants it.

TeKniques · August 2012

ptilsen wrote: »

It has market value. It's worth it. End of story.

Whether the exam has any value in proving a certain level of knowledge among IT and Infosec professionals is worth debating. Even five years ago, when I was a CISSP/CCNP/MCSE as an adjunct, he described the CISSP as "a mile wide, an inch deep". I don't see that that's seriously changed in recent years. We can complain about material being out of date and the like, but I've never heard of a non-product-specific cert vendor that doesn't have that problem. Is CISSP really any more out of date than each iteration of A+ or Net+? A+ has always been 3-5 years behind, from what I've seen.

CEH is hardly an alternative, and the problems there seem much worse than those with CISSP, to me. OSCP definitely has some merit, but I assume most infosec professionals are not pentesters.

I think we tend to grossly exaggerate the problems with certifications. MCSE is not a joke. Yes, there have been problems and the various version of it have been devalued. But, it's still one of the most sought-after, respected certs in the MS world. And outside of blatant cheating, it would be disingenuous at best to describe it as easy. I think the same principles are true of CISSP, A+, even CEH and whatever other certs we might find highly problematic. Almost all of them have a purpose and have some value both in the market and as actual representations of knowledge, even if we feel the value is exaggerated or misunderstood.

Ultimately, I return to my first line, which is that for the time being, CISSP is worth it. If you're successful and in a position where it doesn't add value, fine, don't pay for renewal or take it. Most of us interested in infosec will still probably pursue it, because for the time being, the industry wants it.

This is a very good post ... thank you. I certainly do not think my MCSE is/was a 'joke' -- those tests were quite difficult. As someone who's aspiring to move from direct IT Management to more of an InfoSec Management role I believe the CISSP is a vital step to achieve that in today's market place.

The article referenced by the OP may have some merit, but I really think it's more hit and miss for certain individuals. If you think the CISSP is truly just not worth your time/money then there are some options. A: Don't pursue the certification. B: Stop paying your AMF and submitting your CPEs.

Is CISSP certification worth the effort?

Comments