Read this article and lets discuss.....

Find more posts tagged with

Comments

He should really get out more. I know CISSPs who DO know about packets, IDS and risk analysis.
Has there always been this much rage surrounding CISSP? Those of you on the Yahoo board saw that mega thread about the defcon anti CISSP talk. Now this? Ok everyone turn ur badges in and go home.

spicy ahi

I think the biggest issue is that there aren't any really good technical certs for the IA space. CEH comes close to being the technical counterpart to the Sec+, but what cert is the technical complement to the CISSP?

cyberguypr

Yeah right, CISSP means absolutely nothing. That is why when you run a search at a job board for any big city it returns hundreds jobs. Now, take a look at a sampling of the positions requiring this cert:

- InfoSec Analyst
- IT Manager
- Compliance Analyst
- IT Auditor
- Sr. Information Storage Engineer
- Application Security Engineer

It doesn't take a genius to figure out that those positions are as different as day and night. The CISSP happens to cover domains related to all of them. It is unrealistic to expect every CISSP to be a master or networking, appsec, compliance, and all of the other domains. Whoever doesn't understand that shouldn't be complaining about the certification.

emerald_octane

Plus, the author, as a CISSP holder, should know that security is holistic. We all know this. No one is an expert in everything as mentioned above, but the infosec manager must know about the various domains atleast enough to make sure they are considered. An app dev might not know how to configure IDS or fence height, but a CISSP App dev may write an application and say, "wait, maybe I should have some have some type of remote journaling functionality built into the application to support BCP & DR scenarios." The network manager manager might not give two shakes about forensics, but the CISSP network manager may be able to go to management and say, "look, if we don't implement these $xxxxx safeguards then we could be found negligent because the cost of the safeguard is much cheaper the liability to our customers if a data breach were to occur!"

ITHokie

That does NOT bode well for the future of information security. If you argue that it’s meant to be a broad, “theory” cert – well, I argue we don’t NEED those. We need more DO-ers.

That's a big problem. Broad theory certs should have the type of influence in the industry that Security+ has, not CISSP, which has come to be seen as some sort of gold standard for security practitioners. I realize that DoD and HR have led the charge in creating this misperception, but the result is that there alot of folks and even companies out there in security roles that know little about the technologies behind the assets they are trying to protect.

This is absurd, but very much a reality. There is way too much emphasis placed on a cert that tells me little to nothing about someone's ability to secure a network.

So much emphasis, in fact, that I grudgingly decided to get it even though I don't really need it. My position requires a DoD IAT III cert, and I have one - the GCIH. I orginally began studying for the CISSP, but found the material to be lame. So I dropped CISSP studies in favor of GCIH even though I knew how "in demand" it was. I don't need it, and I don't expect to learn much helpful information from it, but I'm going to get it anyway simply because (1) it's pretty much expected if you are in Infosec, and (2) future earning potential.

ITHokie

spicy ahi wrote: »

I think the biggest issue is that there aren't any really good technical certs for the IA space. CEH comes close to being the technical counterpart to the Sec+, but what cert is the technical complement to the CISSP?

There are plenty of goods technical certs for Infosec, including these -> GIAC Forensics, Management, Information, IT Security Certifications.

tpatt100

Example of a blogger trying to get clicks. Use inflammatory title to make sure his blog post gets shared everywhere. People who don't want to get it for feel forced to get it agree with him. People who got it and wanted to get it do not.

If a company wants somebody to get it for a job get it or don't get it nobody is "forcing" you. Some of the really technical security types I worked with before could not manage an information security program. They know how to do "security" but lack the organizational skills to keep an overall program up to date. They know how to harden a system but lack the skills to coordinate with other IT departments when it comes to patching and system configuration changes.

Not every company will have a specialized IT manager, plenty of that stuff is going to fall on the security personnel themselves.

ptilsen

It seems more like a misunderstanding of the purpose of the cert, which is not to demonstrate technical competency. There are plenty of certs for technical competency -- too many*, if anything. Knowledge of theory and concepts are important, even for practitioners with deep technical understanding. Deep technical understanding paired with security concepts is much more likely to yield good results than one without the other. That's not to say that CISSP doesn't include some specific information that probably has no place on it. Perhaps it has a lot, but the concept of a high-level certification about security concepts and theory is still a good one, in my opinion.

*
Most of the GIAC line (over 20)
Offensive Security line (5)
Entire EC Council line (8 )
SSCP & CASP
Cisco core security line (3)
Cisco specialist security line (6)

That's over 40 certifications specifically about technical security. When you add in the Microsoft and Linux certs which also do cover security practices, that's another 15 or 20 certifications to add.

The CISSP doesn't need to be technical and it shouldn't be technical. Technical is covered. I think there's room for more affordable technical certifications that correlate to the GIAC ones, but realistically most organizations that are really looking for tech-specific certification at that level will pay for it or outsource it anyway.

ITHokie

tpatt100 wrote: »

If a company wants somebody to get it for a job get it or don't get it nobody is "forcing" you. Some of the really technical security types I worked with before could not manage an information security program. They know how to do "security" but lack the organizational skills to keep an overall program up to date. They know how to harden a system but lack the skills to coordinate with other IT departments when it comes to patching and system configuration changes.

Sure. But a CISSP isn't going to cause someone to develop organizational skills and the ability to coordinate an infosec program. This isn't an argument for the efficacy of the CISSP, it's an argument against the notion that technical skills necessarily include the organizational and big-picture skills to run a program.

What the author is pointing out is that our industry is broken, and undue influence of the CISSP is a contributing factor. Information is the next battlefield. Successful hacks from stealing personal information to hacking centrifuges are happening ever more frequently. Millions are being spent on creating regulations, audits, vulnerability assessments run by folks that have never even secured their personal laptop much less have spent 4 years in network administration, canned reports, all in the name of security. But what we really need are more people that understand how to, you know, secure systems and networks. The more the crap hits the fan, the more we are going to see this.

ITHokie

ptilsen wrote: »

It seems more like a misunderstanding of the purpose of the cert, which is not to demonstrate technical competency.

It's defnitely a misundertanding, but not a minor one and not limited to people that don't want to deal with getting it. For example, the US Department of Defense considers it a level 3 technical certification (its highest level).

ptilsen

ITHokie wrote: »

For example, the US Department of Defense considers it a level 3 technical certification (its highest level).

I will admit that that is a serious problem -- but with the DoD, not the CISSP. I don't think there is really any action to be taken on the part of (ISC)2 to correct DoD's standards issues.

As far as the private sector goes, I don't really see a problem with CISSP being the "gold standard" and required by HR. Are people being hired, en masse, to do technical jobs for which they are truly, horribly under-qualified while lots of qualified people do lower-paying jobs? Somehow, I don't think so, and I certainly haven't seen any evidence of it. Any organization hiring for a technical security position obviously needs to vet candidates for the tech skills. I don't see requiring or respecting the CISSP as opposed to or in conflict with that need.

emerald_octane

ITHokie wrote: »

It's defnitely a misundertanding, but not a minor one and not limited to people that don't want to deal with getting it. For example, the US Department of Defense considers it a level 3 technical certification (its highest level).

Is anything wrong with that though, in and of itself. Yes some people fake the experience qualification but otherwise that's one thing that alot of the other certs lack. No one is walking into DoD w/ CISSP in Security Architecture and Cryptography 5 yr domain experience unless they've actually done something like configure firewalls or bonafide PKI work as vetted by respectable CISSPs.

Lets face it we all hear about the dumb-as-toast CISSP but, much like the welfare queen of the 70s, is this just a myth purported by the non CISSP who met someone at Defcon that had the paper but was unable to root a fully patched linux box? The local CISSPs in my area are brimming with technical prowess. One is a DNSSEC recovery key holder (thanks to uncovering a massive security flaw in DNS). Two others are pen testers, and a few app devs. Yes these folks have many certifications in addition to CISSP but it isn't like holding the cert detracts from their knowledge.

lifecomm

Very good points already.

The author says, "HR offices are essentially discriminating against people who don’t have one, for really no good reason." Does this really need to be spelled out to this guy? OK, here goes: HR offices are essentially discriminating against people who don’t have one.

ITHokie

It seems to me that the primary source of disagreement concerning the CISSP is due to our own limited experiences and anecdotal evidence. Some believe that the CISSP is generally only held by people who have the skills and experience necessary for the current positions. Likely, this is based on the fact that CISSPs that they know almost always fit this category. Others have come in to contact with more than a few CISSPs in roles for which they are not well qualified. I can't speak for everyone else's experience, but I can speak for my own.

In my experience, the number of CISSPs I have come into contact whom I would describe as less than competent in their positions is disproportionately high compared to other major certifications. The time I've spent perusing job postings and speaking with recruiters (and colleagues) has led me to conclude that the demand for this certification is very high. The concepts covered by the CISSP are, in my limited opinion, pretty basic, volume of topics notwithstanding. The combination of these 3 things is negatively impacting the Infosec industry in a significant way.

It's not the fault of (ISC)², but that doen't make it any less of an issue.

JDMurray

What is the first point of the blog author's argument? I see him list second and third points to his argument, but I'm not clear on what his first point is. It can't be that people taking a certification too seriously is an indication of a worthless certification. I'm sure people who graduate from Harvard, Yale, and MIT take their degrees very seriously. Does that seriousness indicate those are worthless degrees?

To his second point: The CISSP exam is a generalized InfoSec certification; meaning it broadly covers all fields of what the (ISC)2 considers to be Information Security. The blog author is correct that 99% of all InfoSec people do not work in all fields of InfoSec. If the author wants an InfoSec cert specialized only in his field(s), he should pursue (or create) one of those and not the highly-generalized CISSP certification.

To his third point: Since its creation in 1996, the CISSP certification was never intended to test any sort of hands-on skills in InfoSec. The generalized nature of the CISSP would make this impossible. Such a thorough test would be prohibitively expensive and, as the blog author points out, 99% of InfoSec people do not work in most of the areas of InfoSec covered by the CISSP, so they would have no hands-on skills to be tested. It is moronic to complain that something doesn't do what it was never designed nor intended to do.

I can only believe that this blog author also writes articles complaining about how in University he was forced to take endless classes in subjects that were unrelated to his life, interests, and what he believe to be all of his future careers. He would bemoan, "What possible good could come of forcing people to study subjects that they would otherwise never have the need or desire to experience?" Broad vistas of new and expansive knowledge are obviously not part of life's dream here.

Rather than a University for InfoSec, it sounds like the blog author prefers a blue collar trade school in the InfoSec arts. I'm not sure why he thinks one must be torn down to build the other; both are quite complimentary and quite needed.

Lob

All-in-all, the CISSP has a broad understanding of information security which is formalised and supported with the need for CPEs.

I can say from the day before to the day after I was certified, my skills and knowledge have not changed. But I have a clear baseline to show my present and future employers. It shows you can prove that you can retain standard knowledge and develop.

It does not suddenly make you different. Plus there are many things outside the CBK that my job needs from me.......I think the CISSP helps me hit the right notes with my management......

chilipepper

The blog post is a bit incendiary and logically flawed.

HR doesn't write job descriptions, management does. I've written several jd's and postings for jobs. HR reviews them and helps screen the candidates...that's it. They have no knowledge of the job itself and don't pretend to.

And as a hiring manager, I am smart enough to know that a cert doesn't mean you can or can't do the job.

ivx502

Although, I do not hold the CISSP. I have interacted with several people that have it, and here are my conclusions. It isn't the certification that makes the person. It is the person that makes the certification. I know a few that understand the tightrope to walk between a security policy and functionality. The others you could attempt to slide a few fancy terms by, and they would be quick to correct you.

What I don't understand is the contempt of article. He says, "As the Information Systems Security Professional, I do not need to know a damn thing about fire extinguisher types, fence height, or lighting. Sure, it may be interesting knowledge.But not relevant to most people’s infosec jobs, and thus extraneous in the cert."

Sorry to say this but he is absolutely wrong. You can lock down a server from attacks on the network, but if you allow someone to get into your data center with liquid, and that person spills this liquid taking down a rack of servers with valuable data. Sure the data can be recovered, but it costs money to replace that rack of servers and restoring the data. Knowing how to physically secure data is just as important as and software polices or access controls you set.

Iristheangel

There isn't a certification out there that is going to make you a magical expert on any subject. It compliments experience.

The CISSP is more of a broad-level security management certification that's material teaches broad security principles and best practices from a wide variety of domains. Understanding physical security might be useless for a pen tester or another type of specialist but for a CISO or CSO perspective, it's probably more vital to at least have a broad understanding of basic security principles from most of the 10 domains. Why? Well, a CSO in the health or financial industry needs to be able to work with senior management to make their business case as well as working with physical security, network security, system administrators, and the policy writers to at least explain what they need to ensure compliance. Security officers in certain industries might not need to be experts (or remember every port or algorithm) in every domain but they need to at least have a basic (inch deep) understanding of the concepts to work with the experts in each of those departments and understand why each of those departments are important to information security.

In the end, I'd say the CISSP is excellent for someone who is looking for more of a senior management role in security, someone who is a security enthusiast, and/or someone looking to check a box with HR. The perception might be off about it but that doesn't make it any less valuable.

gwhitney

I don't entirely disagree with the thought behind the post. Obviously, he has his own writing style which makes for good reading and conversation as seen here. What I read is that he is comparing the CISSP to something like the CCIE. You can't read a book and get a CCIE like you can with the CISSP. Honestly, I spent two weeks studying for my CISSP and another week on my ISSAP with six months in between. My cert doesn't say that. It doesn't say what I scored or if I can actually deliver any value in the information security realm. A CCIE has expectations that go along with it. I have met CISSP's that don't have a clue what they are doing and I scratch my head at the questions they ask or things they say. I've met some that are really good. What we don't want to see is the certification diluted by a pool of candidates that might not offer the value expected, similar to the MCSE certs not long ago.

Now one might argue that the information security domain is broader than networking and I agree but it's not a huge gap. My background is in networking and there are areas that I can perform technically and others that I just understand the theory of. However, I know when to go to an expert in the area when I need one. A CCIE is expected to be able to design, implement and troubleshoot complex networking systems. A CISSP designation does not mean the individual can perform any of those functions within information security. The sub-specialty designations are a nice start but have a long way to go. I might argue that the intention of these designations is that the ISSAP can design, ISSEP can implement and troubleshoot and the ISSMP can manage/operate the systems but these certifications suffer from the same problem as the CISSP. Book knowledge across broad domains is the requirement for certification.

I am very much in favor of ISC2 revamping, not doing away with or deprecating, their certifications. There needs to be theory and concepts based cert of general knowledge covering the broad set of domains in information security. Maybe it's the CISSP, Security+, GSEC, whatever. Then there needs to be a hierarchical certification ladder for specific domains to progress through. Personally, I like Cisco's approach to certification when I compare it to Microsoft or the array of IS certifications. Granted, Cisco is a product manufacturer. I'm not trying to downplay the value of the CISSP to an organization or the individual holder. It's an accomplishment that requires a certain level of aptitude to achieve. However, when I look at the broad needs of the industry I believe there is a gap. SANS has done a good job at identifying specific domains with technical competency but without hierarchy and there is a lack of a governing body or standards to tie all of these avenues together in a manner that organizations can understand and allow hiring managers a means to assess talent without running every candidate through the ringer during an interview.