Is CISSP Wide enough?

blueberriesblueberries Banned Posts: 138
Hello,

I am a networking guy looking to get into the InfoSec field.

Right now I am doing the dirty blue collar work in my job, connecting cables, configuring things, troubleshooting, etc.

I'd rather be in a more administrative position away from all of the machines so I am wondering if CISSP is right for me?

I like the whole "mile wide, inch deep" philosophy and noticed in the network domain of CISSP it's lighter than the N+ exam, which strikes me as being attractive.

I was wondering if the physical security domain is wide enough, though?

Yes, it is important to know about fire extinguishers, but what about real physical security?

I think it would be cool if the CISSP added a new domain on theoretical martial arts, in order to protect the company from assaults. Also a theoretical firearms and explosives unit would really whet my appetite for this cert.

Please let me know if you think the CISSP is worth it, and if you agree that it could be a bit wider regarding these important (but neglected) topics.

Thanks for your time.

Blue

Comments

  • TBRAYSTBRAYS Member Posts: 267
    This is merely a management exam, which requires 5 years experience w/o and 4 with a degree in 5 of the domains in the CBK. Are you serious about martial arts being added to the CBK? If so, you're looking at the wrong field!
    Bachelors of Science in Technical Management - Devry University
    Masters of Information Systems Management with Enterprise Information Security - Walden University
    Masters of Science in Information Assurance - Western Governors University
    Masters of Science Cyber Security/Digital Forensics - University of South Florida
  • webgeekwebgeek Member Posts: 495 ■■■■□□□□□□
    Yes, it is important to know about fire extinguishers, but what about real physical security?

    I think it would be cool if the CISSP added a new domain on theoretical martial arts, in order to protect the company from assaults. Also a theoretical firearms and explosives unit would really whet my appetite for this cert.

    *****

    It is not our job to be cops and bomb squad. Leave that to the experts. To satisfy your firearms needs, go to a range, educate yourself, and get a CCW permit.
    BS in IT: Information Assurance and Security (Capella) CISSP, GIAC GSEC, Net+, A+
  • TBRAYSTBRAYS Member Posts: 267
    webgeek wrote: »
    *****

    It is not our job to be cops and bomb squad. Leave that to the experts. To satisfy your firearms needs, go to a range, educate yourself, and get a CCW permit.

    Agreed!
    Bachelors of Science in Technical Management - Devry University
    Masters of Information Systems Management with Enterprise Information Security - Walden University
    Masters of Science in Information Assurance - Western Governors University
    Masters of Science Cyber Security/Digital Forensics - University of South Florida
  • !nf0s3cure!nf0s3cure Member Posts: 161 ■■□□□□□□□□
    I have met many people who were CISSPs but let it expire as they did not see any value in it anymore. They were all SMEs in their fields and they question the validity of some of the latest range of domains. But again, it is a means to get the license; then what you choose to do with it is your choice. At times it is about getting a foot in the door. And a lot of doors need the key called CISSP. Use it to unlock the door and then find your way from there.
  • JDMurrayJDMurray Admin Posts: 13,023 Admin
    Yes, it is important to know about fire extinguishers, but what about real physical security?

    I think it would be cool if the CISSP added a new domain on theoretical martial arts, in order to protect the company from assaults. Also a theoretical firearms and explosives unit would really whet my appetite for this cert.

    CISSP stands for "Certified Information Systems Security Professional." There are probably enough information-systems-related physical security topics already in the CISSP CBK. I can see CCTV cameras and fire extinguishers and bollards all being necessary to protect a data center from physical incidents, but firearms and martial arts too? I think that would best be left for certifications in law enforcement and security guard training. I'm sure there are entire Web sites for such things.
  • bobloblawbobloblaw Member Posts: 228
    You have to pass the CISSP first, and only then can you submit an application for ninja school.
  • dbrinkdbrink Member Posts: 180
    I got a good laugh out of this thread....trying to figure out if the original post is completely serious with the martial arts and explosives comment.
    Currently Reading: Learn Python The Hard Way
    http://defendyoursystems.blogspot.com/
  • f0rgiv3nf0rgiv3n Member Posts: 598 ■■■■□□□□□□
    Wow, this thread is mind blowing. I think that a blackbelt in karate should be added to the 5 year requirement. But maybe the name should be changed if we go that route, from CISSP (Certified Information Systems Security Professional) to CISSBA (Certified Information Systems Security Bad Ass)


    On a serious note, blueberries, you and I are in the same position. I recently passed the CISSP and am going through the paperwork now in hopes that it will bring me to the management level of information security/network security. I didn't feel that the physical security domain was lacking at all, but that could just be my ignorance showing.
  • emerald_octaneemerald_octane Member Posts: 613

    I do this at work, every day with my 'sisp' badge.
  • !nf0s3cure!nf0s3cure Member Posts: 161 ■■□□□□□□□□
    Not sure why he mentioned martial arts, let's talk about Crypto! Just did a course about Crypto equipment and did not touch a single thing on the CISSP list. Sure the guy said what algorithms they used but that was it. It was more about networking than anything Crypto! So I still have to study that Crypto domain as it has to be done.
  • da_vatoda_vato Member Posts: 445
    Emerald!... you made me spit out my coffee this morning when I saw your post lol. When I first read this posting I thought of this exact video. Priceless!

    Well gents I used to teach MMA in the army, I suppose we could start our own Elite CISSP group (providing I ever get there) and we could make appearances on the ultimate fighter we could even call ourselves the "Crypto Crew".....

    Instead of security through obscurity we could start security through intimidation.
  • doverdover Member Posts: 184 ■■■■□□□□□□
    That video was awesome - I needed a laugh this morning.

    He should have been interrogating a little girl in the pink room about her misuse of Internet privileges in clear violation of Acceptable Use Policy.
  • NyblizzardNyblizzard Member Posts: 332 ■■■■□□□□□□
    Laughed a few times reading this :D
    O
    /|\
    / \
  • blueberriesblueberries Banned Posts: 138
    Hello guys! Thanks for all the insight and feedback. I don't mean to imply that one needs a blackbelt in anything. I am just saying that if someone comes into the server room and tries stealing something, studying theoretical incapacitation techniques could help a manager, not necessarily implement the technique himself but to instruct one of the aforementioned experts to do so. This is kind of like a CISSP manager telling someone to configure a firewall without actually having to do it.

    A well rounded security manager should be able to understand what is happening under his watch, imo. Theoretical security is theoretical security, and maybe 20 pages and ten questions of theoretical jiujitsu may help do the job.

    For example: if you want your security guard to do a triangle choke instead of an armbar to leave less fractures, it could save the company lots of money in lawsuits, imo. Just thinking out loud here.
  • badrottiebadrottie Member Posts: 116
    Just when I thought that my military experience would not have applicability in the information security field, this post made me reconsider.

    Directional anti-personnel mines really do have their place in the data center as part of a defense in depth strategy.
  • paul78paul78 Member Posts: 3,016 ■■■■■■■■■■
    Bear in mind that the "I" in CISSP is about information. The skills that you mentioned are only tangentially related. I have not explored the updated CBK but my only issue with the Physical Security domain is the lack of life-safety topics. For example, how to handle active shooter scenarios or natural disasters.

    As an Infosec manager, I'm also always surprised that many people consider the CISSP as a management certification. There are actually very few management topics in the CISSP. In previous casual conversations with colleagues and peers on the topic of the CISSP, many of my peers view the CISSP like the entry level A+ of security.

    Perhaps you ought to consider reviewing a different organization's certifications and materials like ASIS International - www.asisonline.org. That org's charter is more in line with what you describe.
  • doverdover Member Posts: 184 ■■■■□□□□□□
    You're definitely thinking outside the Information Security box...

    If any of the InfoSec/IT manager types I've worked with had to combat anything other than weight gain or WoW villains I'd put my money on the thief - every time.
  • thegoodbyethegoodbye Member Posts: 94 ■■□□□□□□□□
    paul78 wrote: »
    As an Infosec manager, I'm also always surprised that many people consider the CISSP as a management certification. There are actually very few management topics in the CISSP. In previous casual conversations with colleagues and peers on the topic of the CISSP, many of my peers view the CISSP like the entry level A+ of security.
    I agree with you, which is why I don't ever flaunt my CISSP. In my mind, it means I know the bare minimum about information security.
  • JDMurrayJDMurray Admin Posts: 13,023 Admin
    I am just saying that if someone comes into the server room and tries stealing something, studying theoretical incapacitation techniques could help a manager, not necessarily implement the technique himself but to instruct one of the aforementioned experts to do so.
    One of the universal axioms of the CISSP CBK is "human safety." The lives of humans are worth far more than any bit of information that one may be managing or protecting. As is such, dangerous situations should be immediately reported to authorities and the area of danger be evacuated. Transfer the risk to the professionals who are trained to handle physically threatening situations.
  • emerald_octaneemerald_octane Member Posts: 613
    paul78 wrote: »
    In previous casual conversations with colleagues and peers on the topic of the CISSP, many of my peers view the CISSP like the entry level A+ of security.

    Much like Hedge Fund managers and Heirs of large fortunes consider < $250,000 incomes to be scraping by, I presume :D . If nothing else I feel that the AMFs, CPEs and exp requirement raise the stakes. Plus ISC2 does a pretty good job with edu events; I've gone to three in my city so far, most CISSPs, some SSCPs, few with concentrations. Good discussions.
  • bobloblawbobloblaw Member Posts: 228
    Did I just read "theoretical incapacitation techniques"? Best CISSP thread ever.
  • NetworkVeteranNetworkVeteran Member Posts: 2,338 ■■■■■■■■□□
    JDMurray wrote: »
    One of the universal axioms of the CISSP CBK is "human safety." The lives of humans are worth far more than any bit of information that one may be managing or protecting. As is such, dangerous situations should be immediately reported to authorities and the area of danger be evacuated. Transfer the risk to the professionals who are trained to handle physically threatening situations.

    Absolutely! I have seen competitors use physical force to take our equipment (and their configurations). Considering physical security is wise. Asking employees inadequately trained in physical combat to attempt to fight off attackers or even use their inexperienced judgement to determine when it is wise to do so is a serious lawsuit and/or tragedy waiting to happen. This is one reason why bank tellers are instructed to always hand over the money even if they are "sure" the robber's weapon isn't real.
  • HumbeHumbe Member Posts: 202
    f0rgiv3n wrote: »
    Wow, this thread is mind blowing. I think that a blackbelt in karate should be added to the 5 year requirement. But maybe the name should be changed if we go that route, from CISSP (Certified Information Systems Security Professional) to CISSBA (Certified Information Systems Security Bad Ass)

    LOL !!!

    Now we are Bad Asses ? :D
  • blueberriesblueberries Banned Posts: 138
    Humbe wrote: »
    LOL !!!

    Now we are Bad Asses ? :D

    I always considered CISSPs to be bad asses, and not just because of the way they strut their stuff, but because of the warrior symbology that is associated with infosec.

    Usually when I see these guys I am on my hands and knees crimping a cable or something and these guys walk in like spartan warriors, always seeming like they know what to do.

  • f0rgiv3nf0rgiv3n Member Posts: 598 ■■■■□□□□□□
    Humbe wrote: »
    LOL !!!

    Now we are Bad Asses ? :D

    Only if you're a blackbelt. I hope to become a CISSBA some day... for now I'll just have to settle with CISSP.
  • da_vatoda_vato Member Posts: 445
    f0rgiv3n I will train you. You! Daniel suuun, me! Mr Miagi. I'm even thinking a reality tv show with this "IT Ninjas" .... What you guys think? Ok maybe I went too far...... Haha
  • blueberriesblueberries Banned Posts: 138
    I always envisioned an IT Iron Chef where the challenger challenges either a red hat Iron IT chef, a Cisco Iron IT chef, or a Microsoft iron IT chef.
  • da_vatoda_vato Member Posts: 445
    I don't even watch tv but I might watch that
  • wes allenwes allen Member Posts: 540 ■■■■■□□□□□
    While adding some Kinetic training to the CISSP might not be the best idea, as keepers of the keys to IT kingdom, it isn't unthinkable that an admin/engineer might be put into a situation requiring some self defense or CCW training because of what they know.

    I also kinda think of CISSP as more like an entry level, broad test covering the basics of infosec. There was a bit of chatter about the value of CISSP on twitter the other week because of this blog post: Idoneous Security: Going paperless. and a response Idoneous Security: The view from the other side. And, while I value mine and don't plan on letting it expire, I just look at it as a first step sorta thing. To bring it back to martial arts I think CISSP = Black Belt. Which is to say, people outside of martial arts think of black belt as the end goal, while people who have been involved with them for long enough know, it is just the end of the beginning.
  • blueberriesblueberries Banned Posts: 138
    I don't agree that CISSPs aren't engineers. They study social engineering, and therefore, are engineers of the human soul.