
CISSP is Worthless?


Comments

  • diggitle Member Posts: 118
    I really don't understand why companies and IT professionals boast and praise the CISSP so much. Currently I work at a company that performs a multitude of services (managed security and red team activities), yet 2 of the CISSPs I work with have no scripting, programming, hacking, or network engineering experience. They are constantly coming to me (non-CISSP) for Metasploit, Canvas, exploitation, etc. help. These are script kiddie programs too. So why is there so much push for a certification that is a mile wide and an inch deep? I've read Keatron's post about the cans and the wrapper, but how is that possible? How is it possible to master all the cans? No one person does all 12 domains. This is why I think they should revamp the CISSP and stop treating it like whoever has it is the "know-all". I know 3 CISSPs that have failed other exams, i.e. CCNA, CEH, OSCP, Security+ (yes they did), etc.
    c colon i net pub dubdubdub root
  • colemic Member Posts: 1,569
    My take... The CISSP isn't designed - or intended - to measure technical aptitude or knowledge; it provides a baseline for measuring the ability to bring together security and business requirements in a way that finds the right balance between security and ability to get the job done.

    It isn't surprising (to me) that they need help in certain technical areas. You can't expect someone who has those parameters (inch deep, mile wide) to NOT need assistance in technical areas.

    It's not a technical cert, has never been marketed as such, and shouldn't be used to gauge technical ability.
    Working on: staying alive and staying employed
  • TeKniques Member Posts: 1,262
    Agree with Colemic. There seems to be a lot of confusion about exactly what the CISSP is geared towards. Of course, it doesn't help that HR posts jobs that ask for a CISSP with a bunch of technical requirements, but it is what it is.
    diggitle wrote: »
    I really don't understand why companies and IT professionals boast and praise the CISSP so much. Currently I work at a company that performs a multitude of services (managed security and red team activities), yet 2 of the CISSPs I work with have no scripting, programming, hacking, or network engineering experience. They are constantly coming to me (non-CISSP) for Metasploit, Canvas, exploitation, etc. help. These are script kiddie programs too. So why is there so much push for a certification that is a mile wide and an inch deep? I've read Keatron's post about the cans and the wrapper, but how is that possible? How is it possible to master all the cans? No one person does all 12 domains. This is why I think they should revamp the CISSP and stop treating it like whoever has it is the "know-all". I know 3 CISSPs that have failed other exams, i.e. CCNA, CEH, OSCP, Security+ (yes they did), etc.

    This may be true from your everyday experiences, so I can reciprocate with one of my own. I know lots of technical people, ones who can do security forensics, set up sophisticated routing, and do all sorts of security scripting ... ask one of them to write up an information security policy, align a security strategy with business objectives, or implement a security awareness training program and none of them will even know where to start. Point is, security is not just a technical job. On the flip side, just being a CISSP doesn't mean you can do those things either; experience and achievements will ultimately determine whether someone is capable of fulfilling a job requirement.
  • colemic Member Posts: 1,569
    TeKniques wrote: »
    Agree with Colemic. There seems to be a lot of confusion about exactly what the CISSP is geared towards. Of course, it doesn't help that HR posts jobs that ask for a CISSP with a bunch of technical requirements, but it is what it is.

    This may be true from your everyday experiences, so I can reciprocate with one of my own. I know lots of technical people, ones who can do security forensics, set up sophisticated routing, and do all sorts of security scripting ... ask one of them to write up an information security policy, align a security strategy with business objectives, or implement a security awareness training program and none of them will even know where to start. Point is, security is not just a technical job. On the flip side, just being a CISSP doesn't mean you can do those things either; experience and achievements will ultimately determine whether someone is capable of fulfilling a job requirement.

    A CISSP *should* be able to do those things, though.

    And totally, totally agree that not all security is technical! Regardless of what technical security people say. :)
    Working on: staying alive and staying employed
  • philz1982 Member Posts: 978
    Much of my experience with security has been being able to provide a business case to get people to change. If you need to tap folks with certain expertise to build that business case, then so be it. A CISSP is looked at as having familiarity with topics so they can make educated business decisions. There are plenty of people who know "insert your IT focus here"; the people who can coordinate between these disciplines and produce actionable insight that results in business value are the ones who are rare. You usually find either IT focus or business focus, not much of both.
  • emerald_octane Member Posts: 613
    diggitle wrote: »
    So why is there so much push for a certification that is a mile wide and an inch deep? I've read Keatron's post about the cans and the wrapper, but how is that possible? How is it possible to master all the cans? No one person does all 12 domains. This is why I think they should revamp the CISSP and stop treating it like whoever has it is the "know-all". I know 3 CISSPs that have failed other exams, i.e. CCNA, CEH, OSCP, Security+ (yes they did), etc.

    Were the CISSPs that you mentioned hired in Pen test roles? If not, why be surprised when they don't do much pentesting?

    Because security is holistic. OK, maybe you've met a few CISSPs who couldn't tell a SYN packet from a Hot Pocket, but I've met very disgustingly smart CISSPs who can be technical from end to end and do it securely as well. Any sec guy can go into a network and start chopping it down with complete disregard for the business, not understanding the whole picture. A CISSP should be knowledgeable enough to go out to his red team and say "I need you to make sure we meet this regulation requirement by showing our infrastructure capability", then they can go back to the suits and say "we're compliant with XYZ, or we're not, but it costs $$$$, the vulnerability is only $, so we're going to accept the risk."
  • colemic Member Posts: 1,569
    ^^golf clap^^ to the two posts above. That's it perfectly.
    Working on: staying alive and staying employed
  • JDMurray Admin Posts: 13,034
    colemic wrote: »
    A CISSP *should* be able to do those things, though.
    No, a CISSP should have knowledge of the domains covered by the CISSP certification as defined by (ISC)2. If you want additional knowledge not covered by the CISSP (e.g., network troubleshooting, pen testing, programming, soldering and screwdrivers), then you have gone beyond the need for someone with only a CISSP certification. You can't make everything that you need fit under a single umbrella named "CISSP" just to reference your ideal InfoSec worker using a single title. Think up a new title instead.
  • colemic Member Posts: 1,569
    write up an information security policy
    align a security strategy with business objectives
    implement a security awareness training program

    I was referring to the examples listed above... I do believe that those tasks should fall within the skillset of a CISSP.
    Working on: staying alive and staying employed
  • danny069 Member Posts: 1,025
    But you guys that got offers, were you an "associate" of CISSP or a FULL CISSP? Or did it even matter?
    I am a Jack of all trades, Master of None