CISSP as a stand alone Certification

I noticed a number of people only listing CISSP as there only certification. Now correct me if I'm wrong, I thought a CISSP was the final product of years of security professional’s career.Generally they wouldn’t have certifications and experience in other areas before attempting the CISSP test? While there is no prerequisites required to take the CISSP exam, I assumed they would hold other certifications before attempting the CISSP. After all passing one test hardly makes you a security expert.

Find more posts tagged with

Comments

Danielm7

Passing earlier certs and the CISSP doesn't make you an expert either. A lot of people let older/lower certs expire and only list the ones that are relevant to the specific job. You'll find lots of people, especially in security, who think certs are pointless, they might have picked up one for a work requirement. I wouldn't look too deeply into it.

E Double U

Danielm7 wrote: »

A lot of people let older/lower certs expire and only list the ones that are relevant to the specific job.

Pretty much. I don't list my CompTIA or Microsoft certs anymore because the jobs that interest me now require ISC2 and GIAC.

cyberguypr

^ exactly my case. I've also seen cases as Danielm7 mentions where some people may only get CISSP because it was required for a specifc role.

renacido

I don't list all of mine here, just the ones that are relevant to my career path. And even then I only list them on my profile so when I talk about the certs themselves I don't get the, "you say such-and-such about CISSP but I see you don't have that cert" response to my ramblings here.

I like that other people display theirs...shows their potential for bias, gives me some insight into where they're at in their career so I know how to frame the conversation.

One or 2 entry-level certs = new blood, struggling to get one or both feet in the door, trying to figure out what they want to or should do, need lots of guidance. Might have been told lots of BS by people who don't actually know jack squat but pretend to. I try to be extra helpful and nice to the new blood.

Bunch of low-level certs, one or two mid-level technical certs = have 2-5+ years under their belts, think they know everything now but usually only have decent depth in their particular niche, probably have only worked in 1-3 companies/environments unless they're in sales/consulting, in which case they've been exposed to a lot at least ankle deep, but they don't understand the daily grind or deep complex issues of an enterprise network.

Buttload of very impressive, expensive GIAC certs = govie, military, or defense/govt contractor bleeding the taxpayers dry with their luxurious training budgets. I'm retired USAF so I know, and was never fortunate enough to be able to get on that gravy train. Yes I'm hating a little.

One or two sort of rare or "vintage" certs = usually in a small company or isolated in a government organization with no training budget or IT budget and they're often THE guy for everything. Usually a jack-of-all-trades stuck with legacy systems no longer supported by the vendors, who work hard to keep the house of cards from falling. Sometimes I read stuff from this type of guy that made sense 10 years ago but not so much anymore. It's like they're trapped in 2005.

Bunch of mid-high level certs = Been doing this a while. Mostly spot on in their advice. I read every word they write. Ok, not every word, but when I read something that makes sense it's usually from these guys.

No certs listed = could be a total newb, could be someone who's been in the field for 40 years or presents at DefCon every year. Could be someone in between who thinks listing certs is like wearing 15 pieces of flair. You never know until you read their stuff.

DDStime

TechGromit wrote: »

After all passing one test hardly makes you a security expert.

CISSP is hardly an expert cert

TechGromit

Danielm7 wrote: »

Passing earlier certs and the CISSP doesn't make you an expert either.

True, technically just passing the test gives you an associate CISSP, you have to prove you have the experience to get the full CISSP title. Not that I have ever seen anyone identify themselves as an associate CISSP.

cyber_fan_monterey

Maybe they have tried passing CISSP for the fifth time and become an expert

.
Of course that's not me

Mike7

Same here. I usually only list my ISC2 and ISACA certs as they are more recognised and relevant to my work.

No one needs to know that I am a MCP. (Er.. Microsoft certified pro, not male chauvinist p**)

Remedymp

Certs show perseverance for those individuals who need to market themselves to get into a line of business. As noted above, once said individual gets into the position they desire, they tend to neglect their certs that are not inline with their current role. However, I argue that those past certs describes a past of achievements that got that person to where they're now.

A person with a MCP may very well be knowledgeable about Windows security hardening. You won't know that unless you have a conversation with them. The MCP credential could start that convo.

Even level one security analyst positions are starting to ask for CISSP where it isn't needed.

renacido

Remedymp wrote: »

Even level one security analyst positions are starting to ask for CISSP where it isn't needed.

Yes, but usually written something like "CISSP or similar cert highly desired", which just means a security-specific cert helps get you an interview. Even things written in all caps "REQUIRED" aren't required unless required by actual law or regulation. If your resume makes a strong case that you're qualified, with or without a CISSP, that's all that matters.

I landed two Sr-level security jobs with large companies, both which "required" CISSP and a Bachelor's degree, with neither of these. One of these required the compensation board to approve their offer to me because not only did I not meet these so-called "requirements", the starting salary was well above the range HR wanted to pay. The Board approved. Not bragging, just saying don't be discouraged by obtuse "requirements". A strong resume and good interviewing skills supported by good references are most important. Certs help recruiters find you in search engines. They are SEO for your resume. And they make you learn valuable stuff that you wouldn't bother to if you weren't being tested on it.

If a hiring manager is serious about needing a CISSP to fill a junior security analyst position, they better pay very well or the position will be vacant forever.

Mike7

Remedymp wrote: »

A person with a MCP may very well be knowledgeable about Windows security hardening. You won't know that unless you have a conversation with them. The MCP credential could start that convo.

Yes, there is value in having knowledge in other things. I guess I am just not comfortable putting a long string of certifications in my signature. I feel that you are telling others that "Yes I am certified in many technologies. You should agree with what I say and do not suggest anything".

Guess I am trying to be humble.

Others can view my LinkedIn profile to know that I have MCSD, MCDBA, MCSA and MCSE. Does it make me a Microsoft expert? No.

Remedymp wrote: »

The MCP credential could start that convo.

Or I can easily start that convo by mentioning technologies I used at work and giving examples.

As others mentioned, just the higher level certs that are relevant to current job role will do.

Remedymp

We’re looking for a L1 security analyst who will assist with the Global Security Organization.

The resource will be responsible for managing the mailbox/messaging queue, evaluating alerts, and escalating them to the appropriate group. He/she must understand the common security tools (FW,IDS, proxy) in order to be able to accurately evaluate issues and make sure they are escalated as needed.

Required:
• PCI DSS v2.0/3.0 understanding
• Incident Response experience that entails Service Level Agreements (SLA’s)
• Knowledge of common security tools (FW, IDS, Proxy)
• Microsoft Office Suite experience
• Attention to accuracy
• Ability to work in a high-pressure environment
• Sense of urgency
• Knowledge of appropriate networks, products, and protocols

Nice to have:
• Envision experience
• Archer GRC Tool experience
• CISSP Certification

^^^^^^^^^^

Danielm7

Yep, silly, but it is listed under the "nice to have" section. If someone had a few years as a lower level sysadmin, some helpdesk dealing with passwords, etc, they could probably find a way to qualify for the CISSP, without a real security role. We see it here all the time and on other forums. People have a varied background and ask what to do and someone says they could probably have enough to qualify for the CISSP, does that then mean they should be a Sr level security engineer? Nope.

dustervoice

E Double U wrote: »

Pretty much. I don't list my CompTIA or Microsoft certs anymore because the jobs that interest me now require ISC2 and GIAC.

Agreed.. listing my Comptia creds will only eat up valuable real estate on my 2 page CV.

TechGromit

Remedymp wrote: »

A person with a MCP may very well be knowledgeable about Windows security hardening. You won't know that unless you have a conversation with them.

Then would it be valuable to list expired certifications? I've seen someone on the forum do that. I would think expired certifications would give someone more credibility then someone without certifications.

Iristheangel

These are always fun posts. I don't think there is a cert-posting etiquette as long as you cleared the exam. I don't care if people do or do not post their certs.

For me? I've been around TE for since 2009 and I think a lot of the older members have seen me on my journey throughout the years from back when I was first going through the Network+ (still the *only* exam I received a perfect score on) while working two full time jobs to pay for my exams and study resources to where I'm at now working on my second CCIE and making a great living. I've gone through a lot on these forums from when I was still trying to figure out what I wanted to be when I "grew up" in IT from the time I decided to jump into security and, eventually, to the time I set my heart on networking thanks to the WGU CCNA course and being inspired by some of NetVeteran and Forsaken's posts. I don't think I ever got a chance to tell them that they both inspired me down this path but here's to hoping they read this one day

As far as the certs I have listed here, some of them are close to expiring, not relevant to me anymore, or I just can't speak intelligently to them anymore so I don't have them on my resume but I still put them down because whether or not they really were important in the long run, I feel like I took a lot of these certs with this forum and I grew up here

I guess to each their own and I'm not going to judge the guy who might post his old Novell and Windows NT certs or if someone wants to list just their top cert while omitting everything else.

Off-topic: Forsaken - If you ever read this, I was always super inspired when you wrote about what standards you hold CCNPs to when you're interviewing them. To answer two questions you posted on a long ago thread that you ask people during interview:
1) Yes, I can list out the OSPF LSAs and I can explain their uses
2) LDP <- What protocol is used for label distribution with MPLS
When I was studying for my CCNP, I practically drilled those things in my head while I went. I suppose that's part of why it took me 6 months to get through the ROUTE exam

beads

@TechGromit;

Yeah there going to be some difference in philosophy, particularly here, on Tech Exams. Back in the early last decade it wasn't uncommon to see people list 12-35 certs after their name. Today its seems to be more en vogue to list your most prominent or recent exam. Today the CISSP is one of the most desired designations and thus one of the more abused certifications as well. Seeing many resumes as of late showing no security background, let alone IT but also the highly coveted CISSP. Go figure.

Personally, I see the CISSP as having its day in the sun and now a middling cert. A new hands on and 100 percent vetted cert more along the lines of the GIAC expert exam or better yet, modeled after the CPA exam or American Bar. Anything else is really going to be called into question.

I would however would enjoy reading from someone whose only certification is a current CISSP.

- b/eads