Caute_cautim
Community Champion

Interesting comments on Peerlysts on the relevance of the CISSP qualification

HI All

 

https://www.peerlyst.com/posts/is-cissp-worth-it-nathan-chung-cissp-giac-gsec-ccsk

 

There is an interesting discussion on Peerlyst as to the relevance of the CISSP and its worth.

 

What do others think?

 

Regards

 

Caute_cautim

11 Replies
Steve-Wilme
Advocate II

The case in point doesn't hold true.  HR departments often simply do not check thoroughly or the candidate manages to evade answering the question about the current status of their ISC2 qualifications.  We had a CISO who had allowed his CISSP to expire for example.

 

The main plus point of the CISSP being a mile wide and an inch deep is that it fills in the gaps in your knowledge as a practitioner, as typically you won't have covered every domain in depth through practical hands-on experience.  

 

It is correct to say it's treated as a tick-box exercise along with the other paper qualifications, as a means of screening candidates for positions.  So as a candidate you have to bag a number of certifications, even if you have significant experience, if the sector you've been working in has a downturn and you can't rely on your network to get another position.  So even with almost 30 years' experience in IT and 18 in InfoSec you still get the same challenges as someone new to the field, which is a little absurd, but you're forced to play the game.

 

As a tactic, it makes sense to maintain a number of certifications and professional memberships, rather than rely on a single one.  There really isn't a gold standard; the field is still too fragmented with too many qualifications.  What really counts is knowing how to practice security in the field, which encompasses a whole range of skills that the CISSP doesn't even touch on.   It's why I think the IISP skills framework, with its focus on the softer skills in section J, strikes a better balance.  Take a look and try the application as a thought exercise, as it'll give you a better idea of where your strengths lie and where you could benefit from some development.

-----------------------------------------------------------
Steve Wilme CISSP-ISSAP, ISSMP MCIIS
emb021
Advocate I

It's a 'discussion' that's been going on for some time.  I've seen it for years, been involved with it at times.

 

I didn't start to get certs until I lost my job 6 years ago, and found that companies were often ignoring me due to a lack of certs.  While they haven't gotten me a job, I know that having them has ensured I at least got an interview or that recruiters reached out to me with positions.

 

Yes, companies WILL ignore you if you don't have certs.

 

Yes, there is the problem that people get certs who don't have the experience or skill.  Certs are only an indicator of knowledge; some, if they require you to have worked in the field, can show experience, but few show skills (some of the newer, more hands-on certs like the OSCP and maybe the ISACA CSX do.  SANS seems to be adding some hands-on stuff in some of their certs and I think EC-Council is doing the same).

 

Yes, there are some in the field who poo-poo certs and can get positions without them.  Good for you.  But many of us may not have 'rock star status' or strong networks that can ensure getting that next job without certs.

 

And yeah, there are these people who think they can just go out and get a cert and that guarantees them a (high paying) job in the field.

 

A lot of this is why I created a presentation on certs that I've given at a few local infosec events and meetings.  I cover the whys and hows of certs, getting and keeping them, and go over the major ones (from CompTIA, ISC2, ISACA, SANS/GIAC, and EC-Council), and the several good smaller ones (OSCP, IAPP, DRI, PMI, etc).

 

Certs have their place.  For some roles you MUST have them (government work, auditing work, PM work, etc).  Just don't be a jerk about them.

 

---
Michael Brown, CISSP, HCISPP, CISA, CISM, CGEIT, CRISC, CDPSE, GSLC, GSTRT, GLEG, GSNA, CIST, CIGE, ISSA Fellow
Steve-Wilme
Advocate II

It makes sense to think of certs as if they're college degrees.  Not a whole lot of use in isolation if trying to get a first position, as you won't have the experience.  So I'm a little dubious about the "take your CISSP, pass the exam and then get the experience" argument from ISC2.  In a tight job market you won't even be able to state that you have the CISSP, just that you have an exam pass.  And if you don't get the requisite experience and are forced out of economic necessity to work in another field, you've pretty much wasted your exam fee, study costs and effort (not that I necessarily think any learning is wasted, but it is if you see it as a golden ticket to a well-paid career).  

 

There was an interesting comment made at the recent IISP Live event, which was that a lot of InfoSec Managers and CISOs suffer from feelings of inadequacy and have taken certification after certification to compensate.  If you swallow the meritocracy argument wholesale then you'd assume formal qualifications were the path to success, but really not so much as you think.  Sometimes a necessary condition, but not always.  And more qualifications don't equate to a correspondingly better position.  So perhaps you collect enough to get by and not be excluded from opportunities rather than play badge collecting for its own sake.  You'd probably be better off taking a more general business qualification than getting a full complement of available security qualifications, and working on your soft skills.

-----------------------------------------------------------
Steve Wilme CISSP-ISSAP, ISSMP MCIIS
emb021
Advocate I


@Steve-Wilme wrote:

It makes sense to think of certs as if they're college degrees.  Not a whole lot of use in isolation if trying to get a first position, as you won't have the experience.  So I'm a little dubious about the take your CISSP pass the exam and then get the experience argument from ISC2.  In a tight job market you won't even be able to state that you have the CISSP, just that you have an exam pass.  And if you don't get the requisite experience and are forced out of economic necessity to work in another field you've pretty much waste your exam fee, study costs and effort (not that I necessarily think any learning is wasted, but it is if you see it as a golden ticket to a well paid career).  

 


Well, there are certs out there that are good for those without the experience, but show your knowledge: the CompTIA and SANS/GIAC certs, and I think some of the EC-Council ones.  I usually point people to the CompTIA and SANS ones who are trying to get into the field.

 

For me, the ISACA and ISC2 certs are for those already in the field to show they have the knowledge/experience.  I *hate* seeing them listed for entry-level positions, though it happens.  (The "have 2 years' experience and a CISSP" BS many of us see.)

 

I don't see a problem with passing the ISACA or ISC2 certs, then getting the experience.  There is the risk of not being able to get the experience if you're not already employed, but I have seen some positions where they have said "have the cert *or be able to get it*", which means if you've passed the exam and just need the experience, this would give you a leg up on the person who hasn't done that.

 

[for those not aware, the ISACA certs also require experience, but there is no 'associate' level like ISC2 and a few others do.  You have 5 years after passing to get the experience.]

 

---
Michael Brown, CISSP, HCISPP, CISA, CISM, CGEIT, CRISC, CDPSE, GSLC, GSTRT, GLEG, GSNA, CIST, CIGE, ISSA Fellow
dreastans
Newcomer III

Personally I think the CISSP is an important checkbox for any professional that is going into an information security role and intends to manage a cyber security program.  The CISSP is deliberately not easy to pass because of all the information it covers.  While it might not be the be-all, end-all technical certification, it's important for existing information security managers and candidates to have this type of well-rounded knowledge.  Entry level?  Not sure that's as good an argument, but it doesn't hurt.  I perceive the CISSP as a qualifier similar to that of a Bachelor's; it proves that you have the critical thinking skills of someone who is managing the information workspace.


---
Andrea Stansbury- CISSP
Steve-Wilme
Advocate II

Now this is not bragging, but 3 colleagues and myself all passed the CISSP after self studying for 7-8 days.  It really isn't as hard as is made out.  On the other hand I've seen HR departments reject or not forward on candidates with MSc degrees in Information Security.  It should be fairly clear which involves the most effort to obtain and which is in the most depth.  It's the plethora of InfoSec qualifications and the unwillingness to set a realistic entry point that is the problem.

 

Why wouldn't an organisation demand a good IT-based degree, technical qualification and some professional security qualifications for a position listed as graduate trainee or apprentice, if they can get away with it?  And believe me they try, offering positions at £25K requiring these qualifications and then either harping on about the skills shortage or the lack of practical experience of the applicants.  If they had the 4-5 years' experience they wouldn't be a trainee!  Surely a better approach is to hire people for their potential, and train and mentor them to become competent InfoSec professionals over time.

 

-----------------------------------------------------------
Steve Wilme CISSP-ISSAP, ISSMP MCIIS
rslade
Influencer II

> Steve-Wilme (Contributor II) posted a new reply in Career on 07-25-2019 02:50 AM

>   And believe me they try offering positions at £25K
> requiring these qualifications and then either harp on about the skills shortage
> or the lack of practical experience of the applicants.

Amen and amen.

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
When Oscar Wilde asked Sarah Bernhardt whether she minded if he
smoked, she replied `Oscar, I don't mind if you burn.'
- https://twitter.com/InterestingLit/status/386204202071904256
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://is.gd/RotlWB

............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
Caute_cautim
Community Champion

@rslade With or without the strings?

 

Regards

 

Caute_cautim


@rslade wrote:
> Steve-Wilme (Contributor II) posted a new reply in Career on 07-25-2019 02:50 AM

>   And believe me they try offering positions at £25K
> requiring these qualifications and then either harp on about the skills shortage
> or the lack of practical experience of the applicants.

Amen and amen.

CraginS
Defender I


@Caute_cautim wrote:

HI All

 

https://www.peerlyst.com/posts/is-cissp-worth-it-nathan-chung-cissp-giac-gsec-ccsk

 

There is an interesting discussion on Peerlyst as to the relevance of the CISSP and its worth.

 

What do others think?

 

Regards

 

Caute_cautim


First, I believe the CISSP is a worthwhile certification, and am glad I completed mine back in 2002. That said, I blame both (ISC)2 and a subset of CISSPs for grossly overstating what the certification indicates. When both the organization and some CISSPs represent it as meaning that the holder is an expert on all aspects of information security, they do us all a disservice. The results of that deception are that employers have made CISSP a filter for hiring in totally inappropriate situations, and individual CISSPs have taken on jobs they were not really qualified for, such that their poor performance damaged the reputation of all CISSPs and the certification itself.

 

The CISSP certification process does not ensure a CISSP is truly expert in anything. The experience requirement should (but may not actually) show that the holder is knowledgeable and capable at above journeyman level in at least two of the domains. The exam ensures that the holder is sufficiently aware of the breadth and content of the domains that make up the multi-discipline information security environment. For years I have told aspirants that the exam should allow any CISSP to approach a professional engagement and determine which domains will be involved, and determine which specialties should take part. Yes, the CISSP is a management certification, not a performance certification. (In my opinion, SANS GIAC certifications are the "gold standard" of performance certifications in our field.) A CISSP should be able to identify for each engagement the need to either BE SMART, GET SMART, or HIRE SMART in order to complete all the tasks needed for the engagement; know what experts you need, and already be, become, or hire the right experts. 

 

Between 2000 and 2002, when I was studying for the exam, a CISSP colleague told me that CISSPs at Black Hat / DEFCON would hide the fact that they held the certification; if they were outed, they would apologize for having it and explain it was a job requirement. That situation changed after first U.S. Defense, and then other major institutions, formalized the requirement to hold relevant jobs.

 

On the subject of management versus performance certifications, note that ISACA's CISM is a direct competitor to the CISSP as a management certification. The CISM was designed for managers overseeing work by CISA auditors. In fact, when ISACA first introduced the CISM, any current CISSP could grandfather in (no exam) to a CISM by paying a fee and presenting a resume showing relevant infosec management experience. Also, (ISC)2 created the Associate of (ISC)2 status as a means of diverting young infosec workers into the (ISC)2 pipeline in lieu of the ISACA pipeline. 

 

Finally, I disagree with Steve @Steve-Wilme that the certification is akin to a college degree.  Completed degrees have no indication of continuous updating of knowledge and skills. The CPE requirement of CISSP, CISM, SSCP, CISA, all in accord with ISO 17024, is the linchpin to making any of these certifications an ongoing indication of currency in the field.

 

The above essay is from my blog, Randomness.  

 

D. Cragin Shelton, DSc
Dr.Cragin@iCloud.com
My Blog
My LinkedIn Profile
My Community Posts