Community Champion

Shall We Call a Truce?

Why is it that technical professionals continue to dismiss the role of GRC in information security? I am certain that I would have long left this earth before an agreement could be reached on this topic – it’s just that BAD! A security professional with a CISSP certification doesn’t necessarily do the same job as a security professional with an Offensive Security Certified Professional (OSCP) certification. Notice how I properly designated both as security professionals? Furthermore, a person with the OSCP probably shouldn’t pursue the CISSP – can I say that? For the roles are completely different, and a security professional, no matter their degree of intelligence, will never be an ace of all security domains. There’s a false assumption that a CISSP is somehow a master in all things security. I wish that we’d do a better job as an organization at communicating what a CISSP is, and what a CISSP does.


In my opinion, candidates who have no interest in a CISO or similar management role should not pursue the CISSP. Though the CISSP will help ANY security professional in their careers, those who have no interest in security supervisory roles could have spent that time and effort pursuing more technical certifications.

Lamont Robertson
M.S., M.A., CISSP, CISM, CISA, CRISC, CDPSE, MCSE
6 Replies
Community Champion

Re: Shall We Call a Truce?

I wasn't aware that there was any beef between technical security and GRC folks ongoing; I thought we were in a grand alliance to crush the Heretics of Resilience and their running dog lackeys, the Enterprise Architects... 😉


I'd take it that certifications provide a certain amount of information for employers and colleagues about a candidate or co-worker in terms of knowledge, experience etc., but to really get an idea of capability I think getting that person to show you what they can do, be it popping a box or writing a security policy, and getting them to do it over time and multiple engagements is how you get an idea of what they are doing.


CISSP to me is a pretty broad certification and it provides useful vocabulary, terms of reference and insight into the goals and methodologies of other professionals. I'd say that just limiting it to supervisors (such as CISOs) would miss out on the widespread sharing of the CBK that benefits folks. A lot of 'techies' might hold CISSP, and a lot of folks with CISSP might be practitioners of Web Application Testing, Pen Testing or red teaming. I don't see that as a problem, so much as a useful bridge.


I think that it's a good idea to try to avoid boiling folks down to just the certification where possible; you, I or another might be a CISSP, and whilst it is useful shorthand I don't think it needs to define us, or that we should need to define who should take it. Inch thin/mile wide and all that.

Community Champion

Re: Shall We Call a Truce?

DoD is requiring certifications of many contractors. CISSP covers roughly 90% of this. "CISO or other management roles" isn't part of the equation.


I am one of these. I know many others that are in the same category. My function on the task I am currently supporting is ISSE.

Community Champion

Re: Shall We Call a Truce?

@Flyslinger2 wrote:

> DoD is requiring certifications of many contractors. CISSP covers roughly 90% of this. "CISO or other management roles" isn't part of the equation.

DoD has IAM (Management) and IAT (Technical) designations, so yes, Management does factor into the equation. I served for over 26 years in the military, and I have provided guidance on DoD 8570 designations. The DoD 8570 actually informs my opinion about the different certifications, and the roles and functions they play in a multitude of technical and management occupations in organizations.

Lamont Robertson
M.S., M.A., CISSP, CISM, CISA, CRISC, CDPSE, MCSE
Community Champion

Re: Shall We Call a Truce?

> Lamont29 (Contributor II) posted a new topic in Certifications on 09-16-2018

> Why is it that technical professionals continue to dismiss the role of GRC in
> information security?

A truce? Never! UNIX is the one, true oper ... wait ...

WIMP will never have the power of the comma ... wait ...

You think there's a battle between admin and the techies?

OK, I admit, we've long made jokes about beards and suits. (The suits manage
what they don't understand, and the beards understand what they can't manage.)
And, yeah, when I do seminars I start with security management to scare all the
hotshot geeks into realizing that they need to know the management parts.

But surely anybody who has actually passed the exam realizes that you need to
know both.

And, yeah, we get constant complaints from techies that the exam is too
management oriented, and from managers that it's too technical. Which probably
means it's about right.

> a security
> professional, no matter their degree of intelligence, will never be an ace of
> all security domains.

True. But they should know enough about all to be able to talk to a specialist in
any particular area.

> There's a false assumption that a CISSP is somehow a
> master in all thing's security.

Hey, there are always false assumptions about the CISSP. Mostly by people who
don't want to take the time to figure things out, and want to pick fights.

>   In my
> opinion, candidates who have no interest in a CISO or similar management role
> should not pursue the CISSP.

I've never been a CISO, and I doubt that I'd want the role. I've been a manager, I
like aspects of it, and I do management consulting as well.

> Though the CISSP will help ANY security
> professional in their careers, those who have no interest in security
> supervisory roles could have spent that time and effort pursuing more technical
> certifications.

There are plenty of professionals who aren't supervisors.

rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
victoria.tc.ca/techrev/rms.htm http://www.infosecbc.org/links
http://blogs.securiteam.com/index.php/archives/author/p1/
http://twitter.com/rslade
