One would think that if someone posts seeking aid after failing to pass, AND asks for help in trying to discern what concepts they did not understand, then many would rise to the occasion and provide their thoughts and recommend sources of information (ethics would come into play; "advance and protect the profession" comes to mind). In other threads I have seen posts and responded to questions seeking information with regard to what to study. Therein lies some of the issue: I have tons of material for the different exams and always explain that the materials should be used to enhance and strengthen one's subject knowledge.
However, there are individuals who do not or are not willing to dedicate the time and effort required to actually learn or understand the concepts required. For example, I spoke with an individual just yesterday about stepping up his game and earning a certification above his current CASP certification, or at least taking some college classes. His response was: did I know of any certifications for which he could just memorize exam questions and then just take the exam and pass? College classes were dropped completely from the conversation as he has no time for them. I excused myself from the conversation completely at that point.
Which is the underlying concept of this entire thread: "Then Why Bother." If the mindset of an individual is to memorize the material yet have no real understanding of the concepts, would you want them as a co-worker, or better yet a supervisor? What about when you give them the materials and the understanding that they need to know the concepts, and they spend little to no time on learning or reviewing the material, fail the exam, and then come back to you complaining about how it was just an English test?
I do, however, get the gist of your post and thoughts, and yes, you are correct that much of the information in any post(s) is opinion based, "until it is supported by facts."
I would like to say, based on my own opinion, that after doing some research the following may provide insight into your questions.
Time required (sacrifice), money (return on investment), and I am sure there are other reasons which would further fortify the reasons for the scoffs and laughs. However, I have recently given a class to some co-workers at the request of senior management at our enterprise on earning high level certifications, and witnessed the attitudes you describe. I started out by asking for data such as how many in attendance had a Security+, CASP, CISA, CISM, etc. Once all of that information was provided, I had them focus their attention on the averages just for our enterprise, which I had calculated based on training records and information from HR.
There were a lot of laughs until I presented them with a pay chart which the CEO had provided.
Silence fell across the room when they found out why they were not getting promoted, were unable to move into other departments, and were not being sent to training they felt they deserved or being paid as much as others in the department (compared to those who have higher level certifications, degrees, or both).
There are other certifications which may have a better return on investment. However, the requirement of time, money, and passing the exam is still present.
If one knows everything there is to know, then what can they be taught, and who is qualified to teach them?
If one seeks instant gratification in all things then what is left upon reaching that moment of gratification?
Has the CISSP become devalued? Based on the number of individuals in our enterprise now seeking to get vouchers for the exam, I would say no.
Again, this is my opinion. However, it is based on statistics from our enterprise of 35,000 people, 4 time zones, and geographically dispersed locations.
The negativity is out there. I am glad you have not experienced it. Hmmm, regional thing? I would have to think not. The enterprise in which I currently work is global, and I do mean global. It is not hard for me to hear someone complain on a daily basis about why they need a certification, a higher level certification, a college degree, or especially how much of a waste it is to try and pass the CISSP English exam. I travel a lot, and in the last three years I have seen my family for six weeks in total. So, for me to listen to them give all the reasons why they don't have time and can't pass the exam actually falls on deaf ears. I don't have the time to deal with the "gimme, gimme" something for nothing crowd. The individuals who I find are most happy with their life and career choices are those who understand sacrifice. They may not have the job they want, but they have a job.
They may not make the money they want, but they are making money. Choices, balance, sacrifice, work ethic, pride in themselves, and desire: things that make an individual want to be a better person, even if it is for self-serving purposes. Self-serving, meaning ultimately they can get to that level where they want to be in life.
I sincerely apologize if I communicated that I think the exam has ever been diluted. If anything it’s gotten harder to pass purely from a knowledge retention perspective.
What I was trying to communicate is that the CISSP, in its younger days, was not the first certification people attempted in their careers. In my observation, when I sat for the exam, nearly everyone in the room with me was mid (10+ years) or senior (20+ years) career folks – but now we have the Associate of (ISC)^2.
At 4 years of experience, a person is just barely beyond entry level and in the full-performance spectrum of their current occupation. I feel like the CISSP is getting hijacked by really smart tech people that lack the business experience and maturity to effectively function where the CISSP matters – in communicating actual risk and risk mitigation strategy by speaking both the technical and business languages.
That’s where we get people holding up their CISSP lapel pin as if it were the Ark of the Covenant, regurgitating that entropy and length are all that matter in assigning password complexity requirements for the last 20 years – but failing to account for the fact that there are mitigations against interface brute force attacks (account lockouts, minimum time between retries, etc.), that in order to do an offline attack the attacker has already obtained Administrator level access to download your password file, and that nobody beyond the "Security Boffin" is going to remember a password longer than 6 or 7 characters before writing them on sticky notes all over their office.
I believe that the Associate of (ISC)^2 contributes to the dilution of the value of (ISC)^2's credentials. This also contributes to the dilution of the entire security profession. Attaining the CISSP in 4 or 5 years should be the exception, not the ordinary.
The problems that you’ve brought up are pervasive. They’re pervasive across industries, and they’re pervasive across job roles. And they get worse the more leadership attempts to apply lean management by treating human employees like machines that never aspire to be or do anything other than what they’re doing today.
That leads me to another question about your coworkers and employer. Are they required to hold the CISSP? Is the CISSP going to be a function of improving their current job performance, or is another, perhaps vendor-specific certification more applicable to their current job? Is the CISSP more about finding another position, rather than moving to an available opening in their current organization?
Would you expect the employer to support someone improving their skills for an organizational need that currently exists? What about supporting or paying for the development of skills for a person that is going to leave as soon as they’ve obtained them?
I am not offended by your posts. These forums are intended for open dialogue, so I welcome your comments. I recall when I was an undergraduate and there was this young PhD. Other faculty were openly hostile towards her, but I thought that she represented a refreshing change.
These mid-level professionals by and large will do well, and we should be supporting them. We had a slower learning pace than these up-and-coming professionals. They will learn from us if they are wise, but I also learn new methods from them. We must churn out Security Professionals faster than we did when we were in our 20s and 30s. In this professional space, there’s plenty of opportunity and prosperity for us all.
I agree with some of the concept you're applying here. My disagreements - the certification here is not a socialist welfare system designed to assist people getting jobs that we should somehow make more attainable. My agreements - I think that there are enough actual SSCPs and CISSPs out there that there should be some kind of apprenticeship system.
I know a handful of folks that had to dodge and weave to get their endorsements because none of the current CISSPs in our organization would endorse them after they passed the test. They were smart - they passed the test. They were not mature enough to wield the credential and then went about butchering both security and operational efficiency in the name of whatever industry catch phrase made them seem like an expert that day.
Let's look at the experience requirement. Why does a 4-year degree only accept for 1 year of experience?
Anyone can get a degree without actual work experience. Academics is theory, but experience is practice. A person may obtain a graduate degree without experience. In many cases folks obtain a Master of Business Administration ("MBA") but land only entry level jobs in big business because their prior career experience was "Student" and part-time "Fry Cook" even if they had a 6 month internship with a Fortune 500 business and did a lean re-engineering project as part of their Capstone.
If you want a foot in the door, go get a Bachelor of Science degree in IT and then take the SSCP. That's what they are there for. I don't see this as taking away pie - I see this as starting off with a basic Chocolate Mousse pie before plunging into a Kentucky Chocolate Bourbon and Walnut pie and deciding you're too young for the alcohol and are allergic to Walnuts.
Well, that may be a perfect example of someone who has no business holding any certification.
If the subject of your scenario there used one of those programs that just shower you with questions that past test-takers memory dumped, then it’s likely that they obtained the CASP (and any of their other qualifications) fraudulently.
That’s the epitome of what we’re talking about here. Folks that do the bare minimum to meet the academic requirement but in the process and throughout their career afterward ignore the ethics and standards requirements. You know the type – the ones that use CPE training and conferences as vacations, signing attendance rosters but not actually attending, etc.
It seems as though you are arguing for completely removing the experience requirement and making it a knowledge-only exam for the sake of refreshing the ranks.
With respect, there are other certifications for this purpose. The SSCP (that has only one year of experience required – or less with a degree), Security+ and CASP (where the experience requirements are recommended rather than required), the GSLC (which shares many CISSP-CBK points but has no experience requirement), etc.
Also, being a leader involves different traits than the technical skills you can learn from a study guide. Encouraging and soliciting ideas to solve problems is a trait of good leadership. It's not really a technical skill. The thing that made the CISSP more valuable among my cohort than the GSLC, for example, was that the experiential requirement of the CISSP encouraged applicants to take the time to develop those skills you don’t get from a study guide.