One would think that if someone posts seeking aid after failing to pass, AND asks for help in trying to discern what concepts they did not understand, then many would rise to the occasion and provide their thoughts and recommend sources of information (ethics would come into play); "advance and protect the profession" comes to mind. In other threads I have seen posts and responded to questions seeking information with regard to what to study. Therein lies some of the issue: I have tons of material for the different exams and always explain that the materials should be used to enhance and strengthen one's subject knowledge.
However, there are individuals who do not, or are not willing to, dedicate the time and effort required to actually learn or understand the concepts required. For example, I spoke with an individual just yesterday about stepping up his game and earning a certification above his current CASP certification, or at least taking some college classes. His response was: did I know of any certifications for which he could just memorize exam questions and then take the exam and pass? College classes were dropped completely from the conversation as he has no time for them. I excused myself from the conversation completely at that point.
This is the underlying concept of this entire thread: "Then Why Bother." If the mindset of an individual is to memorize the material yet have no real understanding of the concepts, would you want them as a co-worker, or better yet a supervisor? What about when you give them the materials and the understanding that they need to know the concepts, and they spend little to no time on learning or reviewing the material, fail the exam, and then come back to you complaining about how it was just an English test?
I do, however, get the gist of your post and thoughts, and yes, you are correct: much of the information on any post(s) is opinion based, "until it is supported by facts."
I would like to say that, based on my own opinion, after doing some research the following may provide insight into your questions.
Time required (sacrifice), money (return on investment), and I am sure there are other reasons which would further fortify the reasons for the scoffs and laughs. However, I have recently given a class to some co-workers, at the request of senior management at our enterprise, on earning high level certifications, and witnessed the attitudes you describe. I started out by asking for data such as how many in attendance had a Security+, CASP, CISA, CISM, etc., etc. Once all of that information was provided I had them focus their attention on the averages just for our enterprise, which I had calculated based on training records and information from HR.
There were a lot of laughs until I presented them with a pay chart which the CEO had provided.
Silence fell across the room when they found out why they were not getting promoted, were unable to move into other departments, and were not being sent to training they felt they deserved or being paid as much as others in the department (compared to those who have higher level certifications, degrees, or both).
There are other certifications which may have a better return on investment. However, the requirement of time, money, and passing the exam is still present.
If one knows everything there is to know, then what can they be taught, and who is qualified to teach them?
If one seeks instant gratification in all things then what is left upon reaching that moment of gratification?
Has the CISSP become devalued? Based on the number of individuals in our enterprise now seeking to get vouchers for the exam, I would say no.
Again, this is my opinion. However, it is based on statistics from our enterprise of 35,000 people, 4 time zones, and geographically dispersed locations.
The negativity is out there. I am glad you have not experienced it. Hmmm, regional thing? I would have to think not. The enterprise which I currently work in is global, and I do mean global. It is not hard for me to hear someone complain on a daily basis about why they need a certification, a higher level certification, a college degree, or especially how much of a waste it is to try and pass the CISSP English exam. I travel a lot, and in the last three years I have seen my family for six weeks in total. So, for me to listen to them give all the reasons why they don't have time and can't pass the exam actually falls on deaf ears. I don't have the time to deal with the "gimme, gimme" something-for-nothing crowd. The individuals whom I find are most happy with their life and career choices are those who understand sacrifice. They may not have the job they want, but they have a job.
They may not make the money they want, but they are making money. Choices, balance, sacrifice, work ethic, pride in themselves, and desire: things that make an individual want to be a better person, even if it is for self-serving purposes. Self-serving, meaning ultimately they can get to that level where they want to be in life.
I sincerely apologize if I communicated that I think the exam has ever been diluted. If anything it’s gotten harder to pass purely from a knowledge retention perspective.
What I was trying to communicate is that the CISSP, in its younger days, was not the first certification people attempted in their careers. In my observation, when I sat for the exam, nearly everyone in the room with me was mid (10+ years) or senior (20+ years) career folks – but now we have the Associate of (ISC)^2.
At 4 years of experience, a person is just barely beyond entry level and in the full-performance spectrum of their current occupation. I feel like the CISSP is getting hijacked by really smart tech people that lack the business experience and maturity to effectively function where the CISSP matters – in communicating actual risk and risk mitigation strategy by speaking both the technical and business languages.
That’s where we get people holding up their CISSP lapel pin as if it were the Ark of the Covenant regurgitating that entropy and length is all that matters in assigning password complexity requirements for the last 20 years – but failing to account for the fact that there are mitigations against interface brute force attacks (account lockouts, minimum time between retries, etc.) and that in order to do an offline attack, the attacker has already obtained Administrator level access to download your password file; and nobody beyond the "Security Boffin" is going to remember a password longer than 6 or 7 characters before writing them on sticky notes all over their office.
I believe that the Associate of (ISC)^2 contributes to the dilution of the value of (ISC)^2's credentials. This also contributes to the dilution of the entire security profession. Attaining the CISSP in 4 or 5 years should be the exception, not the ordinary.