The problems that you’ve brought up are pervasive. They’re pervasive across industries, and they’re pervasive across job roles. And they get worse the more leadership attempts to apply lean management by treating human employees like machines that never aspire to be or do anything other than what they’re doing today.
That leads me to another question about your coworkers and employer. Are they required to hold the CISSP? Is the CISSP going to be a function of improving their current job performance, or is another, perhaps vendor-specific certification more applicable to their current job? Is the CISSP more about finding another position, rather than moving to an available opening in their current organization?
Would you expect the employer to support someone improving their skills for an organizational need that currently exists? What about supporting or paying for the development of skills for a person that is going to leave as soon as they’ve obtained them?
I am not offended by your posts. These forums are intended for open dialogue, so I welcome your comments. I recall when I was an undergraduate and there was this young PhD. Other faculty were openly hostile towards her, but I thought that she represented a refreshing change.
These mid-level professionals by and large will do well, and we should be supporting them. We had a slower learning pace than these up-and-coming professionals. They will learn from us if they are wise, but I also learn new methods from them. We must churn Security Professionals faster than we did when we were in our 20s-30s. In this professional space, there’s plenty of opportunity and prosperity for us all.
I agree with some of the concept you're applying here. My disagreements - the certification here is not a socialist welfare system designed to assist people getting jobs that we should somehow make more attainable. My agreements - I think that there are enough actual SSCPs and CISSPs out there that there should be some kind of apprenticeship system.
I know a handful of folks that had to dodge and weave to get their endorsements because none of the current CISSPs in our organization would endorse them after they passed the test. They were smart - they passed the test. They were not mature enough to wield the credential and then went about butchering both security and operational efficiency in the name of whatever industry catch phrase made them seem like an expert that day.
Let's look at the experience requirement. Why does a 4-year degree only except 1 year of experience?
Anyone can get a degree without actual work experience. Academics is theory, but experience is practice. A person may obtain a graduate degree without experience. In many cases folks obtain a Master of Business Administration ("MBA") but land only entry-level jobs in big business because their prior career experience was "Student" and part-time "Fry Cook" even if they had a 6-month internship with a Fortune 500 business and did a lean re-engineering project as part of their Capstone.
If you want a foot in the door, go get a Bachelor of Science degree in IT and then take the SSCP. That's what they are there for. I don't see this as taking away pie - I see this as starting off with a basic Chocolate Mousse pie before plunging into a Kentucky Chocolate Bourbon and Walnut pie and deciding you're too young for the alcohol and are allergic to Walnuts.
Well, that may be a perfect example of someone who has no business holding any certification.
If the subject of your scenario there used one of those programs that just shower you with questions that past test-takers memory dumped, then it’s likely that they obtained the CASP (and any of their other qualifications) fraudulently.
That’s the epitome of what we’re talking about here. Folks that do the bare minimum to meet the academic requirement but in the process and throughout their career afterward ignore the ethics and standards requirements. You know the type – the ones that use CPE training and conferences as vacations, signing attendance rosters but not actually attending, etc.
It seems as though you are arguing for completely removing the experience requirement and making it a knowledge-only exam for the sake of refreshing the ranks.
With respect, there are other certifications for this purpose. The SSCP (that has only one year of experience required – or less with a degree), Security+ and CASP (where the experience requirements are recommended rather than required), the GSLC (which shares many CISSP-CBK points but has no experience requirement), etc.
Also, being a leader involves different traits than the technical skills you can learn from a study guide. Encouraging and soliciting ideas to solve problems is a trait of good leadership. It's not really a technical skill. The thing that made the CISSP more valuable among my cohort than the GSLC, for example, was that the experiential requirement of the CISSP encouraged applicants to take the time to develop those skills you don’t get from a study guide.