Lamont29
Community Champion

Shall We Call a Truce?

Why is it that technical professionals continue to dismiss the role of GRC in information security? I am certain that I would have long left this earth before an agreement can be reached on this topic – it’s just that BAD! A security professional with a CISSP certification doesn’t necessarily do the same job as a security professional with an Offensive Security Certified Professional (OSCP) certification. Notice how I properly designated both as security professionals? Furthermore, a person with the OSCP probably shouldn’t pursue the CISSP – can I say that? For the roles are completely different, and a security professional, no matter their degree of intelligence, will never be an ace of all security domains. There’s a false assumption that a CISSP is somehow a master in all things security. I wish that we’d do a better job as an organization at communicating what a CISSP is, and what a CISSP does.

 

In my opinion, candidates who have no interest in a CISO or similar management role should not pursue the CISSP. Though the CISSP will help ANY security professional in their careers, those who have no interest in security supervisory roles could have spent that time and effort pursuing more technical certifications.

Lamont Robertson
M.S., M.A., CISSP, CISM, CISA, CRISC, CDPSE, MCSE
6 Replies
Early_Adopter
Community Champion

I wasn't aware that there was any beef between technical security and GRC folks ongoing, I thought we were in a grand alliance to crush the Heretics of Resilience and their running dog lackies the Enterprise Architects... 😉

 

I'd take it that certifications provide a certain amount of information for employers and colleagues about a candidate or co-worker in terms of knowledge, experience etc. - but to really get an idea of capability I think getting that person to show you what they can do, be it popping a box or writing a security policy, and getting them to do it over time and multiple engagements is how you get an idea of what they are doing.

 

CISSP to me is a pretty broad certification and it provides useful vocabulary, terms of reference and insight into the goals and methodologies of other professionals. I'd say that just limiting it to supervisors (such as CISOs) would miss out on the widespread sharing of the CBK that benefits folks. A lot of 'techies' might hold CISSP, and a lot of folks with CISSP might be practitioners of Web Application Testing, Pen Testing or red teaming. I don't see that as a problem, so much as a useful bridge.

 

I think that it's a good idea to try to avoid boiling folks down to just the certification where possible; you, I or another might be a CISSP, and whilst it is useful shorthand I don't think it needs to define us, or that we should need to define who should take it. Inch thin/mile wide and all that.

 

 

Flyslinger2
Community Champion

DoD is requiring certifications of many contractors. CISSP covers roughly 90% of this. "CISO or other management roles" isn't part of the equation.

 

I am one of these. I know many others that are in the same category. My function on the task I am currently supporting is ISSE.

Lamont29
Community Champion


@Flyslinger2 wrote:

> DoD is requiring certifications of many contractors. CISSP covers roughly 90% of this. "CISO or other management roles" isn't part of the equation.

DoD has IAM (Management) and IAT (Technical) designations, so yes, Management does factor into the equation. I served for over 26 years in the military, and I have provided guidance on DoD 8570 designations. The DoD 8570 actually informs my opinion about the different certifications, and the roles and functions they play in a multitude of technical and management occupations in organizations.

Lamont Robertson
M.S., M.A., CISSP, CISM, CISA, CRISC, CDPSE, MCSE
rslade
Influencer II

> Lamont29 (Contributor II) posted a new topic in Certifications on 09-16-2018

> Why is it that technical professionals continue to dismiss the role of GRC in
> information security?

A truce? Never! UNIX is the one, true oper ... wait ...

WIMP will never have the power of the comma ... wait ...

You think there's a battle between admin and the techies?

OK, I admit, we've long made jokes about beards and suits. (The suits manage
what they don't understand, and the beards understand what they can't manage.)
And, yeah, when I do seminars I start with security management to scare all the
hotshot geeks into realizing that they need to know the management parts.

But surely anybody who has actually passed the exam realizes that you need to
know both.

And, yeah, we get constant complaints from techies that the exam is too
management oriented, and from managers that it's too technical. Which probably
means it's about right.

> a security
> professional, no matter their degree of intelligence, will never be an ace of
> all security domains.

True. But they should know enough about all to be able to talk to a specialist in
any particular area.

> There's a false assumption that a CISSP is somehow a
> master in all thing's security.

Hey, there are always false assumptions about the CISSP. Mostly by people who
don't want to take the time to figure things out, and want to pick fights.

>   In my
> opinion, candidates who have no interest in a CISO or similar management role
> should not pursue the CISSP.

I've never been a CISO, and I doubt that I'd want the role. I've been a manager, I
like aspects of it, and I do management consulting as well.

> Though the CISSP will help ANY security
> professional in their careers, those who have no interest in security
> supervisory roles could have spent that time and effort pursuing more technical
> certifications.

There are plenty of professionals who aren't supervisors.

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
I have always been waiting for something better -- sometimes to
see the best I had snatched from me. - Dorothy Reed Mendenhall
victoria.tc.ca/techrev/rms.htm http://www.infosecbc.org/links
http://blogs.securiteam.com/index.php/archives/author/p1/
http://twitter.com/rslade

............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
dcontesti
Community Champion

@Lamont29 

 

As I read your note, I see three arguments:

 

1. ISO vs. GRC

2. CISSP vs. OSCP

3. CISSP vs. technical certification.

 

1. ISO vs. GRC: So having sat on both sides of this fence I can share my experience. Back before (yes there was a time) GRC became a hot topic (I qualify this as I was in discrete manufacturing), I was an ISO and concerned with ensuring the bad guys didn't get in. To do this, I didn't need to be technical and know everything in Security, but I did need to understand the technologies (at the 1 inch level) so that I could ask the right questions of the technical folks and in a lot of cases convert what they said into management speak.

 

Then came the first of the GRC requirements that were relevant to us. It was confusing and took time away from the techies. This was our biggest complaint. It was time that had not been planned, nor was it time that we could afford to take away from supporting the infrastructure. So now we were forced to provide evidence that we were doing our jobs. The argument was and probably still is: we are protected, we have had no incursions, we have no time to fill in these silly requests. Of course the argument on the other side: it's the law and we have to prove to the auditors that we are compliant and complying.

 

I was amazed the first go-around how we skirted issues and sometimes let "little" things slip.

 

I moved from being the ISO to being the "GRC guru" as the laws expanded and began touching us more and more. This was an eye opener for me and I did rely heavily on my CISSP and my ISSMP. I even took a course in audit so that I could understand the methodologies. I now found myself on the other side of the fence and I am sure having darts thrown at my picture (LOL).

 

My job was to ensure that we were compliant with the regulations, but I also learned that I needed to educate the techies on why it was important: that not only was keeping the intruders away from the door required, but keeping the corporation in line with the legal requirements was important too (and in most cases saved fines).

 

Eventually, we were able to work with management so that they understood that each round of audits took x% of an FTE from doing what the techie needed to do, and we were able to increase staffing (not a simple feat but actually doable).

 

So I don't think that the techies dismiss the role of GRC (maybe some do), but for the most part I think it may have something to do with the perceived time away from doing what I need to do and not understanding the legal ramifications. So we need to educate both sides of the argument (one, that technical issues are important, but also why the legal side is).

 

2. CISSP vs. OSCP: As to your question on whether a CISSP should get an OSCP or vice versa, I do not see a reason why not. As one grows in their profession, the roles/interests may change. The company may move someone due to a number of reasons, and gaining more education may be the only way to stay relevant.

 

3. CISSP vs. technical: Yes, they can spend time on technical certifications, but it is also helpful to be able to talk to others in Security. Also, sometimes it is difficult to decide which technical certificate to attain (do I do Cisco training, do I do Checkpoint training, do I go after product x training). One of the larger questions is do I have a firm basis to begin/continue my career... technical certificates provide a window into a small area of security, maybe firewall management or network management or UNIX management, etc., but sometimes do not provide insight into other areas. I see these certs as being complementary to each other, and I believe there are other certs that will also complement/augment the technical cert.

 

Now I will get down from my soap box.

 

Regards

 

Diana Contesti

Lamont29
Community Champion

I really like your share Diana... that was good!
Lamont Robertson
M.S., M.A., CISSP, CISM, CISA, CRISC, CDPSE, MCSE