cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Baechle
Advocate I

Tiering the SSCP and CISSP

 

I would like to propose a change to the prerequisite for qualifications:

 

I propose that the “Associate” status is dropped completely, and that a 3 or 4-year SSCP in good standing requirement be implemented prior to being qualified to sit for the CISSP.

 

The CISSP concentrations already follow this model.  It also provides a model where more technical and less experienced folks will experience a greater level of exam success.

 

This tiered model is similar to the Professional Engineer (“PE”) qualification that requires the applicant to pass a general engineering exam and serve as an Engineer In Training for a period of time before being qualified to earn the PE.

 

I believe that this would have several benefits for the community. 

 

First, it would re-elevate the CISSP prestige to a credential that is distinct in this industry but similar to other professions (Engineering, Accounting, etc.) as one that requires accumulating verifiable successful experience through passing an entry level test (through the SSCP) first, and then working in the field for a mandatory number of years before pinning on the flagship credential.

 

In my opinion and in my observations, the Associate CISSP qualification has diminished the relevance of the SSCP.  By dropping the Associate CISSP and making the SSCP a pathway to the CISSP would make the SSCP relevant both on its own again, and as a career pathway toward the CISSP.

 

Third, in my opinion and observation management and human resources professionals do not fully appreciate the difference in experience between the Associate CISSP and the full CISSP.  Both of these credentials appear to lay-persons as "the CISSP".  This sets up the CISSP for failure when Associate CISSPs, with significant CBK knowledge but not necessarily the experience, fail to perform to the level expected of CISSPs with years of experience.  Dropping the Associate CISSP would start a course correction for business and human resources leaders in how they view the capabilities and relevance of CISSPs.

 

 

Respectfully,

 

Eric Baechle

17 Replies
Shannon
Community Champion

@Baechle I wasn't aware of the fact that there's an 'Associate CISSP' status one can attain, so please send me a link of this to check out the same.

 

To my knowledge, anyone can take the CISSP exam without meeting experience pre-requisites, but clearing the exam only entitles you to the status of 'Associate of (ISC)2' & not 'CISSP.' If someone simply clears the CISSP exam but doesn't get certified, he can't state 'CISSP' on a resume; just 'Associate of (ISC)2.' Even if a CISSP is claimed, it would be negated when a potential employer attempts to validate it on the (ISC)2 site.

 

However, if there is indeed an 'Associate CISSP' status, then yes, it can cause confusion, so (ISC)2 should address this as you suggested.

 

 

 

 

 

 

 

 

Shannon D'Cruz,
CISM, CISSP

www.linkedin.com/in/shannondcruz
Baechle
Advocate I

@Shannon,

 

Shannon,

 

I appreciate your input.  I apologize for not tailoring my initial message more toward this audience.  So, please allow me a moment to clarify. 

 

I fully understand that what I stated before is not a construct currently offered by (ISC)^2.  What I was offering was my observations about how (ISC)^2’s current construct is understood by people outside of the community, and how it is being both abused and causing confusion about the skill sets of CISSP holders and folks that “just passed the exam”.

 

Let’s start with some definitions.

 

Associate of (ISC)^2.  This is the official title conferred on someone who passes an exam of any caliber from (ISC)^2 but lacks the requisite experience to qualify for that certification (assuming that they don’t have some other (ISC)^2 certification that they were previously conferred).

 

CISSP.  This is the official title conferred on someone who passes the CISSP exam, the experience audit, with the required number of endorsements. 

 

Associate CISSP.  This is what a non-(ISC)^2 affiliated Human Resources or organizational executive thinks is conferred upon someone who passed the CISSP exam and then chooses to be conferred the Associate of (ISC)^2. 

 

I can give you a direct example from the DoD’s 8570 requirements for certification.  They posit in their structure that someone at various levels must possess a CISSP certification, or based upon your points here be an “Associate of (ISC)^2” either by passing the SSCP, CCSP, or any other lesser or irrelevant exam without the experience to qualify for the CISSP.  In fact, this misunderstanding encourages people to take easier exams and fail to certify their experience so that they can attain the Associate of (ISC)^2 status to be equivalent to a CISSP.

https://iase.disa.mil/iawip/Pages/iabaseline.aspx

 

You’ll note that it also indicates the SSCP, but doesn’t say “or Associate”.  This confounding is prevalent both in the federal government and among folks in private business that are looking for certified people.

 

There is a problem with your conjecture that this is all solved by having an independent verification process.  You are assuming that the Human Resources person doing that validation has some formal knowledge of the (ISC)^2 construct.  Let met give you a scenario that is in my opinion quite a bit more accurate:

 

  • Applicant lists "Associate CISSP" on their resume or something to the effect of, "Associate of (ISC)^2 (CISSP)".
  • Human Resources goes to validate the applicant's status which shows, "Associate of (ISC)^2".  
  • Human Resources asks the applicant to provide proof of their CISSP status.
  • Applicant forwards their exam results.
  • Human Resources, not understanding the intracacies of CISSP vs. Associate of (ISC)^2, assumes this means that the person has the requisite experience and endorsements.

The thing is here, you can pass the CISSP exam - but you can be so bad at your job that nobody would endorse you even if you have the years of experience.  That's part of the reason why I think there should also be an apprenticeship portion of the qualification process, where you work under an already-qualified CISSP for a number of years.

 

 

Shannon
Community Champion

Wow. Frankly, I wasn't aware of this. It definitely degrades the CISSP certification, & adversely impacts the holders. 

 

(ISC)2 could go about addressing this on multiple ways, including :

 

  1. Making the entitlement specific, so that instead of just 'Associate of (ISC)2' it says  'Associate of (ISC)2 for CISSP' or 'Associate of (ISC)2 for SSCP' to make it very clear.
  2. Adding a note on the validation page, clearly stating something like: The Associate of (ISC)2 has cleared the exam for the corresponding certification, but the required experience for it has not been not been confirmed by us.
  3. Removing the (Associate of ISC)2 status entirely.

They can make use of 1, 2, 1 AND 2, or 3 for this. I'm not sure about whether the Associate of (ISC)2 is already specific. If it is, then 1 can be ignored.

 

(On the side of recruiters, it's up to them to do their homework; unfortunately that rarely happens.)

 

I wouldn't want to see the SSCP becoming a mandatory prerequisite for the CISSP, because someone who's already got relative experience shouldn't have to take an SSCP exam ---- the subject knowledge is confirmed once you clear the CISSP exam.

 

Instead, the option to use other certifications to waiver experience should be amended by (ISC)2, so as to properly assign 'weights' to each certification. (In the current system, someone holding an MCSA can waiver 1 year just as easily as someone with an SCP, which I feel is very strange.  Smiley Surprised

 

The requirements can be amended so that the number of certifications acceptable for a waiver varies with their weight, something like this: -

 

At least 1 of the following certifications: SSCP, CASP, CISM, CCSP

 

OR

 

At least 2 of the following certifications: MCITP, CCNP Security, CWSP

 

OR

 

At least 3 of the following certifications: MCSE, MCSA, CCNA Security, Security +, CEH

 

(I've just listed a few certifcations, obvously (ISC)2 will have to thoroughly review what's already on the list and assign the weights to them)

 

 

Shannon D'Cruz,
CISM, CISSP

www.linkedin.com/in/shannondcruz
Baechle
Advocate I

Shannon,

 

I agree with your point that Human Resources and Hiring Managers should be on the hook to do their research of an applicant.  I would also like to make the following point:

 

Who is the Certification for? 

 

I believe the Certificate is for the Human Resources and Hiring Managers, and the certification construct should be such that benefits their ability to properly evaluate and select applicants; or reward existing employees. 

 

The certificate holder obviously benefits because they have a badge of authority on a subject matter.  But a knowledgeable person could easily engage in a discussion to prove their knowledge.  So, the real benefit to the certification is to show lay-persons that their subject of scrutiny has actually achieved some level of recognition and authority.  We should make that easier on folks… otherwise WE are the ones devaluing the CISSP and making it an anecdotal item to flash around (ISC)^2, ISSA, and the like Chapter Meetings.

Shannon
Community Champion

Yes, that's very true, Eric. I suppose all we can do for now is hope that (ISC)2 will do the needful.  

 

Shannon D'Cruz,
CISM, CISSP

www.linkedin.com/in/shannondcruz
mgoblue93
Contributor I

Wow. Frankly, I wasn't aware of this. It definitely degrades the CISSP certification

 

How?

 

They passed the test!!!

 

CISSP is degraded for other reasons.

mgoblue93
Contributor I


I think there's some good rationale in what is written but not so sure if the targets aren't misplaced

> propose that the “Associate” status is dropped completely

Why? That just hurts otherwise qualified people as they work to gain professional experience. Case in point. I hired a computer science college grad. He took the CISSP within 6 months of graduation. He passed. He earned it. Why shouldn't he be allowed to be called an "Associate" until he can get more time getting paychecks?

> re-elevate the CISSP prestige to a credential that is distinct in this industry

I've been critical the CISSP process -- the cert certainly isn't distinct from where me and my peers sit according those around us and who are more experienced.

What got me to reply to your post though is the rationale stated -- "this tiered model is similar to the Professional Engineer (“PE”)"

If a "PE" tier is your model, then CISSP wouldn't be your target. It's NOT an engineering certification. Hasn't been for a while (if it ever was pre-8570.1) either. I think it's certainly debatable that a significant sample size of CISSP holders use their computers professionally just for the internet and email (which is the root of a lot of my criticism).

If you want to re-establish CISSP as something more meaningful, why not make programmatic changes rather than organizational ones (re: eliminating the associate):

1. Industry and the certifying authority needs to clearly communicate just exactly what is the CISSP for? 8570.1, for example, implies it's a technical cert. I'll pick on 8570.1 because it's a good example of what caused membership to skyrocket. Part of the cert is having demonstrable domain experience to earn it. But the reality of it is just the opposite.

2. There's no accountability in the community for this cert. You mention other professionals as models for what the CISSP should be. But there's no transparency in the testing and certification process like there is in other industries where professionals have to be licensed or boarded. But the only method for accountability in this realm is a self-signed ToS and a completely unknown endorsement from another member.

3. Is the board of a certifying authority composed of industry, knowledgeable, folks or is it business and marketing people?

I don't know -- just my $0.02 worth. I'd like the see the CISSP get some of its cachet back. I just didn’t think the root causes (RE: re-elevate the CISSP prestige) were previously addressed.

 

Baechle
Advocate I

Christopher,

 

Thanks for your comments!

 

I think dropping the Associate makes sense from a consumer perspective, because the SSCP is a full certification vs acknowledgement you've passed a test. 

 

Instead of paying annual maintenance fees based on the exams we took, I think Associate status should be something you get by paying flat membership dues.  I think it should grant the Associate access to these forums where they can engage with certified members.  I also think there should be distinct forums here based upon the lines of certifications - so a Forum for Healthcare IT Security Matters a Forum for Cloud IT Security Matters, etc. based around the certification lines - where noncertified Associates can correspond with the community of certification holders relevant to their specializations.  And this basic Associate membership should be somewhat of the basis for getting the journal either electronically or in print.  I think that a flat membership fee should then turn around and grant discounts on official (ISC)^2 products like the CBK books and the like.  Finally, I think that Associate status should be the starting point - and that a certification candidate have their work experience and endorsements evaluated before they are authorized to sit for one of the exams - a process that the Associate dues pay for.

 

But, that is getting a little off topic.

 

🙂

 

Baechle
Advocate I

Shannon (@Shannon);

 

I know it's been a while since we moved this conversation along, but I wanted to point something out here.

 

This was the title of a post in another thread about someone asking for advice about which certification path to pursue:  CISSP Associate or SSCP

 

As you can see the perception problem is there.

 

Sincerely,

 

Eric B.