Even though people consider the CISSP cert useless, it is still better then what the current alternatives. Security+ and CEH are even worse. Though it is no excuse for not having a useful cert because all your "competeitors" are worse...
I disagree that being less shitty than the other shitty certifications is a vote for getting a CISSP.
Whenever people ask me if they should do it, there are pretty much two instances where I recommend it:
1.) You work in corporate security (maybe a CISO, or work for an internal security group within an organization) where you will actually have to deal with security across the many domains that the CISSP covers. Depending on where you work, it might either be required or strongly encouraged. In which case, I'd say, knock yourself out.
2.) You're looking for a job. There are a lot of places that list it as a requirement for a job, as it's one of the few things a recruiter or HR person can flag a resume for. Now, you might say to yourself "I'd never want to work for a place where they actually considered having a CISSP a requirement", to which I'd reply "Good for you, you've moved along the path of security zen". But the reality is, people need jobs. So if you need a job, and this is something that could get you a job (even a job that grizzled security veterans would sneer at), have at it.
Infosec is a young industry (birthed from a very anti-corporate community), and there isn't anyplace that any large number of people consider authoritative enough to offer a certification that isn't considered laughable. That may change in the future (it'd be nice), but I wouldn't bet on it.
If you're really just looking at getting a CISSP to get a job, however, I think you'd be much better off becoming a PCI QSA. You'd pretty much never be out of work. Weigh that against what doing PCI for a living does to your soul. Everybody needs to make that decision for themselves.
So the plus-side of having a CISSP is if you're looking for work, and the downside is attracting the ire of the security community (which may or may not bother you, depending on where you hang out at nights and on weekends). Also having to pay to keep it current, and not associating with any evil hackers (while at the same time having to submit CPE credits for attending conferences put on by evil hackers).
... on the other hand, since PCI QSA status only helps you if you work for a company that does PCI audits, getting that test might be a ticket to a pretty miserable job. It's not like a CISSP, which might help you (but won't) in a variety of different companies.
That is true. I think being a QSA would be a nonrefundable ticket to a miserable job (although I know some folks who came from doing government C&A's who are happy doing it).
I just meant that if it's really just a situation where having a job is more important than what that job is, I think you'll have an easier time finding work as a QSA.
EDIT: Actually, you know what, even with that said I retract my suggestion. You'd have to already be working for a company that is approved to even get your QSA, in which case it's not really applicable for a general person looking for a job. And it's terrible work.
I'm an ISO (Information Security Officer). I am responsible for IT security for a large organization.
I don't have a CISSP, although most other ISO's I know do. I've worked in security for about six years. It's a real mixed bag. Some ISO's are just high-level managers, while others are much more hands-on and technical. I do have several SANS GIAC technical certifications, although I don't consider those better or worse than a CISSP. Certs are really just a requirement if you want to work in IT security.
Like all certs, the CISSP is not a good measure of practical knowledge. I've met hundreds of people who hold various certs and various degrees. And none of that really matters.
What matters is prior computing experience and interest. Have they coded? What languages? Do they have a real interest in general computing. Can they show code they have written? Do they have github accounts (or similar)? Have they been a sys admin or network admin? Do they know OS fundamentals (file systems, user accounts, IPSec, firewalls, logging, shell scripting, etc).
If you find someone who has that past computing experience and a keen interest in general computing, and who has a college degree (major doesn't matter) and who holds a CISSP or SANS GIAC certs, then they'll work out great. But you don't want to hire the guy or gal with an MBA and a CISSP who has never administered a system unless you're only looking for a manager and you have security analysts/engineers to do the heavy technical lifting.
And I think this is where the problem comes in. These kinds of people (MBAs with no experience) are hired, then when the sys admins and other technical staff meet them they are shocked and amazed at how little they know about general computing and wonder how on earth they're going to "secure" systems when they've never installed an OS or configured iptables/pf or brought up a SPAN interface on a Linux box running snort or sent a PGP encrypted email message. In these cases, you have to have analysts and engineers to do the actual work and the managers can do the policies/documentation/audits.
So it's important to be very clear on the technical requirements and expectations (if any) of the security positions. You don't want to find out later that your "security guy" doesn't know what a bit or byte is and has never heard of IPv6 and thinks it has something to do with car engines.
Good points. I think setting expectations is critically important. I see a lot of oversell in certification programs (this certification proves you are elite) and too much blind acceptance of the oversell. These are serious problems.
Disclosure: I have a CISSP (previous employer paid for study / exam).
I would agree that within technical circles, the CISSP is not worth much at all (in certain crowds, it's harmful). If you're well-connected in the industry when job hunting and you have a known body of work, there's little benefit.
Rightly or wrongly, though, it still holds pull with recruiters and management. Getting the current de facto seal of approval from a third party saves them the effort of having to make an initial skills assessment themselves. Buzzword-filtering corporate recruiters lap that stuff up.
I know that I've seen a lot of job ads which (wrongly) ask for a CISSP as a requirement. Additionally, when I went to work in Japan, the CISSP formed the centrepiece of evidence in the work visa application as to why I was an "expert" they needed to go overseas to hire.
Normally I'd be squeamish about talking down a credential that many of my clients might view as instrumental to their careers. But in this job market (and by "this market", for security pros, I mean the last 3 years), it's simply unnecessary. It should be possible to get a job in infosec at any level of your career in 2011.
It is actively harmful to hold a CISSP in the field of software security (which is where we work), but we're all a bunch of douches.
"What I want from the CISSP or any certification program is that it be hard to pass."
On exam difficulty, try CCIE certification. There are two parts, the written ($350 per an attempt) and then the lab part which cost $1500 per an attempt. The lab part has a 26% pass rate over the history of the exam. In comparison, the CA Bar exam has a 35% and 55% pass rate, which is the lowest in the US.
You also can't just take it anywhere, you have to travel to a designated lab testing center, and depending on where you are that means cost of travel and lodging.
I thought about this one for a little bit and threw it into the bucket of "well, most certifications are worthless", but I don't think I fully believed that.
Our security team consists of individuals that I would consider great and folks that do some of the leg work required of a security department at a large company. We have folks who audit and provision access, a job that would require knowing the basics of RBAC most of the time.
I think the point this article is making isn't entirely correct. I've yet to find a test that magically ensures that someone is competent, be it a large number of tests required to pass a degree program or a single test required to pass a certification. It is part of a broader picture. A resume with zero experience/visible work that includes a degree in CS is going in the bin unless it's a person targeting an intern position. A resume with zero degree, a few years of experience and solid examples of their work is going to get attention (and depending on the work, it won't matter if you have traditional corporate experience).
In InfoSec it's possible to get the equivalent. Companies who care enough to fix the problems in their software grant credit that can be cited in a resume/CV. Some will pay bug bounties if you find a vulnerability and follow their disclosure requests.
I'm not sure that the article really tries to say that a certification is a magical elixir. I think he's saying that they are sold as being magical. I also think he's intentionally calling attention to qualities and criteria that are not easily measured. But that's my read.
15 comments
[ 2.2 ms ] story [ 82.3 ms ] threadWhenever people ask me if they should do it, there are pretty much two instances where I recommend it:
1.) You work in corporate security (maybe a CISO, or work for an internal security group within an organization) where you will actually have to deal with security across the many domains that the CISSP covers. Depending on where you work, it might either be required or strongly encouraged. In which case, I'd say, knock yourself out.
2.) You're looking for a job. There are a lot of places that list it as a requirement for a job, as it's one of the few things a recruiter or HR person can flag a resume for. Now, you might say to yourself "I'd never want to work for a place where they actually considered having a CISSP a requirement", to which I'd reply "Good for you, you've moved along the path of security zen". But the reality is, people need jobs. So if you need a job, and this is something that could get you a job (even a job that grizzled security veterans would sneer at), have at it.
Infosec is a young industry (birthed from a very anti-corporate community), and there isn't anyplace that any large number of people consider authoritative enough to offer a certification that isn't considered laughable. That may change in the future (it'd be nice), but I wouldn't bet on it.
If you're really just looking at getting a CISSP to get a job, however, I think you'd be much better off becoming a PCI QSA. You'd pretty much never be out of work. Weigh that against what doing PCI for a living does to your soul. Everybody needs to make that decision for themselves.
So the plus-side of having a CISSP is if you're looking for work, and the downside is attracting the ire of the security community (which may or may not bother you, depending on where you hang out at nights and on weekends). Also having to pay to keep it current, and not associating with any evil hackers (while at the same time having to submit CPE credits for attending conferences put on by evil hackers).
I just meant that if it's really just a situation where having a job is more important than what that job is, I think you'll have an easier time finding work as a QSA.
EDIT: Actually, you know what, even with that said I retract my suggestion. You'd have to already be working for a company that is approved to even get your QSA, in which case it's not really applicable for a general person looking for a job. And it's terrible work.
I don't have a CISSP, although most other ISO's I know do. I've worked in security for about six years. It's a real mixed bag. Some ISO's are just high-level managers, while others are much more hands-on and technical. I do have several SANS GIAC technical certifications, although I don't consider those better or worse than a CISSP. Certs are really just a requirement if you want to work in IT security.
Like all certs, the CISSP is not a good measure of practical knowledge. I've met hundreds of people who hold various certs and various degrees. And none of that really matters.
What matters is prior computing experience and interest. Have they coded? What languages? Do they have a real interest in general computing. Can they show code they have written? Do they have github accounts (or similar)? Have they been a sys admin or network admin? Do they know OS fundamentals (file systems, user accounts, IPSec, firewalls, logging, shell scripting, etc).
If you find someone who has that past computing experience and a keen interest in general computing, and who has a college degree (major doesn't matter) and who holds a CISSP or SANS GIAC certs, then they'll work out great. But you don't want to hire the guy or gal with an MBA and a CISSP who has never administered a system unless you're only looking for a manager and you have security analysts/engineers to do the heavy technical lifting.
And I think this is where the problem comes in. These kinds of people (MBAs with no experience) are hired, then when the sys admins and other technical staff meet them they are shocked and amazed at how little they know about general computing and wonder how on earth they're going to "secure" systems when they've never installed an OS or configured iptables/pf or brought up a SPAN interface on a Linux box running snort or sent a PGP encrypted email message. In these cases, you have to have analysts and engineers to do the actual work and the managers can do the policies/documentation/audits.
So it's important to be very clear on the technical requirements and expectations (if any) of the security positions. You don't want to find out later that your "security guy" doesn't know what a bit or byte is and has never heard of IPv6 and thinks it has something to do with car engines.
Just my experience.
At the high end of information security, these things do not matter at all.
I would agree that within technical circles, the CISSP is not worth much at all (in certain crowds, it's harmful). If you're well-connected in the industry when job hunting and you have a known body of work, there's little benefit.
Rightly or wrongly, though, it still holds pull with recruiters and management. Getting the current de facto seal of approval from a third party saves them the effort of having to make an initial skills assessment themselves. Buzzword-filtering corporate recruiters lap that stuff up.
I know that I've seen a lot of job ads which (wrongly) ask for a CISSP as a requirement. Additionally, when I went to work in Japan, the CISSP formed the centrepiece of evidence in the work visa application as to why I was an "expert" they needed to go overseas to hire.
It is actively harmful to hold a CISSP in the field of software security (which is where we work), but we're all a bunch of douches.
On exam difficulty, try CCIE certification. There are two parts, the written ($350 per an attempt) and then the lab part which cost $1500 per an attempt. The lab part has a 26% pass rate over the history of the exam. In comparison, the CA Bar exam has a 35% and 55% pass rate, which is the lowest in the US.
You also can't just take it anywhere, you have to travel to a designated lab testing center, and depending on where you are that means cost of travel and lodging.
Our security team consists of individuals that I would consider great and folks that do some of the leg work required of a security department at a large company. We have folks who audit and provision access, a job that would require knowing the basics of RBAC most of the time.
I think the point this article is making isn't entirely correct. I've yet to find a test that magically ensures that someone is competent, be it a large number of tests required to pass a degree program or a single test required to pass a certification. It is part of a broader picture. A resume with zero experience/visible work that includes a degree in CS is going in the bin unless it's a person targeting an intern position. A resume with zero degree, a few years of experience and solid examples of their work is going to get attention (and depending on the work, it won't matter if you have traditional corporate experience).
In InfoSec it's possible to get the equivalent. Companies who care enough to fix the problems in their software grant credit that can be cited in a resume/CV. Some will pay bug bounties if you find a vulnerability and follow their disclosure requests.