Training, certification or experience? A security dilemma.
I am beginning to hear this argument more and more. People are getting their CISSP certification without the required amount of experience, they are going to bootcamps, they are just passing the test on book knowledge. The certification I worked hard for is being cheapened, and I don’t like it. When I hear someone compare the CISSP to the MCSE, I cringe. I don’t want the CISSP to become just another piece of paper anyone can get! I want it to remain something that is an accomplishment and something to be proud of.
What can be done? First of all, the ISC2 can enforce the rules on experience as a security professional. I believe they are doing some verification of experience, but this needs to be stepped up. I’m seeing more and more anecdotal evidence that there are a lot of people out there who never should have been allowed to sit for the test in the first place. It’s one thing to not have security in your title but feel you have the necessary experience. It’s completely different when your only security experience is the boot camp you sat in last week. I don’t know how people pass the test on a few days’ training, but that’s a different issue.
Second, I would like to see the ISC2 do more to further the public’s awareness of what the CISSP is intended to be, and more importantly, what it is not intended to be. The certificate is a benchmark of 10 domains of knowledge, and the holder is expected to have a general awareness of all 10 domains. They are not, however, supposed to be an expert in all 10 domains. In fact, the CISSP is aimed at management-level personnel, and the holder may not be a technical expert in any of them. For example, I needed to spend a lot of time learning the basics of cryptography for the exam, but I still couldn’t set up a PKI if my life depended on it.
The last thing I would like to see from the ISC2 is movement towards more clearly defined processes and policies. Optimally, I would like to see the organization get ISO 9000 certified, but that may be too much to ask. There has been a lot of concern lately revolving around a survey sponsored by the ISC2, and I think many of the issues raised by this incident could be resolved by clearing up the policies. I don’t believe that policy and process are the solution to a problem in and of themselves, but when you have them documented it’s a lot easier to troubleshoot your issues. Ad hoc processes rarely work, in my opinion.
I’m proud of being a CISSP, and I want to remain that way. But I see that there is currently an assault on the validity of the certificate. Too many people are passing the test who shouldn’t have been allowed to sit for it in the first place. The ISC2 has had some management fumbles lately, and seems more concerned with the number of CISSPs than the quality of the applicants. The original plan was for the CISSP to be the Gold Standard of security certificates. When I hear the CISSP compared to the MCSE, I feel that the standard has been tarnished. Time to break out the polish and regain some of that shine.