Jun 23 2004
Paper CISSP?
Training, certification or experience? A security dilemma.
I am beginning to hear this argument more and more. People are getting their CISSP certification without the required amount of experience, they are going to bootcamps, they are just passing the test on book knowledge. The certification I worked hard for is being cheapened, and I don’t like it. When I hear someone compare the CISSP to the MCSE, I cringe. I don’t want the CISSP to become just another piece of paper anyone can get! I want it to remain something that is an accomplishment and something to be proud of.
What can be done? First of all, the ISC2 can enforce the rules on experience as a security professional. I believe they are doing some verification of experience, but this needs to be stepped up. I’m seeing more and more anecdotal evidence that there are a lot of people out there who never should have been allowed to sit for the test in the first place. It’s one thing to not have security in your title, but feel you have the experience necessary. It’s completely different when your only security experience is the boot camp you sat in last week. I don’t know how people pass the test on a few days training, but that’s a different issue.
Second, I would like to see the ISC2 do more to further the public’s awareness of what the CISSP is intended to be, and more importantly, what it is not intended to be. The certificate is a benchmark of 10 domains of knowledge, and the holder is expected to have a general awareness of all 10 domains. They are not, however, supposed to be an expert in all 10 domains. In fact, the CISSP is aimed at management level personnel, and the holder may not be a technical expert in any of them. For example, I needed to spend a lot of time learning the basics of cryptography for the exam, but I still couldn’t set up a PKI if my life depended on it.
The last thing I would like to see from the ISC2 is movement towards more clearly defined processes and policies. Optimally, I would like to see the organization get ISO9000 certified, but that may be too much to ask. There has been a lot of concern lately revolving around a survey sponsored by the ISC2, and I think many of the issues raised over this incident could be resolved by clearing up the policies. I don’t believe that policy and process are the solution to a problem in and of themselves, but when you have them documented it’s a lot easier to troubleshoot your issues. Ad hoc processes rarely work, in my opinion.
I’m proud of being a CISSP, and I want to remain that way. But I see that there is currently an assault on the validity of the certificate. Too many people are passing the test who shouldn’t have been allowed to sit for it in the first place. The ISC2 has had some management fumbles lately, and seems more concerned with the number of CISSPs than the quality of the applicants. The original plan was for the CISSP to be the Gold Standard of security certificates. When I hear the CISSP compared to the MCSE, I feel that the standard has been tarnished. Time to break out the polish and regain some of that shine.
2 Responses to “Paper CISSP?”
I think that this issue regarding required experience is something of a sticky situation.
First, keep in mind that you’re hearing anecdotes. That anecdote is filtered through the person (or persons) who feel, “Hey, I’ve been busting my butt for three years, and this guy hasn’t done what I’ve done.” Purely subjective.
Case in point…I sat for the exam in ‘99, and had been out of the military for just under 2 yrs at the time. Did I have the required three years of experience as a security professional? You bet I did! I had 8 yrs as a military officer. My experience wasn’t all in computer security…I’d done physical security, cryptography, communications security, personnel security, etc. To me, a well rounded professional means having a breadth of experience.
Cheapening of the certification? It was bound to happen. The ISC^2 wants to get the certification out there, and certification programs breed an economy of folks providing training/preparation for the exam(s). I’d look at the continuing education requirements of the certification as a plus.
But who’s cheapening the cert? I received my cert in ‘99, and in Nov ‘99 at the CSI conf in DC, the ISC^2 offered a practice exam. So…you could attend the conf and receive 1 CPE point for each hour of attendance…or sit for the practice exam and be done in an hour…and earn 40 CPE points! That’s 1/3 of the required CPE points for the three year period! Self-serving? Perhaps. Cheapening of the cert? Perhaps.
Final thought…don’t get upset when someone compares the MCSE to the CISSP cert. Doing so is comparing apples to oranges…the certs each have a different focus and a different reason for being. One cannot compare the two b/c the only thing they have in common is that they are certs…beyond that, there is no comparison.
Believe me, I work at a large company and we have had and currently have a large number of “PAPER CISSPs”. It’s ridiculous that they only have very generalized security knowledge and nothing more. I have had to train multiple CISSPs on real world practices for securing Active Directory and UNIX and it’s just bullshit.
The certification doesn’t and CANNOT train your problem solving and analytical skills, which are critical in all of IT and especially security. It is those two traits that make an individual successful at his/her job and not a sheet of paper worth only to wipe a stinky butt.
CISSP (Certified Irrigitation Sewage Systems Proctologist)