Monday, September 3, 2007

CISSP, Magic Incantation or Nonsense?


Blood pressure is already rising at the mere mention of the word, but stick with me. I have held a few certifications through the years: from ASE Master Auto Technician and Master Heavy Truck Technician many years ago; to MCSE+I on NT 4.0 and CCNA later (one obsolete and the other lapsed); and for the past few years CISSP. I had different reasons for getting each cert, and each served its purpose, but I think the CISSP has been the most valuable.

Some people see the CISSP as a farce, held by people who make a career out of the tedium of security, not "real" security; others think having a CISSP makes you a genius and a security guru. Both are wrong.

The CISSP exam is long and tedious, and it covers a bewildering array of topics. That's the point: a wide-ranging view of information security, not a nuts-and-bolts technical view, not a C-level executive view, but a general grasp of numerous facets of information security.

So, where's the value? It is threefold:
  • First and most importantly, you have to get outside of your comfort zone and think about ALL of information security to pass the exam. This can only be good.
  • Second, you "join the club" and get access to resources not readily available to others.
  • Third, it is a high-profile certification that many people recognize.
The resources of ISC² (seminars, conferences, career resources, etc.) may be of value to you, and the CISSP-only mailing list can be a great source of information. What I find most valuable on a day-to-day basis is simply being able to append the "magic letters" to my name when dealing with corporate drones. Some know what it means, some only think they do, but they certainly do not expect to see them behind the name of the average small-business IT administrator. It is sad, but the CISSP has been a handy stick to use when trying to whack intransigent vendors. I don't always get the answers I want, but the BS factor drops dramatically when big business IT and security people think they have a worthy adversary. (I would rather be a valuable customer than a worthy adversary, but that's a rant for another day.)

Information on the CISSP certification is available at the ISC² website.

Also, while not directly related, there was a recent bit of confusion about the nature of the CISSP: Daniel Miessler recently wrote a negative post on the CISSP; I don't think he really understands the cert. Martin McKeay later responded with a good commentary on Daniel's post.