The CISSP is not a technical certificate…

Here is a great article write by Martin McKeay check it out

Repeat after me, “The CISSP is not a technical certificate, it’s a management certificate”

I’ve held my CISSP for coming on 5 years now.  I earned my CCNA around the same time, though I’ve let it lapse.  Last year I received the SANS GIAC Systems and Network Auditor.  I even earned my B.S. in Information Security Management from the University of San Francisco in 2001.  Each of these has a place in the security field as do most of the other (though not all) certifications out there.  Each one shows that the holder has attained a minimum level of knowledge by whatever testing method the certifying company choses.  To varying degrees almost every security related certificate will help you get one step closer to a job.  Currently, the CISSP is the top of the heap when it comes to certificates, though the CISA and other ISACA certs appear to be gaining ground in the management level certifications.

I have several pet peeves when it comes to certification.  First, being certified denotes very little other than you passed a test.  I don’t care if it’s the CISSP, GSEC or any other certification you care to mention, all the cert proves is that at a particular point in time, you had the knowledge required to pass the test.  It doesn’t mean you retained the knowledge, it doesn’t mean you understood what you were being tested on.  Most importantly, it doesn’t mean you’ll be able to do the job you’re being interviewed for.  I’ve met met CISSP’s who don’t understand the basic concepts of security, I’ve met CCIE’s who couldn’t figure out a basic subnetting problem and I’ve met some brilliant security professionals who never held a cert and never wanted to.  They just wanted to work in security because it’s what they’re passionate about.  If you think that someone can do the job you’re hiring for just because they hold a certain certificate, then your probably going to get a rude awakening some day soon in your hiring process.

Another of my pet peeves is people who complain about the CISSP because it’s not “technical enough”.  There’s a very simple reason for that: the CISSP is not a technical certificate!  It is not now, nor was it ever meant to be, a technical certification.  I know that’s hard for some people to believe, but it’s the truth.  If you look at most, if not all, of the technical certifications, they cover a very limited portion of security, while the CISSP tries to cover everything from encryption to physical security.  Technical certifications cover security at a very high level or they might cover a very narrow field in depth, but they’re limited in breadth of the knowledge they expect the person being tested to know compared to the CISSP.  The CISSP has often been referred to as being “a mile wide and three inches deep.”  But it’s not a technical certificate, never has been advertised as a technical certificate and most of the people who hold it agree that the CISSP is a management certificate that’s mainly aimed at showing that you’ve been in security for a few years and are serious enough about it to sit for the test.  It’s also one of the certs that’s most likely to get past that HR drone.

I kind of like Daniel Miessler’s writing and think he has some good posts, but he totally misses the point of the CISSP when he complains about CISSPs who can’t program a home network.  The CISSP isn’t aimed at testing someone’s ability to program their Linksys router, it’s aimed at testing someone’s ability to think about the philosophy of security.  Do they understand the general business drivers behind security, do they understand the the basics of encryption, do they have a clue as to all ten of the domains that the ISC2 is testing for?  The testing method the ISC2 uses has some problems, I’ll freely admit.  I’m sure there’s a better way to administer the test, even if I don’t know what it is.  I hate the fact that the ISC2 has not only allowed but encourages the “cram and test” approach to taking the CISSP test.  But I’m not sure that the SANS courses are any different; SANS is just a bit better about providing training while you cram for the test.  Every testing strategy has it’s strengths and weaknesses, and some of the choices around the testing are quite plainly made with financial considerations in mind rather than what would make the test a better measure of skills and talents.

When you’re interviewing for a position, you’re interviewing a person, not a certificate.  If you’re interviewing a CISSP to be a router jockey, you better hope they have a couple of other certs to back up their claims of knowledge.  Or you better have some really good questions for them, preferably both.  By definition, the CISSP shows no in depth knowledge of any particular aspect of security. So why would you ever expect a person holding to be an expert in any discipline or even have more than a 3″ depth of knowledge?  Because if you do, you don’t understand what the CISSP was designed to show.

Before anyone starts to consider me a CISSP-apologist, let me say that I’ve been seriously considering letting my CISSP lapse for the last couple of years.  I haven’t been happy with the direction the ISC2 has taken the last few years.  I think diluting the CISSP certificate by creating additional certificates of both lower and higher levels was a mistake aimed at making more money.  I don’t think the ISC2 contributes much back to the community at large.  And I’m doubtful the board members even understand the needs of the security community any more.  The only thing that’s kept me sending in my $85 each year is that holding the CISSP fills in one more box on the HR checklist.  Given where I am in my career, I may consider putting ‘former CISSP’ on my resume good enough in a couple of years.

I began programming in C++ when I was in college. Odd for a business major, but hey I am a Dork. After college I got a job as System Administrator. As a System Administrator I was in charge of web administration. My journey as a PHP web developer had begun. Since that time I have gained an in depth knowledge of CSS, Javascript, XML and MySQL. With changes and advances to technology I have also began learning AJAX. I started Blue Fire Development to do freelance work in my spare time.

Posted in Security