While talking with a friend tonight, the topic of CISSP certification came up. Lately I have been lamenting the decline of this certification, which seems to be following the path of the MCSE. As many are probably aware, the MCSE was once an impressive credential showing one's proficiency in Windows, but it grew to be nothing more than a few letters required by HR to get your foot in the door at large companies with draconian hiring policies. This was largely due to the poor experiences real Windows administrators had working with other "MCSEs" who knew nothing more than what was on their test. These less-proficient professionals became known as "paper" MCSEs - an MCSE on paper, but not in practice.

Once an identifier of dedicated security professionals, the CISSP seems to be heading in the same direction. I make this statement from personal experience alone, and not from any empirical data, but I have had more negative experiences with people holding CISSPs than with those without. By "negative experiences," I'm referring to a serious lack of general InfoSec-specific skills, or a serious lack of practical implementation and use of such skills.

That being said, the CISSP is still a great way to get a foot in the door in InfoSec, or to round out a resume that might be light on security-specific experience. It's also a way to make it past the first round of cuts when looking for a job. It would be the perfect "next step" for recent college graduates, or for IT professionals looking to specialize. But insofar as practical expectations are concerned, I've grown cautious of individuals who emphasize their CISSP certification as evidence of their personal InfoSec prowess over other, more concrete achievements.


Mike Helmick said...

This is a problem with all certifications that are offered by corporations: Microsoft, Apple, Sun, HP, etc. Their exams exist so that they can sell more products.

Contrast this with the two other options (used in other professions): state licensure, and academic accomplishment.

I tend to think that we need to look at combining both of those things for certain positions in the information technology field - most notably developers. All "Software Engineers" should have to go through the same process as other engineering fields: (1) get a degree, (2) work with another PE, (3) take the test after about 5 years and become a PE yourself.

Let's see, this also sounds like... hmmm... doctors.

My reasoning behind this: Technology is creeping into our lives more and more and more. Do you really want a high school dropout to write the software that controls your digital IV drip? Hmmm? Would you put YOUR life on the line for that? - I wouldn't. I want a properly trained software engineer who has been licensed to perform the work. - think about it.

Michael Cloppert said...

Mike - First off, thanks for the pointer on getting comments to be posted to the blog. For those of you wondering, you'll need to store a username and password for FTP/SCPing the updated blog in your settings at blogger.com. Be careful to limit the rights of this user to be safe!

Second, I agree with your sentiments about Microsoft et al. using their certifications as a source of revenue (whether directly or indirectly). This can contribute, and has contributed, to the problem I mention here. However, the CISSP is technology- and vendor-independent, so this isn't a factor here. And, to provide one counter-example, Cisco's CCIE certification is still the mark of superior networking skills, despite being a vendor-sponsored certification. I have never worked with a CCIE who wasn't very intelligent and skillful in a variety of aspects of networking.

Mike Helmick said...

That's why I used software development as an example. I agree that in different realms of IT, certifications may or may not have merit.

In software development/software engineering - they don't.