Your CISSP is Worthless - So Now What?

Thursday, August 23, 2012

Dave Shackleford


OK, so it’s not really worthless. It can help you get a job or a contract. But in the scheme of today’s infosec world? It’s really broken, in my opinion.

Let me break down my thought process, since I’m typically pretty upbeat about things.

Over the years, I have had more than a few laughs with both clients and SANS students about various aspects of the CISSP. Few seem to *really* take it seriously. That’s a big indicator.

Second, there are far too many things in that cert/test that are completely and totally useless to 99% of us in infosec.

As the Information Systems Security Professional, I do not need to know a damn thing about fire extinguisher types, fence height, or lighting. Sure, it may be interesting knowledge.

But not relevant to most people’s infosec jobs, and thus extraneous in the cert.

Third, the CISSP demonstrates no hands-on skills. The test itself, completely insane in its wording and content in some cases, just makes you memorize a bunch of concepts. We don’t need many, if any, theoreticians today. I need tangible, real skills that can be put to good use immediately.

You may argue that theory, research and risk all have their place. Sure they do. But I don’t need that in a cert like this. I want someone who can walk in the door and DO things. Not think about doing things. Or talk about doing things. Or answer obtuse questions about things without being able to perform hands-on tasks.

I’ve had some people tell me – “I’m proud of my CISSP.” Really? Of what, exactly?

  • Studying for a test
  • Taking and passing a long, obnoxious test
  • Doing WORK for 3-4 years (wow, welcome to a CAREER)
  • Having a college degree (in some cases)
  • Acquiring CPE credits for random bullshit-able things
  • Getting someone to attest that you are smart. And/or awesome.

People, it’s broken. HR offices are essentially discriminating against people who don’t have one, for really no good reason. This cert is ridiculous. If you have to get one for work, or compliance, or DOD 8570, or something…

OK. But don’t strut around and act as though this really means you have something unique or special… you don’t. I know way too many CISSPs who can’t dissect a packet, configure a firewall or IDS, write a script, perform a real in-depth risk analysis, and so on.

That does NOT bode well for the future of information security. If you argue that it’s meant to be a broad, “theory” cert – well, I argue we don’t NEED those. We need more DO-ers.

So what do I propose? I say scrap the whole thing. Start over. Build a cert and program that tests fundamental skills and means something to employers who really need things done. Offer existing cert holders one year and a free test to get the new one. Otherwise, they’re out.

We need to weed out the people BSing their way through infosec on the back of a bunch of stupid CPEs. I’d love for the CISSP to mean something, and see the industry rally around it as a useful and legitimate indicator of knowledge and skill.

We have friends of mine like Wim Remes on the ISC2 board, and Dave Lewis and Boris Sverdlik running for the board now. I would love to see more awesome folks like these guys steering the ship. But it needs an overhaul regardless.

Pic courtesy of Boris’ site at http://www.jadedsecurity.com.

Cross-posted from ShackF00

Michael Yardley: A CISSP is totally worthless. It is too expensive to get, so why bother with it? Kevin Mitnick does not have one, I do not have one. I do not want one. Who cares what the job ads want. I have been breaking into networks for twenty years, been a member of Anonymous for six years (now retired). Just throw up a web site and do consulting work at £450 per day plus travel expenses.
Jamie Braun: YESSS! Thank you for this article! I see so many people strutting it as if it's the ultimate certification! HR needs to realize that it is NOT a technical cert by far; in fact, I don't see much of anything beyond simple port numbers on it for technical content! It may not be worthless, but it's not something you want to gloat over towards a person who holds an OSCE, CREA, or similar.