Your CISSP is Worthless - So Now What?

Thursday, August 23, 2012

Dave Shackleford


OK, so it’s not really worthless. It can help you get a job or a contract. But in the scheme of today’s infosec world? It’s really broken, in my opinion.

Let me break down my thought process, since I’m typically pretty upbeat about things.

Over the years, I have had more than a few laughs with both clients and SANS students about various aspects of the CISSP. Few seem to *really* take it seriously. That’s a big indicator.

Second, there are far too many things in that cert/test that are completely and totally useless to 99% of us in infosec.

As the Information Systems Security Professional, I do not need to know a damn thing about fire extinguisher types, fence height, or lighting. Sure, it may be interesting knowledge. But it is not relevant to most people’s infosec jobs, and thus extraneous in the cert.

Third, the CISSP demonstrates no hands-on skills. The test itself, completely insane in its wording and content in some cases, just makes you memorize a bunch of concepts. We don’t need many, if any, theoreticians today. I need tangible, real skills that can be put to good use immediately.

You may argue that theory, research, and risk have their place. Sure they do. But I don’t need that in a cert like this. I want someone who can walk in the door and DO things. Not think about doing things. Or talk about doing things. Or answer obtuse questions about things without being able to perform hands-on tasks.

I’ve had some people tell me – “I’m proud of my CISSP.” Really? Of what, exactly?

  • Studying for a test
  • Taking and passing a long, obnoxious test
  • Doing WORK for 3-4 years (wow, welcome to a CAREER)
  • Having a college degree (in some cases)
  • Acquiring CPE credits for random bullshit-able things
  • Getting someone to attest that you are smart. And/or awesome.

People, it’s broken. HR offices are essentially discriminating against people who don’t have one, for really no good reason. This cert is ridiculous. If you have to get one for work, or compliance, or DOD 8570, or something…

OK. But don’t strut around and act as though this really means you have something unique or special… you don’t. I know way too many CISSPs who can’t dissect a packet, configure a firewall or IDS, write a script, perform a real in-depth risk analysis, and so on.

That does NOT bode well for the future of information security. If you argue that it’s meant to be a broad, “theory” cert – well, I argue we don’t NEED those. We need more DO-ers.

So what do I propose? I say scrap the whole thing. Start over. Build a cert and program that tests fundamental skills and means something to employers who really need things done. Offer existing cert holders one year and a free test to get the new one. Otherwise, they’re out.

We need to weed out the people BSing their way through infosec on the back of a bunch of stupid CPEs. I’d love for the CISSP to mean something, and see the industry rally around it as a useful and legitimate indicator of knowledge and skill.

We have friends of mine like Wim Remes on the ISC2 board, and Dave Lewis and Boris Sverdlik running for the board now. I would love to see more awesome folks like these guys steering the ship. But it needs an overhaul regardless.

Cross-posted from ShackF00

Jim Kesselring There needs to be a foundation exam for security and the CISSP has potential, but I agree, it needs a major overhaul before it becomes anything I value as weight in reviewing a resume. I
Barry Kortekaas In the interest of full disclosure, yes I hold the CISSP and other certifications. The CISSP does not need to be “fixed”. Updated maybe but not fixed. Please remember the CISSP is not meant to be a technical exam for a specific discipline in InfoSec but a management level certification demonstrating broad high-level knowledge. Some of the seemingly obscure topics like the fire extinguisher example are pertinent to the InfoSec community but rarely in the technical roles. When an InfoSec professional has to interact with auditors and is asked a question about fire suppression agents then the value is clear. When a company only has a single information security professional that will likely wear many hats then the CISSP may be a good choice but if hiring for an internal penetration tester maybe the OSCP is a better choice. ISC2, ISACA, and SANS have certifications for both technical and management skills so I suggest, as InfoSec professionals, we work with hiring managers, directors, and HR teams, to help them understand the difference between the CISSP, CISM and the GSEC. I have used, with great success, a technical scenario based test during the hiring process to quickly separate the paper experience from the real world experience. Rather than changing the CISSP we need to change the understanding of the CISSP.
Carmelo I like how you wrote "HR offices are essentially discriminating against people who don’t have one, for really no good reason."

I can understand a shop being a Microsoft Gold Certified partner requiring most of their staff to have Microsoft certifications. But I'm truly confused about many infosec jobs requiring a CISSP.

Most job boards I've ventured onto have job postings as "firewall expert, must have CISSP" or "contract job to encrypt data at rest, must have CISSP". It is ridonkulous!

I do think that part of the problem is Human Resources. Perhaps they need to be educated on what is feasible and practical?
Lisa Simpson I've just finished our annual PCI compliance audit. You want to talk about a joke.... let me tell you about our "required" PCI audit. Apparently the only thing you need to conduct a PCI audit is to have some warm, breathing knuckle-dragger who can push enough buttons to run the software package du jour. The company, which was selected off the PCI approved vendor list, actually informed us that being able to obtain the FQDN for our on-line store from DNS was a security threat. I actually had to explain to the auditor that without the ability of people outside to resolve the FQDN, our store would be largely unreachable and therefore broken.

Then they wanted to fail us because our server detected the full-speed spam-scan in progress and blocked them. This led them to assume that the server had died. Once again, I had to explain to them that a failure to be vulnerable is not a vulnerability and does NOT need "fixing". It performed exactly as expected.

Even more surreal is our corporate headquarters is demanding that we provide documentation of firewall rules, etc. which they plan on turning over to the id10Ts who are conducting our audit. It's even more ridiculous when they're still taking credit card numbers over the phone and writing them down on Post-It notes.
Lisa Simpson On another note, I see a LOT of people who are forging the required experience in order to get a CISSP. Any CISSP is supposed to have a minimum of 5 years of hands-on security experience. Not theory. Not classroom. Hands-on day to day work experience. Which means you should know how to do more than talk, pontificate, or theorize about security. You should know how to do something.

What that something is may be an entirely different matter. I have one friend who does NOTHING but physical security. He works for a company that designs and builds high security data centers. Would you hire him to manage your network traffic? I wouldn't advise it.

I have another friend who does nothing but BCP and DRP. Would you really want him to configure your Windows Domain? Probably not since Access Control isn't his thing.

Assuming that all CISSPs are the same is like saying that a skateboard, a bicycle, a car, and an 18-wheeler are all the same because they are all forms of transportation.

And yes, you are quite correct that HR Departments are the problem. They need some criteria that they (the HR peeps) understand to weed through the hundreds or thousands of resumes that may be received for a single job posting. Understand that the HR peeps will not and should not need to understand what we do. It is our job to educate them on what to look for and how to rank the resumes.
Carmelo I wonder if I change my signature quote to #DoesThisCountForCPECredits on Information Security Forums.

Keith Glass People... relax. CISSP is to security what PMP is for management. And as for the requirement, blame DOD for making it one of the "required" certifications to do ANY kind of Infosec work.

Just like PMP doesn't make you a manager, CISSP doesn't make you a security guru. Both have the function of proving that you've studied the BASICS. The fact that the HR droids don't know any better is not our fault...
kursoul Brakous I think you're right, and I hope your dreams will come true....
Ian Tibble Most of our problems in infosec come back to a lack of trust with our customers...they would be C-level execs, other BUs, other businesses, home users. CISSP is an inch thick and a mile wide. It is, without any shadow of doubt, a Mickey Mouse accreditation. The target is not management as some have said. The target is everybody - analysts, literally all security pros.

When there has been an incident, security pros will get out the trump card phrase "no silver bullet"...collect the pay check and depart the scene of the crime. Non-repudiation, CIA triads, SDLC don't really work when things get bad - although "non-repudiation" has that neat little double whammy thing going on so it's nice to use in meetings, when things aren't so heated.

Most CISSPs will never see a command shell in their lives, or actually understand the output of SIEM (even in the unlikely event it has been well-configured). So when there has been an incident, most security pros can't even tell anybody what the chuff just happened. This is bad.

Who can blame anybody for not trusting us? When there is a lack of trust, security deteriorates down the levels of bare compliance, because when an alternative strategy is proposed, the advice is ignored/ not trusted. All our problems relate back to trust.

We need a path of graduation from sysadmin, dev into security, perhaps with a vendor cert behind them. Once qualified the pro can be a Security Analyst (no "senior" qualifiers, "thought leader" (tm), "SME", evangelist, ...). Then after 5 years as an analyst - Security Manager or Architect.

There is space in the analysts' world for a SMALL NUMBER of specialisations. Appsec, databases, with a core tech bias of Windows, Unix, Cisco/Juniper. <10 specializations please ...but the job title is still Security Analyst.

Single body of accreditation please. One professional accreditation program to bind them all.

Michael Johnson I largely agree with Carmelo. It's the guys and gals without that work experience who would gain the most from a CISSP. These people may have put in hours of their spare time studying, and could therefore have gained a high degree of understanding that should warrant recognition. Incidentally this could apply to many hackers with skills lacking in the corporate security field. ISC2 should either:
a) Scrap the five year requirement and assess on the applicable skills and knowledge of security. Ideally some practical stuff as well.
b) Have some kind of tiered cert thing, like CCNA.
CP Constantine Listening to people describe how the "CISSP is meant to be a management-level cert" is like listening to folks explain how "Oh, that's just a metaphor" about parts of the bible that modern society disagrees with.

If the CISSP is meant to be a theory-level management cert, *why are we seeing it as a requirement for hands-on roles*? It's one or the other. The same goes for the apologists that explain "It's not meant to be the gold standard of certifications" (that's from the mouth of ISC2's own legal counsel, btw), but then they market it to businesses as being the de-facto standard of infosec ability. Want to fix the CISSP? Fix the glaring levels of hypocrisy and apologism surrounding it.
Keith Glass @CP Constantine: Why is it a requirement?

1. ISC2 is excellent at one thing: Marketing. Which SANS, btw, sucks at.

2. Please point out almost ANYTHING technical that the HR Droids get right. I can recall, in particular, the job requirement for "5 years experience with Windows 2000 Server"... in September 2000...

3. Blame DoD. They require certain certs, and everyone else follows...
Lisa Simpson Again, this is why it is incumbent on those of us who DO know what is correct and what is not to educate the HR peeps on how to sort through the resumes for any given posting or do said sorting ourselves.

The HR Droids (@Keith Glass) usually only know what they've been told, often by non-technical managers. If you abdicate your candidate selection to someone who obviously has no understanding of the job at all, whose fault is that?

I know that here we posted a very simple programming job. We got 793 resumes. About 500 of those included people who had no programming experience in any language whatsoever. They were simply desperate for a job.

The other 250+ took some picking through by the technical staff to get an appropriate "short list" of viable candidates.
Michael Ziakas Worthless... Bummer! I do agree it has content that one will never use, but hey, show me a cert that doesn't. Maybe instead of a new cert just remove the BS and add some meaningful structure. I'll help! :)
Martye Joyce The CISSP is USEFUL!!!

Tell that to any Organizational Leader, Operations Manager, SCIF Facility Manager, and they will clearly say that such believers are quickly becoming the widget guys who understand little about building communications concepts, working with existing offerings and players, across the government, DoD enterprise, industry, and academia, regarding convergence of many technologies onto the global network. It is a team approach! Yes, this even includes CCTV, fencing and other physical tools and technologies. Moreover, the CISSP is meant to be theoretical, thus, allowing technical professionals to apply critical and analytical thinking whereby a holistic approach is applied to all things cyber. In critical times in cyber, which we are all affected by, scrapping CISSP and starting over would set Cyber back years...the goal is to build on the value of CISSP and other certifications.
The CISSP is also the industry de facto standard given the 8570 mandate and mirrors the IAM and GIAC certifications. Therefore, contractors are required to understand critical security concepts across the enterprise. Professionals who fail to understand the value put enterprises at risk when they lack situational awareness skills because they fail to connect the dots with security and cyber transformation. The CISSP and other certifications are merely the first step to understanding the essential knowledge of cyber education.
Having engaged communications with (ISC)2, industry, and colleges and universities, I have designed such a program that includes useful lab activities, understanding the externalities and critical issues surrounding cyber while obtaining the CISSP and GIAC certification. Do not dismiss the value of the CISSP and other security certifications. These concepts are a huge value for those professionals needing to understand the holistic value of all things digital in information security.
Michael Johnson But can it be done holistically, or as a palatable abstract we call 'cyber'? Should it?
It couldn't be the first step to understanding security. For that, a solid basis in computing is needed first. We need to understand the intricacies of things like the boot process, the mathematical and programming aspects of encryption, the properties of transmission media, the mechanics of how something like Metasploit can hijack a process, program or daemon, the implications of causing a program to fail, how a given routing protocol could be manipulated to crash an entire ISP's network. This is the perspective decent hackers will attack networks from, by exploiting the weak points in the technology itself, and they can think critically in order to find them.
If people entrusted with security only know things as an abstract they call 'cyber', they have an immediate disadvantage against the proper hackers.
Kathleen Jungck First off, Dave, thanks for starting the debate on the CISSP certification. However, I respectfully disagree with your final conclusion.

Certified INFORMATION SYSTEMS Security Professional is not a certificate limited to just those who specialize in SYSTEMS security. Information Systems security also includes network security, database security, physical security, information security, governance, cryptography, and other sub-disciplines. A security professional who is involved in designing a secure data center, an IT heavy office building, or other site where security is a concern will worry about the lighting, types of security monitoring, natural barriers, traffic control and other considerations. I’ve been there. During my career I have been involved in the design of the IT infrastructure and support services for an office building, manufacturing complex, and integrated office and manufacturing complex. If you’d like to see an example of this, check out the Gates Foundation building in downtown Seattle, and see how they’ve used many of these concepts to protect the facility without resorting to iron bars and obvious security measures.

Would you consider a doctor who is not a surgeon to still be a physician? Specialization is becoming a similar trend within information security. While I am no longer a Systems Administrator, Network Administrator, Systems Analyst, software developer, or data & cryptography analyst like earlier in my career who is implementing patches, tuning operating systems, configuring a firewall, examining packets, or considering program architecture or database design for security, I am no less an information security professional. Honestly, working on the “human” end of things with security literacy (some refer to it as security hygiene and security awareness), governance, policy, and access control is at times a considerably more difficult but just as valid a part of information security. Imagine what your job in systems & technical security would be like if I didn’t do mine and reduce the attack surface from ill prepared users and poorly trained IT staff, poorly constructed applications and architecture, or internal malfeasance. Good security is about cooperative layers, and not relying on a single methodology. I believe the CISSP certification represents this.

The CISSP was never intended to be solely a technical certification if you read the history of its development. It was intended for more senior practitioners, often those in management, administrative, or consulting positions who would benefit more from a wide breadth of experience. If you’re looking for a technical certification, GSEC and other GIAC certifications are much more applicable, and are accepted by the DOD standards. I agree that most HR reps have no clue what the CISSP is really about, and I’ve had to educate several recruiters on the breadth of the subject. Most people outside of information security have little grasp of the true breadth of our field.

I do agree, however, that the testing for the CISSP could be improved. Many of the questions, to be blunt, are terribly written, and even those that are well written often disadvantage those who do specialize in a single subspecialty. Personally, I think the exam could be improved to allow specialization and be split into multiple exams like many vendor or GIAC certifications. To achieve the new CISSP certificate, members would then pass a certain number of the subspecialty examinations. For example, there could be exams covering management of information systems (policy, governance, ethics, legislation, security awareness, access control, and physical security); systems security & network security; computer forensics, e-discovery, and ethical hacking; and so on. Basically, flipping the current exam configuration where you obtain the general CISSP certification first, then the specializations. I would, however, be leery of technical testing for generalist knowledge with the wide range of applications, systems, vendors, and equipment out there. And don’t get me started on the vocabulary – how many different meanings each for “policy” and “MAC” to provide a few examples.

I also didn’t consider the screening process for the CISSP to be trivial. I was required to submit a tailored resume including my education and work experience which was thoroughly vetted. I was also required to submit the testimony of a colleague with the certification in good standing who could vouch that my experience, knowledge, and ethical standards were consistent with the requirements of the CISSP. At first I was a bit resentful that it relied on the “old boys’ network”.

Personally, I do not believe the current CPE system is “bogus”. How do I acquire my CPEs? I attend ISSA and IEEE meetings where I get feedback from my colleagues in a wide variety of specialties and reports from vendors and others practicing in the field, many of which include real world reports and analyses – although you’d probably feel that updates on computer forensics and e-discovery techniques and laws accompanying a report of the Victor Stanley II decision from the main analyst involved in the case from Guidance, a dissection of the RSA breach and lessons learned, and reports from vendors on their experiences in the changing attack landscape were “bogus” from your posting since they didn’t involve firewall or IDS tuning. I read a wide breadth of literature on the subject – including SANS communications, attend webinars on new technologies in my field, attend conferences, and attend training sessions. I also train future security professionals, write for security publications, and have been invited to present at an international information security conference, but I haven’t counted those for CPEs to date.
Jan-Tilo Kirchhoff I am glad that so many fellow CISSPs believe that change is necessary and also possible. There is a lot of merit in the things the "four horsemen" are suggesting.

Personally I think that Barry Kortekaas, Martye Joyce or Kathleen Jungck have a point when they state that the CISSP is not and was never intended to be a purely technical certification. The concept of the ten domains is great and should be kept even if details regarding the certification test and CPEs need to be updated.

Personally I have chosen the CISSP exactly because it's neither a technical cert like the CCNA nor an "organisational" one like the CISA. It covers a lot of stuff that network/web centered information security experts would never look at but that's just what makes it great because it forces you to look at things you would normally ignore. So maybe a pentester or malware analyst who wants to be a CISSP has to read up on risk management and security evaluation standards while an IT manager coming from the desktop/PC or business management side will have to brush up on his networking and firewall skills. In the end all of them have a "common body of knowledge" which enables them to understand the different points of view better.

Regarding the endorsement process I agree that this seems to be broken, but that's basically our (the CISSPs) own fault. If it was taken seriously the CISSP endorsing the SCCP / candidate would call up a few of the references given in the CV to check out that work experience is in fact valid.

When I became a CISSP I was actually afraid that my experience would be found lacking as I do not and never have held any job that had security in the title. I did my bit of software/tool development in Software QA, worked as a trainer for a PBX-cum-DSL-router system teaching firewall and VPN configuration, evaluated and fixed security risks when these systems were integrated into customer networks, analyzed Gigabytes of packet capture looking for VoIP related problems and found a virus eating up network resources. So I wrote all this in my CV, contacted my former bosses to have them read through it and tell me if they would go on record stating the points I listed were true. Were they ever contacted?

So now I am a CISSP and proud of it because a lot of effort went into the certification, I believe I got my bit of work experience, even if only a part of my 14 years in the telecommunications industry was directly security related, and I am what I always was: a security enthusiast. So for my CPEs I listen to more podcasts than I could ever put on record, took a (free) online class in Cryptography from Stanford (Thanks Dan Boneh, looking forward to part 2) and kept my contacts in the security/h***** (bad word not to be used by CISSPs) community alive by going to cons and fairs. If other CISSPs are faking it, shame on them. But please keep in mind that not everyone will get/have the funds for a $3000 training course every year.

Finally the CISSP has enabled me or at least given me the confidence to improve the security stance of the company I work for by being able to formulate technical issues in terms of risk and way to solve them in form of business processes.

So from my point of view, not all is bad/lost. If Boris, Chris, Dave, Scot and of course Wim can make change happen and the new local chapters get their act together to provide "controllable education opportunities" we can hopefully turn the CISSP into something that not only a can be proud of.
Martye Joyce Thank you Kathleen. You have explained what our focus on cyber should be and the CISSP justification so well!

Think of the CISSP as the Model T car in its infancy. Fast forward ten years, even 5 years from now, and look at the Lincoln car. The technology is totally integrated and has evolved technologies not even thought of 10 years ago. In fact, the Internet is forecast to introduce over 2.1 billion new users across Asia alone! Shift happens and the technologies used for the future surrounding electro magnetic and other developing technologies will vastly differ tomorrow from what is currently in use.

The CISSP provides the generalist knowledge and shared language on the 10 domains positions and is intended to allow analytical thinking from a framework of completion, new innovations in technology such as cyber high-performance computing (HPC), considerations for new generations of leadership with a focus towards a demand for privacy, technology modernization, globalism with the Internet’s expansion for structured communications, global cooperation and interoperability along with increased bad actors because of Internet users quickly growing. This is the reasoning behind discussions surrounding business intelligence BI, human resource management behavior analytics big data cloud, grid and all matters surrounding spectrum, national priorities and intelligence.

Our objective is to remove all objections within the hiring process. One measure is to work within the framework of government and industry compliances and standards. I posted my response to you in the column's comments section. I hope that he will read it and realize he could potentially burn numerous bridges, which he will need for modifications to current policy standards.
Everett Vinzant Funny, I just used this in the CISSP class I taught:

"Oh, you're proud of your SANS certification? Why is that?"

* didn't have to study for the test, you had your materials with you IN the test.

* don't have to have any time OTJ IN the security field?

* a college degree (in some cases)?

* NOT having to update your skills (and get CEUs) to maintain some semblance of validity?

* no third party involved in attesting to the validity of facts supplied to the central authority?

Yeah, that's SOOOOOO much better than the CISSP ;)

I could write this same article with the title "Your SANS (insert specific cert here) is Worthless - So Now What?" I could illustrate how someone with a SANS based cert wouldn't know how to do physical site security for a data center, wouldn't be able to write security policy, wouldn't know the basic legal ramifications of the security policy they are recommending, and in short would be completely worthless.

Let me ask, how are SANS certs better than OSCP?

We could sit here all day with our Stanley 50' talking about size, but when it comes down to it, certs do one thing. Create a minimum expectation. Anything above that is a failure on the part of the person expecting something more.

Nothing to see here... move on.