Archive for August, 2012

Your CISSP is Worthless. Now what?

August 22nd, 2012

OK, so it’s not really worthless. It can help you get a job or a contract. But in the scheme of today’s infosec world? It’s really broken, in my opinion. Let me break down my thought process, since I’m typically pretty upbeat about things.

Over the years, I have had more than a few laughs with both clients and SANS students about various aspects of the CISSP. Few seem to *really* take it seriously. That’s a big indicator.

Second, there are far too many things in that cert/test that are completely and totally useless to 99% of us in infosec. As the Information Systems Security Professional, I do not need to know a damn thing about fire extinguisher types, fence height, or lighting. Sure, it may be interesting knowledge. But not relevant to most people’s infosec jobs, and thus extraneous in the cert.

Third, the CISSP demonstrates no hands-on skills. The test itself, completely insane in its wording and content in some cases, just makes you memorize a bunch of concepts. We don’t need many, if any, theoreticians today. I need tangible, real skills that can be put to good use immediately. You may argue that theory and research and risk and <blah blah blah> has its place. Sure it does. But I don’t need that in a cert like this. I want someone who can walk in the door and DO things. Not think about doing things. Or talk about doing things. Or answer obtuse questions about things without being able to perform hands-on tasks.

I’ve had some people tell me – “I’m proud of my CISSP.” Really? Of what, exactly?

  • Studying for a test
  • Taking and passing a long, obnoxious test
  • Doing WORK for 3-4 years (wow, welcome to a CAREER)
  • Having a college degree (in some cases)
  • Acquiring <puke> CPE credits for random bullshit-able things
  • Getting someone to attest that you are smart. And/or awesome.

People, it’s broken. HR offices are essentially discriminating against people who don’t have one, for really no good reason. This cert is ridiculous. If you have to get one for work, or compliance, or DOD 8570, or something…OK. But don’t strut around and act as though this really means you have something unique or special…you don’t. I know way too many CISSPs who can’t dissect a packet, configure a firewall or IDS, write a script, perform a real in-depth risk analysis, and so on. That does NOT bode well for the future of information security. If you argue that it’s meant to be a broad, “theory” cert – well, I argue we don’t NEED those. We need more DO-ers.

So what do I propose? I say scrap the whole thing. Start over. Build a cert and program that tests fundamental skills and means something to employers who really need things done. Offer existing cert holders one year and a free test to get the new one. Otherwise, they’re out. We need to weed out the people BSing their way through infosec on the back of a bunch of stupid CPEs. I’d love for the CISSP to mean something, and see the industry rally around it as a useful and legitimate indicator of knowledge and skill. We have friends of mine like Wim Remes on the ISC2 board, and Dave Lewis and Boris Sverdlik running for the board now. I would love to see more awesome folks like these guys steering the ship. But it needs an overhaul regardless.

Pic courtesy of Boris’ site at http://www.jadedsecurity.com.

Categories: Information Security, Musings, Rants