As the overpriced beers flowed and dusk approached in central London pubs surrounding the venue of RSA Europe last week, talk often turned towards the (ISC)2 security certification body. (ISC)2, which administers the widely recognised Certified Information Systems Security Professional (CISSP) qualification, was "a waste of …
Waste of space and my money
Was CISSP for 6 years, return on investment zilch. To keep up the CPEs you have to attend expensive courses because you cannot sensibly get the CPEs from other sources, such as vendor presentations which just waste everyone's time unless you are going to use their product, or reading books (1 book a year can only count).
Did the MSc in InfoSec at Royal Holloway instead, great foundation in information security and the networking afterwards keeps you up to date far better than scraping round to gather CPEs. I agree the (ISC)2 are out of touch, I meet committee members from time to time and their focus is on increasing membership, not infosec issues.
Your whisky identification guide.
Jack Daniels, quoted multiple times in the above article, is a variety of bourbon, while Jack Daniel is a ZZ Top lookalike and much-loved infosec community figure.
There is no benefit to being a CISSP unless you are actively looking for an infosec job where the recruitment is being managed by someone with little or no knowledge of infosec.
Re: No benefit
So in short, anyone looking for an infosec job needs a CISSP. God knows most HR departments have no clue about the profession aside from worthless bits of paper.
Most annoying certification on the planet...
So as an Infosec professional of (too) many years standing, I have to congratulate ISC2 on their brilliant strategy in pushing CISSP as the one cert to rule them all...
I'm constantly fascinated by the obsession of recruitment agents with this particular certification, above experience and other actually useful certifications. I've even been asked, "So you've got 20 years experience, all these SANS/GIAC certs and a CISM, but do you have a CISSP?"... You can imagine what my reply was!
I was even more fascinated when many years ago someone showed me their Australian Visa application form where you can get extra points for having one... On what planet does that make any sense?
In 20 years of working in the industry, I have seen a lot of trends come and go, but hats off to ISC2, they've managed to maintain the CISSP = Security trend far longer than I ever thought possible...
I have never had one, I will never have one, I decided a long time ago that I will only do certs from organisations that I feel contribute to the industry (hence SANS/GIAC and ISACA) and not ones that are just self-perpetuating nonsense...
I will always associate CISSP with that horrible period in the industry when it all went very compliance oriented and all these little CISSP monkeys were running around talking about "controls" without a clue between them of how to implement one...
Re: Most annoying certification on the planet...
There were "monkeys" like me who knew how to design, implement, monitor and test controls, but the overlords prevented us from doing our job as they bowed to the control-averse clients who paid more for ignorance and wiping audit reports clean.
That was pre-Arthur Andersen failure; pre-bank bail-out; pre-B Madoff. The beginning of the end was in 1993 when The Associates announced the end of compliance-oriented audits and proclaimed that each department would now "assess themselves."
It's a racket.
These schemes normally start with a handful of founding members promoting a high degree of assurance (and an implied commitment that the pool of members will be small and therefore certification will be perceived as valuable), they tend to grow quickly and eventually become totally fee-driven. At this point the scheme fragments and an alternate body is established by dissatisfied members of the first. This cycle then repeats every few years.
Don't take my word for it, I've only been around in the industry for 20 years, try this guy:
“I’ve met too many bad security professionals with certifications and know many excellent security professionals without certifications.” - Bruce Schneier, Cryptographer & Author.
Great little piece on the "value of certification"
Section 2 (specifically 2.2) of this white paper, which talks about certifications and their usefulness, gave me a chuckle.
CISSP helped me a lot ... in 1997-2004
Earning the distinction of being one of the first female CISSPs in Chicago in 1997 was a heady thrill, and the designation got me in the door of Fortune 500 companies many times. But the lack of industry respect for audit and IT controls and risk management has reduced respect (and, from the sound of it, ethics) all across the board since. That's too bad; I was thinking of re-certifying.
I'll just dust off my solid wooden CISSP Certification plaque and proudly display it as I would an old yearbook or band camp ribbon...