Saturday, August 25, 2012

Help fix the CISSP

I got my CISSP in 2001.  Times were different back then.  I wanted a non-vendor security certificate because that was what I was doing and that seemed to be the only game in town.  The only other security certs I knew of were vendor ones, firewalls, etc, which I had already.  There were no books or study guides you could buy at the book store.  There was one book you could buy directly from the author, which I did, but it was unreadable garbage and totally worthless.  Getting a CISSP without taking any training seemed daunting.  So what I did was searched the Internet and found HTML formats of some presentations that looked to be some basic training.  I read those and made my own study guide based on the information that was totally new to me. Stupid Orange Book levels and physical security terms that I have never had a use for to this day.  But whatever.  The economy sucked in 2001 (by standards up until that point anyway) and I had two weeks of unpaid vacation I had to take.  So I took them before the test and studied every day.  I was really trying hard to pass this test, one I heard was very hard to pass especially without taking the training.

So I took the test and I was done in about an hour and I felt like I just wasted those two weeks.  It seemed very easy to me.  I couldn't believe it.  Yes there were some Orange Book and CCTV questions, but I really only needed to study for that for a few days.  I really over did it.  But whatever, I passed (so I found out weeks later) and life is good.

Now over the past decade or so since then here is what I have noticed:

  1. The worst security  professionals  I've ever met had a CISSP
  2. Most of the really bad security  professionals I've met had their CISSP
  3. I've met a lot of CISSP's that had no real world security experience and were using the cert to try to break into the industry, some have never even worked in IT
  4. A large number of really good security professionals don't have their CISSP
  5. I personally know a lot of people who have taken the test, and I have yet to every meet anyone who hasn't passed it, I'm not sure anyone fails it 
It turns out I'm not the only one that has noticed those five things.  This has lead a to a large number of leaders in the security community to call out the CISSP as worthless, or worse.  It doesn't give any assurance that the holder of the cert is competent or experienced.  Heck, it doesn't even do the job of establishing a common language in our community.  What this means is the cert is getting less valuable, which is bad for everyone that has it.  And I think bad for the industry, I think a generic cert like the CISSP could ad a lot of value if done right.  I know others disagree, but I'm an optimist.

What this means for you:  
If you don't have a CISSP, don't get one until this is fixed!  Seriously, stop using it to try to get a job.  If you have a job, look elsewhere to advance your career, you won't learn anything worthwhile getting a CISSP as it is today.  

If you do have one, then vote for new leadership!  Go here:  and sign the petition for those four fine people who are looking to fix these problems and when the time comes vote for them, and only them.  And every time you get those elections emails from the ISC2, don't ignore them.  Look for reformers and vote them in.  It make take some time but let's get enough reformers on the board to get this cert and all certs by ISC2 fixed!

First Blog.

I'm starting a blog and we will see how it goes.  This is going to be a professorial blog, not a personal one.  My goal is to blog about security architecture, leadership, and pen testing.  All three are topics of great interest to me and areas I feel I have knowledge and the ability to contribute to the greater good.  I'll also blog about the security industry in general.  Enjoy.