A Certified Waste of Time
Jon Lasser, 2002-03-13

In which your intrepid columnist hands over $450 to sit for the CISSP exam, only to conclude that it measures little of value.

This past Saturday, I felt like I was seventeen again. And, at least in this case, that's not a good thing.

For more than three hours, I filled in little bubbles with a number two pencil and gnawed nervously at my fingernails. I was taking the CISSP certification exam, from the (ISC)^2. (That's pronounced "ISC Squared," if you're curious, and it stands for International Information Systems Security Certification Consortium. CISSP stands for Certified Information Systems Security Professional.)

While I would guess that I passed the exam (I'll find out in a few weeks), overall I was not impressed. If you want a test that proves that the taker has absorbed a large body of largely meaningless and mostly irrelevant data, this does the trick.

The test consists of 250 multiple-choice questions (twenty-five of which are being tested for future exams, and are not scored) taken from ten "security domains," which collectively form what the organization calls the "Common Body of Knowledge" (CBK) -- a very broad, but very shallow, overview of computer security that the (ISC)^2 Web site claims "is a compilation and distillation of all security information collected of relevance to Information Security."

That's quite a tall order. But even if all security information could be distilled into a body of facts, it would be of use to almost nobody.

And that's the problem with the CISSP test. The facts on the exam are the wrong sorts of facts: things that should be looked up in books when necessary, because they're not relevant on a day-to-day basis. If I need to know how many rounds are used by the DES cipher, I can look it up.

Passing the test does not demonstrate in-depth technical knowledge in any of the security domains: a CISSP is not necessarily qualified for one job or another. The abstract "security expertise" upon which the CBK is premised would not suit an intrusion analyst, a VPN designer or a security-conscious system administrator. I certainly wouldn't hire a professional to audit my systems on the basis of the certification.

Nor would I look for the certification in hiring a manager of security professionals. To be sure, a broad base of security knowledge is needed by managers who deal with information security issues, but they least of all people should be concerned with the sort of detail present on the test: not even the most anal-retentive manager needs to know the number of rounds in the DES cipher.

I should point out that the "number of rounds of DES" was a question I had on a practice test, and is not one of the questions from the exam, which I'm prohibited from revealing. This is one of the big laughs about the test for me: they're practicing juvenile cloak-and-dagger security through obscurity. They make you sign a sheet of paper saying that you won't discuss the questions on the test -- not only when you're taking the test, but afterwards as well.

You don't even find out what your score was, only whether or not you passed. They won't admit to scoring on a curve, nor will they share the "passing score," if there is one -- as though these measures will protect the test.

Ponying Up the Dough
In my experience, this sort of test rewards people who are good test-takers, and who can absorb a large body of free-floating facts and pseudo-facts. The CISSP exam is too broad to demonstrate suitability for any particular job.

A truly meaningful certification would be more specific, concentrating on a single job function or area, and would have some way to measure the broad problem-solving ability which seems to be the single most important qualification for security people.

One advantage promised to test-takers by the (ISC)^2 is that the certification is a "career differentiator," but at the sitting I attended, I would guess that there were 100 candidates. The test is given at a number of locations every month -- nearly twenty-five tests are scheduled for April alone. If thousands of people a year get the certification, it soon ceases to differentiate.

In the meantime, of course, the (ISC)^2 and the sites that administer the test get $450, plus the proceeds from whatever courses people take from them to prepare, plus sales of books, review materials, and the rest of it.

Why would a company specifically want to hire a CISSP? The Web site claims, among other reasons, that the CISSP exam "Provides a solutions-orientation, not specialization, particularly with the broader understanding of the IS CBK." Does that clear things up?

Perhaps corporations looking to hire CISSPs are aware that they are unable to evaluate computer security professionals, and are looking to offload some of that burden. But "solutions orientation" is not enough: companies need to evaluate the specialized skills relevant to the open position. The CISSP fails them in that regard, while helping few professionals in any other visible respect.

People whose careers are tied directly to certifications in general or this certification in particular should take the test: if your job requires the cert, or if it will get you a raise, you should absolutely go for it. If not, I would think long and hard before signing up and handing over your money.


SecurityFocus columnist Jon Lasser is the author of Think Unix (2000, Que), an introduction to Linux and Unix for power users. Jon has been involved with Linux and Unix since 1993 and is project coordinator for Bastille Linux, a security hardening package for various Linux distributions. He is a computer security consultant in Baltimore, MD.
Copyright 2010, SecurityFocus