2002-10-23
As security certifications become more plentiful, they are losing their real value.
Certifiably Certified
2002-10-23
Anonymous (3 replies)
Whole lot of useless words
2002-10-24
Anonymous (2 replies)
Certifiably Certified
2002-11-05
Bob Radvanovsky, Certified Technological Sanitation Disposal Engineer (CTDSE)
And another thing...
2002-11-05
Bob Radvanovsky, Certified Technological Sanitation Disposal Engineer (CTDSE)

My motivation for taking the CISSP was to show that I knew a lot on security. I didn't really study for the exam because I figured that I should know enough with my experience, which turned out to be true.
When I saw that book, I came to realize that the CISSP was becoming just like an MCSE, worthless as an indicator of true knowledge. "You too for the price of a book can get your CISSP certification."
If I had my way, I guess that I'd follow a plan like that for a Professional Engineer (PE). A hopeful PE must first graduate from an accredited school with an Engineering degree. Second, the potential PE must pass the Engineer-in-Training (EIT) examinations. Then, after four years of on-the-job training under a licensed PE, the soon-to-be PE will take another practical exam. After passing all of this, the person is now a PE.
A true Security Professional should pass something similar to a PE. They should demonstrate that they have some level of knowledge either through a degree or experience. Second, they should take a battery of exams to demonstrate some basic knowledge. This is where the current CISSP exists today.
But a true professional should continue on after the exam to practice the skills under a mentor for a number of years. This would be like a journeyman under a trade. Then I'd pass this person through either a board of Security Professionals or a practical exam (not multiple choice) for an understanding of the person's true knowledge on how to design/develop/operate security measures in real world situations.
This is what the industry really needs. The current CISSP should be used to show that the person is wanting to make computer security a profession. However, it should not be an indication of any mastery of the area. The problem is that it seems that HR folks look at CISSPs as masters of the subject.
My .02
Link to this comment: http://www.securityfocus.com/comments/columns/118/16970#16970