I'm not a CISSP, and I haven't taken the test yet, so I can't assess the quality of the questions. What I would say, however, is that I don't think the CISSP is meant to be (or is advertised as) a highly specific network security or application security or perimeter defense or any other kind of technical security certification. It's supposed to be a process certification. Look at the CBK - cryptography and network security are part of it, but so are law and ethics and security policies and operations security. Jon touches on the point, when he says the certification would be more appropriate for a manager. Unfortunately, he seems to think it stops there.

Some infosec roles are mostly technical. Other certification programs may be more relevant to a given position. For example, a firewall/VPN engineer might be better off pursuing a GIAC (www.giac.org) GCFW certification, which includes a practical exercise, to go along with a multiple choice exam. But like they say, security is a business process, not a product. There are plenty of people who have the technical side of security down cold, but whose eyes glaze over if told to write a policy (coordinating with legal and HR along the way), who wouldn't know a change-control procedure if it bit them on the (rear end), and who have absolutely no idea when it comes to standards of reasonable care, or privacy issues, or GLBA, or ISO 17799, or HIPPA, etc., etc. Alot of managers I have met have been genuinely frustrated by this as many infosec roles require that knowledge, either as their core responsibility or to go along with the technical knowledge. Alot of those same managers accept the CISSP as showing a baseline of knowledge in areas like the ones I mentioned.

If Jon's gripe is that the CISSP is poorly written for its objectives, or that corporations aren't supplementing it with other certs, or that corperations are too willing to accept the CISSP by itself without further evaluation of a candidate, then maybe he has a point. Again, I can't evaluate the exam, but many hiring managers do have trouble with determining how much value to place on a certification (any certification). If the point is that all security certifications should be highly specific and technically oriented, then I think he's being short-sighted.

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/columns/67/10992#10992