2002-03-13
In which your intrepid columnist hands over $450 to sit for the CISSP exam, only to conclude that it measures little of value.
A Certified Waste of Time
2002-03-13
Anonymous CISSP (2 replies)
A Certified Waste of Time
2002-03-13
cray@ttlunlimited.com (1 replies)
CCIE-Security & Cisco Security Specialist 1
2002-03-16
teLi, CCNP (5 replies)
Pass it and respect it. Do not pass it and blame the test.
2002-03-14
From someone who doesn't know anything but it is a CISSP
A Certified Waste of Time - How closed minded can you get
2002-03-14
Eric, CISSP CCIE CNE MCSE ACE CCSE (3 replies)
It's so easy to criticize, Isn't it?
2002-03-14
Dr. Mike Ewing (2 replies)
A Certified Bunch of Crybabies...
2002-03-16
Mr. Andre Robitaille, I wonder how many acronyms I can put after my name? (1 replies)
A Certified Bunch of Crybabies...AND Talk about Anally Retentive!!
2002-03-25
Dr. E. W. c.r.t.f.q., c.b.o.h.i.c.a, c.w.g.a.s., cv43, LEO
Beware Of Consultant Like Jon Lasser
2002-03-19
Scott Sattler (4 replies)

Personally I can say that going through the process and getting certified has made me a better security consultant. Before the test I was deeply immersed in my area of focus and had far more technical knowledge and depth on the subjects I liked. The common bodies of knowledge I had an intimate acquaintance with were not challenging and could not determine whether I was an expert or not. Getting a broad understanding of all the 10 domains (specifically the ones I rarely have contact with) made me step back and take in the big picture. I think a lot of people in the security industry are too quick to fixate on their forte and lose sight of the big picture. Too often we lump ourselves into the:
I'm a firewall guy
I'm a network security guy
I'm a pen-tester
I'm an IDS watcher
I'm the scary unix security guy (I have the doc martens and pony tail to prove it)
When originally looking at the 10 domains I thought "BC and DR? bah! Policy Development? yeck!" --- sure I may not get excited about all aspects of security but understanding how it all fits together improved my focus areas.
Maybe your forte is unix security. How well you know and implement Unix security won't save you when the backupexec account on your company's NT domain has the password of "seagate."
You might have every patch and every buffer-overflow accounted for. You might be up to date with every 0-day sploit that affects your unix world. But when your company's poor password policy allows an attacker to crack every password your organization uses from that overlooked backupexec account ... and when that attacker uses your cracked password or someone else's to ssh right on in... good unix security or not... game over.
I don't think there is "one" security Cert that is the be-all end-all. However if I was hiring a Firewall guy I'd pick the one with the CISSP/CCSE over the 'I memorized phoneboy and can tell you every Nokia IPSO quirk' guy. The firewall guy with the CISSP might have a clue that a firewall by itself does not equal security. The firewall guy with a CISSP will appreciate the fact that if a firewall isn't backed up with a sound policy, it's no longer a firewall. It is expensive Swiss cheese.
I'm glad I went through the CISSP certification process. I know a lot of people in this industry that need to come up for air and learn about how everything affects security. I know that I look at things differently now. I'm not worried about anyone thinking I'm not technical because my business card says CISSP.
--Aaron Higbee, CISSP
Network Security Consultant
Lucent Technologies, McLean VA
Link to this comment: http://www.securityfocus.com/comments/columns/67/10999#10999