I have a CISSP and I found that what was useful in getting it was the study beforehand. I took a weekly course for 12 weeks and by having an ordered view and review of Information Security, I was able to put a framework around the field. So the discipline of learning the facts to pass the test was very useful.
But the test didn't really cover security understanding, but knowledge of conventions and conventional wisdom.
I agree with John that a CISSP does not really differentiate security savvy people from good test takes.
The SANS GIAC courses on the other hand do require in-depth analysis of real problems to acquire. So does the Cisco CICE. Multiple choice test can never reveal ingenuity, resourcefulness, creativity since they, by definition, test already known answers.
It is a bit like the study of NP problems in Computer Science. If you know an answer, it is pretty easy to prove it correct. But finding that answer in the first place is hard.
ISC2 has revised the qualifications for CISSP a bit for next year, now requiring a B.A or better. But this still doesn't test whether somebody "gets it" in security, it just restricts the test takes to a smaller set.

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/columns/67/11140#11140