
, 2002-03-13
In which your intrepid columnist hands over $450 to sit for the CISSP exam, only to conclude that it measures little of value.
A truly meaningful certification would be more specific, concentrating on a single job function or area.
For more than three hours, I filled in little bubbles with a number two pencil and gnawed nervously at my fingernails. I was taking the CISSP certification exam, from the
While I would guess that I passed the exam (I'll find out in a few weeks), overall I was not impressed. If you want a test that proves that the taker has absorbed a large body of largely meaningless and mostly irrelevant data, this does the trick.
The test consists of 250 multiple-choice questions (twenty-five of which are being tested for future exams, and are not scored) taken from ten "security domains," that collective form what the organization calls the "Common Body of Knowledge" (CBK) -- a very broad, but very shallow, overview of computer security that the (ISC)^2 Web site claims "is a compilation and distillation of all security information collected of relevance to Information Security."
That's quite a tall order. But even if all security information could be distilled into a body of facts, it would be of use to almost nobody.
And that's the problem with the CISSP test. The facts on the exam are the wrong sorts of facts: things that should be looked up in books when necessary, because they're not relevant on a day-to-day basis. If I need to know how many rounds are used by the DES cipher, I can look it up.
Passing the test does not demonstrate in-depth technical knowledge in any of the security domains: a CISSP is not necessarily qualified for one job or another. The abstract "security expertise" upon which the CBK is premised would not suit an intrusion analyst, a VPN designer or a security-conscious system administrator. I certainly wouldn't hire a professional to audit my systems on the basis of the certification.
Nor would I look for the certification in hiring a manager of security professionals. To be sure, a broad base of security knowledge is needed by managers who deal with information security issues, but they least of all people should be concerned with the sort of detail present on the test: not even the most anal-retentive manager needs to know the number of rounds in the DES cipher.
I should point out that the "number of rounds of DES" was a question I had on a practice test, and is not one of the questions from the exam, which I'm prohibited from revealing. This is one of the big laughs about the test for me: they're practicing juvenile cloak-and-dagger security through obscurity. They make you sign a sheet of paper saying that you won't discuss the questions on the test -- not only when you're taking the test, but afterwards as well.
You don't even find out what your score was, only whether or not you passed, they won't admit to scoring on a curve, nor will they share the "passing score" if there is one -- as though these measures will protect the test.
In my experience, this sort of test rewards people who are good test-takers, and who can absorb a large body of free-floating facts and pseudo-facts. The CISSP exam is too broad to demonstrate suitability for any particular job.
A truly meaningful certification would be more specific, concentrating on a single job function or area, and would have some way to measure the broad problem-solving ability which seems to be the single most important qualification for security people.
One advantage promised to test-takers by the (ISC)^2 is that it is a "career differentiator," but at the test I took, I would guess that there were 100 candidates for the test. The test is given at a number of locations every month --- nearly twenty-five tests are scheduled for April alone. If thousands of people a year get the certification, soon it ceases to differentiate.
In the meantime, of course, the (ISC)^2 and the sites that administer the test get $450, plus the proceeds from whatever courses people take from them to prepare, plus sales of books, review materials, and the rest of it.
Why would a company specifically want to hire a CISSP? The Web site claims, among other reasons, that the CISSP exam "Provides a solutions-orientation, not specialization, particularly with the broader understanding of the IS CBK." Does that clear things up?
Perhaps corporations looking to hire CISSPs are aware that they are unable to evaluate computer security professionals, and are looking to offload some of that burden. But "solutions orientation" is not enough: companies need to evaluate the specialized skills relevant to the open position. The CISSP fails them in that regard, while helping few professionals in any other visible respect.
People whose careers are tied directly to certifications in general or this certification in particular should take the test: if your job requires the cert, or if it will get you a raise, you should absolutely go for it. If not, I would think long and hard before signing up and handing over your money.