Martin McKeay

Security Matters

Devaluing the CISSP

Is the CISSP going the way of the Dodo?  Or at least going down the same path of devaluation that has haunted the MCSE for some time?  I don't think so, but Sean Walberg seems to think so.  The ISC2 is working on a program that will allow colleges to teach the 10 domains that are covered by the CISSP exam.  The students will be allowed to take the CISSP exam and if they pass they will become Associate CISSP's with 5 years to accumulate the experience necessary to be full-fledged CISSP's.  I think Sean is 100% wrong on this subject and that these courses will actually strengthen the CISSP certification.

The MCSE became a target of derision shortly after it was first created because the questions on the tests became public knowledge.  Anyone who had a good memory for unconnected facts could visit a brain dump site and pass the tests with relative ease.  A number of one-day 'cram-and-pass' classes allowed people to learn all the answers and take the tests on the same day.  The MCSE became known as "Must Call Someone Else" or "Minesweeper Certified Solitaire Expert".  Many people were able to pass the test by rote, not because they actually understood the technologies or theories behind the questions that were asked on the test.  Microsoft is still fighting the damage done to their certification to this day.

I've held the CISSP for over three years now, but shortly before I became a CISSP, I took (and passed) the CCNA exam. The local junior college offered two semesters' worth of official CCNA preparatory classes, which I took full advantage of. I'd been a systems administrator for several years already at that point, but I knew there were holes in my knowledge that books couldn't adequately fill. The CCNA courses filled many of those holes, and rather than making me a weaker CCNA, I believe the hands-on experience made me much stronger than I could have been on my own.

Will some of the Associate CISSP's try to pass themselves off as full-fledged CISSP's?  Probably, but those are the same people who would try to pass themselves off without ever having taken the test.  Which means that this is not really much of a concern for the Associate program, or at least no more of a concern than already exists concerning false CISSP's.  I think that the value of a long term commitment to education far outweighs the concerns over possible fraud on the part of the students.

I'm not worried about this program devaluing the CISSP. I think it will actually strengthen it by providing the students a firm grounding in the realm of security before they go out to work in the Real World. Even if they never gain the experience required to become full-fledged CISSP's, we'll have a crop of students who at least have the knowledge to understand security concerns, which is a lot more security knowledge than most colleges are teaching right now.

What People Are Saying

You said that you took your CCNA course while doing work as a systems administrator, which I think helps make my point.

I think that the study of the 10 domains should happen alongside work experience. As you found out, it enhances your learning. Studying the 10 domains without ever having worked in the field amounts to learning a bunch of facts. Why not teach them something they can use more directly out of school?

On the experience front, if you consider entry level experience as valid for the CISSP, then it will become an entry level cert. The (ISC)2 has guidelines on what's considered valid, many centered around supervision. Who is going to get a job fresh out of college as a senior security manager?

Take care,

Sean

Martin,

I just wrote in my blog a kind of "tongue-in-cheek" post about certifications and the experience needed to get a job and needing a job to get the experience. And though I had not really thought this to be a big problem, (ISC)2 really takes care of any argument I have by coupling the five-year experience requirement with the courses. Like I said in my post, the issue with the CNE and the MCSE was that you could pass the test and yet have no experience. Hence, a "paper-CNE" or "paper-MCSE" was getting to be the norm.

I think this is a great idea, and I think it will cause an upsurge in quality security professionals in the years to come.

Great post.