
Friday, June 20, 2008

My reply to the Article about CISSP certification


I posted this reply to the article about CISSP certification (http://www.tssci-security.com/archives/2008/06/19/rip-cissp/#comment-7927) at TS/SCI Security.

Well, I wrote an article in 2002, when the certification craziness was at its highest point (http://www.rtek2000.com/Good/Why_we_have_to_fight_with_hypes.pdf). If you spend 10 minutes reading the article, you will understand my point regarding who particularly benefits from all 5000 existing certifications. It is still the case, with some exceptions. I have been an employer and I am an employee, so I know both sides of the job market. There are many cases when a certification is a big plus if you want to be hired for certain positions, and as much as I don't like certifications, I have to admit that I have a few, including the CISSP, which I got last year.
While I was learning the material for about 4 months, my horizons expanded. I learned about risk management, disaster recovery strategies, and cryptography. I know for sure that I would never have touched those topics otherwise. The CISSP certification is intended mostly for managers who plan security and risk management within their firms. It is not in any way a substitute for hands-on experience. In fact (and many folks know it), the CISSP certification covers the 10 CBK domains at about two inches of depth but two miles of width (a little bit about everything). So we are talking about generalists here, not hands-on professionals. If you are talking about hands-on knowledge, it has nothing to do with it.

Why did it become a popular certification? Mostly due to good marketing by the ISC(2) marketing team. They were able to penetrate the DoD to make the CISSP a standard for any security professional. All other vendors, including CompTIA, failed to reach such a degree of popularity.
I passed the exam to prove something to myself, and currently I have no benefits from having it, in addition to the $500 exam and the $85 yearly fees. But you'd be surprised that my resume with the magic letters attracted many job recruiters. The CISSP certification may bring some benefits to job seekers.

Feel free to look for CISSP certification resources here: http://www.rtek2000.com/courses/CISSPresources.html

1 comment:

Patti said...

First off, thanks for stopping by my blog!

I didn't really get the opportunity to see much of college as my parents died when I was young. I was good with computers (my dad bought my first real one when I was 11, but I had been working with smaller ones long before that) so I jumped right into the work force. At my second job (back in the days when companies hooked straight up to the internet without a care in the world) I was assigned the task of building my employer's first firewall; and that was my start in the security world. Although I do go to college part time in the evenings now, pretty much everything I've learned in my 12-year career has been self-taught and trial and error.

I've known for some time that I would eventually be held up because I don't have a degree, so that was my motivation for sitting for the CISSP. I thought (and my husband agreed) that while I don't have a degree to my credit, passing the CISSP exam would help me get just a little farther before hitting the wall -- and it gets me firmly into the DOD requirements for IT security subcontractors.

I was initially afraid to register for the exam because I was viewing the results as a reflection on me and my skills; but eventually came to realize that it truly is 50 feet wide and 1 inch deep. I know a lot of very smart people who have failed the exam multiple times, and know of some really stupid managers who passed on the first try. This week I realized that passing or failing wasn't really a reflection of me and my ability to do my job (currently as a Common Criteria evaluator and consultant) but of my ability to properly select the correct "perfect world" answers. Regardless of whether I pass or fail, I'm good at my job. My employer knows it, my co-workers know it and my husband knows it... and that's all that matters, right?

(But I do think I passed. :) )