
Friday, June 20, 2008

My reply to the Article about CISSP certification

I posted the reply to the Article about CISSP certification http://www.tssci-security.com/archives/2008/06/19/rip-cissp/#comment-7927 at TS/SCI Security.

Well, I wrote an article in 2002 when the certification craziness was at its highest point (http://www.rtek2000.com/Good/Why_we_have_to_fight_with_hypes.pdf). If you spend 10 minutes reading the article you will understand my point regarding who in particular benefits from all 5000 existing certifications. It is still the case, with some exceptions. I have been an employer and I am an employee, so I know both sides of the job market. There are many cases where a certification is a big plus if you want to be hired for certain positions, and as much as I don't like certifications I have to admit that I have a few, including the CISSP that I got last year.
While I was learning the material for about 4 months, my horizons expanded. I learned about risk management, disaster recovery strategies, and cryptography. I know for sure that I would never have touched those topics otherwise. The CISSP certification is intended mostly for managers who plan the security and risk management within their firms. It is not in any way a substitute for hands-on experience. In fact (and many folks know it) the CISSP certification covers the 10 CBK domains about two inches deep but two miles wide (a little bit about everything). So, we are talking about generalists here, not hands-on professionals; if you are talking about hands-on knowledge, it has nothing to do with it.

Why did it become a popular certification? Mostly due to the good marketing by the ISC(2) marketing team. They were able to penetrate the DoD to make CISSP a standard for any security professional. All other vendors, including CompTIA, failed to reach such a degree of popularity.
I passed the exam to prove something to myself, and currently I have no benefits from having it, on top of the $500 exam and $85 yearly fees. But you'd be surprised that my resume with the magic letters attracted many job recruiters. The CISSP certification may bring some benefits to job seekers.

Feel free to look for CISSP certification resources here: http://www.rtek2000.com/courses/CISSPresources.html

Tuesday, March 20, 2007

Going for a Big one

I remember the time when the CISSP certification was criticized by my staff instructor, who actually was one of the first who passed this "tough nut" exam. His argument was that the exam is removed from the real life of security practitioners and geared toward management staff only; that the exam tests a crazy collection of knowledge from various (not always related) disciplines; that the exam tests not only your background but rather your ability to memorize a huge number of abbreviations of IT protocols, technologies, law definitions, terms, etc. At that time, we developed our own security training course, and later, we preferred the SCNP exam as the one that checks hands-on knowledge, the knowledge that really matters in the real world of the cyber war (I hope you agree that this war is a matter of fact).

Well, time has changed our perceptions, because the CISSP exam became the number one exam in the cyber security world. I assume that several factors contributed to this change. First of all, back then, in 2000, we had no idea what could happen in just one year: the major attack in NY. This factor was the most important in the growing popularity of the CISSP certification.

Also, more and more companies realized that protecting their infrastructure and IT resources had become task number one. It is obvious that expertise in this area is required unless you want to outsource this matter to a third party. It wasn't 100% safe to rely on someone (even with enough expertise) if you really care about your business. So, many companies tried to hire security experts to solve the problem internally, so as to control the process to a higher degree.
The first pros who were hired: hands-on gurus in the cyber protection area who knew firewalls, routers, sniffers, and were good LAN/WAN troubleshooters. As always happens, the HR departments began to look for a definition of the professional level for this tough job. Unfortunately, the reality is that none of the HR people know anything about information security, and as has happened in the past, the certification became the definition of the professional level. Not the hands-on knowledge, not the real-world experience, not the achievements, but one exam made the difference (see my article about IT certification hype written in 2002).

I have to admit that the folks at (ISC)2 were smart enough to push their certification up to the point where the Department of Defense required all security professionals who work for DoD to be CISSP certified. Even Alan Paller and Steve Northcutt from the SANS Institute were not able to push their GIAC Certification Program hard enough (and those guys are good entrepreneurs and are pretty successful). So, the CISSP certification became a mainstream certification in the security world, and the de facto standard.

Many folks around the world are jumping on this wagon and trying to pass one of the toughest certification exams. Just imagine: 250 written questions, 6 hours, $450 per test, and 10 security-related domains (including a domain on criminal/cyber law!). The collection of knowledge required to pass the exam is described as being "2 miles wide and 2 inches in depth".

Well, considering that the value of the CISSP certification today is higher than ever before, I have decided to go for a Big one, too. I have to admit that during my study I gathered some useful knowledge that "widened my IT horizon". For instance, I was never interested in finding out in depth what technology Microsoft uses for authentication in Windows 2003 server, beyond knowing that it's called Kerberos. I even learned some pieces of criminal law that might help in better understanding one of those lengthy TV serials about crime investigation (as Shon Harris mentioned in her DVD-based training course).

Only 10 days left for study, and I am overwhelmed with a stream of information that I must memorize. It's not hard to understand, but to memorize...

Wish me good luck and strength for 6 hours on March 31st!

I will add more information to this topic later. So far, if you are interested, reply to my blog with your certification-related questions.

Best to all of you (but spammers)!

The Cyberteacher