
What if everyone let his (or her) CISSP lapse? - gapanalysis
http://securityskeptic.typepad.com/the-security-skeptic/2011/08/what-if-everyone-let-his-or-her-cissp-lapse.html
======
tptacek
I'm reasonably sure nobody at Matasano has a CISSP. I'd be surprised to hear
they have certs of any kind.

At the high end of information security, these things do not matter at all.

~~~
Charde
Disclosure: I have a CISSP (previous employer paid for study / exam).

I would agree that within technical circles, the CISSP is not worth much at
all (in certain crowds, it's harmful). If you're well-connected in the
industry when job hunting and you have a known body of work, there's little
benefit.

Rightly or wrongly, though, it still holds pull with recruiters and
management. Getting the current de facto seal of approval from a third party
saves them the effort of having to make an initial skills assessment
themselves. Buzzword-filtering corporate recruiters lap that stuff up.

I know that I've seen a lot of job ads which (wrongly) ask for a CISSP as a
requirement. Additionally, when I went to work in Japan, the CISSP formed the
centrepiece of evidence in the work visa application as to why I was an
"expert" they needed to go overseas to hire.

~~~
tptacek
Normally I'd be squeamish about talking down a credential that many of my
clients might view as instrumental to their careers. But in this job market
(and by "this market", for security pros, I mean the last 3 years), it's
simply unnecessary. It should be possible to get a job in infosec at any level
of your career in 2011.

It is actively harmful to hold a CISSP in the field of software security
(which is where we work), but we're all a bunch of douches.

------
16s
I'm an ISO (Information Security Officer). I am responsible for IT security
for a large organization.

I don't have a CISSP, although most other ISOs I know do. I've worked in
security for about six years. It's a real mixed bag. Some ISOs are just high-
level managers, while others are much more hands-on and technical. I do have
several SANS GIAC technical certifications, although I don't consider those
better or worse than a CISSP. Certs are really just a requirement if you want
to work in IT security.

Like all certs, the CISSP is not a good measure of practical knowledge. I've
met hundreds of people who hold various certs and various degrees. And none of
that really matters.

What matters is prior computing experience and interest. Have they coded? What
languages? Do they have a real interest in general computing? Can they show
code they have written? Do they have github accounts (or similar)? Have they
been a sys admin or network admin? Do they know OS fundamentals (file systems,
user accounts, IPSec, firewalls, logging, shell scripting, etc.)?

If you find someone who has that past computing experience and a keen interest
in general computing, and who has a college degree (major doesn't matter) and
who holds a CISSP or SANS GIAC certs, then they'll work out great. But you
don't want to hire the guy or gal with an MBA and a CISSP who has never
administered a system unless you're only looking for a manager and you have
security analysts/engineers to do the heavy technical lifting.

And I think this is where the problem comes in. These kinds of people (MBAs
with no experience) are hired, then when the sys admins and other technical
staff meet them they are shocked and amazed at how little they know about
general computing and wonder how on earth they're going to "secure" systems
when they've never installed an OS or configured iptables/pf or brought up a
SPAN interface on a Linux box running snort or sent a PGP encrypted email
message. In these cases, you have to have analysts and engineers to do the
actual work and the managers can do the policies/documentation/audits.

So it's important to be very clear on the technical requirements and
expectations (if any) of the security positions. You don't want to find out
later that your "security guy" doesn't know what a bit or byte is and has
never heard of IPv6 and thinks it has something to do with car engines.

Just my experience.

~~~
gapanalysis
Good points. I think setting expectations is critically important. I see a lot
of oversell in certification programs (this certification proves you are
elite) and too much blind acceptance of the oversell. These are serious
problems.

------
radioactive21
"What I want from the CISSP or any certification program is that it be hard to
pass."

On exam difficulty, try CCIE certification. There are two parts, the written
($350 per attempt) and then the lab part, which costs $1500 per attempt.
The lab part has a 26% pass rate over the history of the exam. In comparison,
the CA Bar exam has a 35% and 55% pass rate, which is the lowest in the US.

You also can't just take it anywhere, you have to travel to a designated lab
testing center, and depending on where you are that means cost of travel and
lodging.

------
reduxredacted
I thought about this one for a little bit and threw it into the bucket of
"well, most certifications are worthless", but I don't think I fully believed
that.

Our security team consists of individuals that I would consider _great_ and
folks that do some of the leg work required of a security department at a
large company. We have folks who audit and provision access, a job that would
require knowing the basics of RBAC most of the time.

I think the point this article is making isn't entirely correct. I've yet to
find a _test_ that magically ensures that someone is competent, be it a large
number of tests required to pass a degree program or a single test required to
pass a certification. It is part of a broader picture. A resume with zero
experience/visible work that includes a degree in CS is going in the bin
unless it's a person targeting an intern position. A resume with zero degree,
a few years of experience and solid examples of their work is going to get
attention (and depending on the work, it won't matter if you have traditional
corporate experience).

In InfoSec it's possible to get the equivalent. Companies who care enough to
fix the problems in their software grant credit that can be cited in a
resume/CV. Some will pay bug bounties if you find a vulnerability and follow
their disclosure requests.

~~~
gapanalysis
I'm not sure that the article really tries to say that a certification is a
magical elixir. I think he's saying that they are sold as being magical. I
also think he's intentionally calling attention to qualities and criteria that
are _not_ easily measured. But that's my read.

------
Maven911
Even though people consider the CISSP cert useless, it is still better than
the current alternatives. Security+ and CEH are even worse. Though it is
no excuse for not having a useful cert because all your "competitors" are
worse...

~~~
m0nastic
I disagree that being less shitty than the other shitty certifications is a
vote for getting a CISSP.

Whenever people ask me if they should do it, there are pretty much two
instances where I recommend it:

1.) You work in corporate security (maybe a CISO, or work for an internal
security group within an organization) where you will actually have to deal
with security across the many domains that the CISSP covers. Depending on
where you work, it might either be required or strongly encouraged. In which
case, I'd say, knock yourself out.

2.) You're looking for a job. There are a lot of places that list it as a
requirement for a job, as it's one of the few things a recruiter or HR person
can flag a resume for. Now, you might say to yourself "I'd never want to work
for a place where they actually considered having a CISSP a requirement", to
which I'd reply "Good for you, you've moved along the path of security zen".
But the reality is, people need jobs. So if you need a job, and this is
something that could get you a job (even a job that grizzled security veterans
would sneer at), have at it.

Infosec is a young industry (birthed from a very anti-corporate community),
and there isn't anyplace that any large number of people consider
authoritative enough to offer a certification that isn't considered laughable.
That may change in the future (it'd be nice), but I wouldn't bet on it.

If you're really just looking at getting a CISSP to get a job, however, I
think you'd be much better off becoming a PCI QSA. You'd pretty much never be
out of work. Weigh that against what doing PCI for a living does to your soul.
Everybody needs to make that decision for themselves.

So the plus-side of having a CISSP is if you're looking for work, and the
downside is attracting the ire of the security community (which may or may not
bother you, depending on where you hang out at nights and on weekends). Also
having to pay to keep it current, and not associating with any evil hackers
(while at the same time having to submit CPE credits for attending conferences
put on by evil hackers).

~~~
tptacek
... on the other hand, since PCI QSA status only helps you if you work for a
company that _does_ PCI audits, getting that test might be a ticket to a
pretty miserable job. It's not like a CISSP, which might help you (but won't)
in a variety of different companies.

~~~
m0nastic
That is true. I think being a QSA would be a nonrefundable ticket to a
miserable job (although I know some folks who came from doing government C&A's
who are happy doing it).

I just meant that if it's really just a situation where having a job is more
important than what that job is, I think you'll have an easier time finding
work as a QSA.

EDIT: Actually, you know what, even with that said I retract my suggestion.
You'd have to already be working for a company that is approved to even get
your QSA, in which case it's not really applicable for a general person
looking for a job. And it's terrible work.

------
camiller
I had to Google what CISSP meant. Which perhaps answers the question?

~~~
tptacek
Anyone who does infosec professionally knows what the CISSP is, but this
article is definitely too narrow for HN.

