Tuesday, June 21, 2005

CISSP: Any Value?

A few of you wrote me about this post by Thomas Ptacek in response to my recent CISSP exam post. Tom has one of the best minds in the security business, and I value his opinions. Here are my thoughts on the CISSP and an answer to Tom's blog. (I did not realize Tom has despised the CISSP for so long!)

On page 406 of my first book I wrote:

"I believe the most valuable certification is the Certified Information Systems Security Professional (CISSP). I don't endorse the CISSP certification as a way to measure managerial skills, and in no way does it pretend to reflect technical competence. Rather, the essential but overlooked feature of the CISSP certification is its Code of Ethics...

This Code of Ethics distinguishes the CISSP from most other certifications. It moves security professionals who hold CISSP certification closer to attaining the true status of 'professionals.'"

In my book I compared the CISSP Code of Ethics to the National Society of Professional Engineers (NSPE) Code of Ethics for Engineers, which I first wrote about two years ago.

The second point of the NSPE code is "Perform services only in areas of their competence." This is similar to the following CISSP code excerpt:

"Provide diligent and competent service to principals."

My book made this comment:

"I find the second point especially relevant to security professionals. How often are we called upon to implement technologies or policies with which we are only marginally proficient? While practicing computer security does not yet bear the same burden as building bridges or skyscrapers, network engineers will soon face responsibilities similar to physical engineers."

Given this background, from where does the CISSP's value, if any, derive? I believe the answer lies in the values one wants to measure. First, the CISSP and other "professional" certifications are not designed to convey information about the holder to other practitioners. Rather, certifications are supposed to convey information to less informed parties who wish to hire or trust the holder. The hiring party believes that the certifying party (like ISC2) has taken steps to ensure the certification holder meets the institution's standards.

Second, I would argue the CISSP is not, or at least should not be, designed or used to test technical competence. Certifications like the CCNA are purely technical, and I believe they do a good job of testing technical competence. The CCNA has no code of ethics. I seriously doubt the ability of anyone without hands-on Cisco experience to cram for the CCNA and pass. Even many of those who attend a boot camp with little or no previous hands-on experience usually fail.

Third, there is nothing wrong with stating what would seem obvious. Tom reduces his argument against the CISSP Code of Ethics to the title of his blog entry: "Don't Be Evil." I agree, and I do not see the problem with expanding on that idea as the CISSP's Code of Ethics does.

So, what is wrong with the CISSP? I previously posted thoughts on credible certifications as described by Peter Stephenson and Peter Denning. Here are Stephenson's criteria, with my assessment of the CISSP. Keep in mind I think the CISSP should be a certification reflecting security principles, not technical details.

  • It is based upon an accepted common body of knowledge that is well understood, published and consistent with the objectives of the community applying it. No. The CISSP CBK looks barely acceptable on the surface, but in practice it fails miserably to reflect issues security professionals actually handle.

  • It requires ongoing training and updating on new developments in the field. Partially. The CISSP CPE requirements ensure holders need to receive training prior to renewal, but I am not sure this equals exposure to new developments. If you attend Tom's Black Hat talk, you get 16 Continuing Professional Education (CPE) credits! :)

  • There is an examination (the exception is grandfathering, where extensive experience may be substituted). Yes.

  • Experience is required. Yes. Experience is required for the CISSP, mainly in response to this 2002 story of a 17-year-old receiving his CISSP.

  • Grandfathering is limited to a brief period at the time of the founding of the certification. I am not sure why this matters, other than Stephenson needed to justify his involvement in the CIFI forensics certification.

  • It is recognised in the applicable field. Well, the CISSP is certainly recognized. Unfortunately it is often mis-recognized as a technical cert, when it should be strictly a symbol of adherence to professional conduct.

  • It is provided by an organization or association operating in the interests of the community, usually non-profit, not a training company open to independent peer review. Partially. I began to worry when I saw ISC2 offer $2500 review seminars, and now they have the Official (ISC)2 Guide to the CISSP Exam, pictured above. I am not convinced this element matters that much anyway, as I think Cisco's certification program is excellent.


I think the root of the problem is the concept that the CISSP somehow measures technical competence. The CISSP in no way measures technical skills. Rather, it should measure knowledge of security principles. It does not meet that goal, either. At this point we are left with a certification that only provides a code of ethics. That brings us back to my original point.

From a practical point of view, I obtained my CISSP four years ago to help pass corporate human resource departments who screen resumes. Back then I had two choices when looking for employment. I could either work through a friend who knew my skills, or I could submit a resume to a company with an HR department. Rather than rely completely on the former, I decided to keep the latter as an option. Getting through HR departments usually required a CISSP certification.

Does this mean I will renew my CISSP when it expires? I am not sure. If I see improvements in the certification, such that it reflects security principles, I may. If it continues to fail in that respect, I probably will not.

What are your plans? Why do you, or why don't you, pursue the CISSP?

30 comments:

GeekMom said...

Back when I started working in security, the CISSP hadn't really taken hold yet, so I didn't bother getting certified. However, five years out of the workforce and two children later, I have discovered on my job search that just about everybody asks about it, even if they don't absolutely require it. I suspect that my resume was junked a lot of times because it didn't have those magic letters on it. So as soon as I can get my company to pay for the exam fee, I'll just take it and get it over with.

Martin said...

Richard,

I pursued the CISSP for reasons similar to yours: I knew what I knew, but getting past the HR drones to get an interview was extremely difficult without it. I viewed it as similar to getting my Bachelor's Degree. Everyone knows that a BS doesn't mean you know anything about the real world, but it does mean you've spent the time and money to pursue the degree. It shows a certain level of commitment to your own education and personal improvement.

The CISSP was never meant to be a test of someone's technical skills; it's meant to show that the holder has a broad, general knowledge of security. It's a certificate meant for middle management and up, not for the guy on the keyboard daily configuring your servers. It's a way to prove that the owner has a high-level understanding of security in general, not necessarily the knowledge to rebuild and secure a *nix server from scratch. It does not denote technical knowledge, something many of the owners of the CISSP forget, as well as most of the people viewing it from the outside.

If you're expecting technical expertise, look for someone who has a CCSP, CCIE or CEH. Unluckily, most of those aren't nearly as readily recognized by the HR departments as being 'security certificates'. For better or worse, the CISSP is the cert to have if you want to get past the gatekeeper to the initial interview. And for me, that's what it was all about, the tools I needed to get past the first test in the hiring process.

Joe said...

I too pursued CISSP purely for the enjoyment of HR/Recruiters. It has helped. Unfortunately, I am up for renewal and I am late, so a late charge has been applied...grrr...still deciding whether or not I should pay to keep it.

Keydet89 said...

Richard,

I obtained my CISSP in '99. I took one of those seminars where they tell you that the purpose of the seminar is not to prepare you for the exam...but that's exactly what it was. I got the cert in order to help the company I worked for market our skills.

In Nov, '99, I attended the CSI conference in DC, manning my company's booth. ISC2 was there...offering 40 CPE points if you sat and took the practice exam. Let's see...1 CPE per hour of attendance at the conference, but 40 points to sit down and blow through a practice exam in 4 hrs or less? Why does the term "self-serving" come to mind?

I let my cert lapse a bit ago, and 6 months later, I got a call...if I paid the $100 reinstatement fee, and submitted my accumulated CPEs, I could get my cert back. So, since I sensed that I'd be back on the market soon, I did it. Like you, I put the CISSP on my resume in order to get past the HR recruiters. For me, that's been the benefit of the cert.

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com

Anonymous said...

Richard,

I have only recently qualified for CISSP, and plan to pursue this as a goal for the latter half of this year.

I have no intentions of "pimping" this cert as a testament to my technical proficiency, but it does help show people I have some knowledge of security practices and principles.

The most important thing to me is the code of ethics, like you mention, and the testament to my experience.

I do plan to pursue more technical merits, including a CCNA in the next half dozen years or less, but a CISSP is a nice start to someone just gaining credibility and looking to move on up. Something like a Security+ or Network+ is just not the same...

LonerVamp

Axel Eble said...

I find Thomas' criticism a bit on the pathetic side. After all, if everything were so clear and obvious we wouldn't have to have it anywhere else. The code of ethics does indeed state the obvious - however, it's the sworn adherence to the code that gives some reliability to someone holding a CISSP.

I'm up for renewal in August and while I'd have a lot to say to and about (ISC)² I *will* renew. It's a marketing factor and, as others have said, a CISSP is a hint that the holder has a basic grasp of security. It is not, as Martin has mentioned above, a technical certification - nor was it meant to be. I'll grant you that the exam does ask a lot of technical questions for a managerial certification. That's one of the things I don't like about it, as is the Not-So-Common Body of Knowledge.

Axel Eble said...

What I forgot to mention as another reason to keep the cert is the community I got to know in the CISSPForum.

Dana Epp said...

Having a CISSP certification is more than an HR thing. As mentioned, it's not about technical skills and merit. It's about having a professional understanding of the 10 bodies of knowledge and being able to apply that thinking in an infosec kind of way. It is purposefully "an inch deep, and a mile wide" for a reason.

In the realm of information security, before we even THINK about technical safeguards we have to understand the real problems. The real risks. The real threats. The biggest failure in the industry right now is having geeks think they are information security professionals. It is rather sad to see a person with an A+ Security cert or Cisco Security cert try to sit around a table and talk about applying qualitative risk analysis to determine what assets need to be protected, and to what degree. They fail miserably because they were taught that security was a technical problem, and not a business one. Big mistake there.

I always look at it like this. A CSO/CISO/security consultant would have a CISSP. The people that report to him and apply the technical safeguards to meet corporate security policies would have a SANS GIAC or something similar.

Is the CISSP a good cert to have? Absolutely. It means you have a good understanding of the 10 bodies of knowledge and can have a competent conversation with other infosec pros in the process of doing your job function. And if you take the certification seriously, it also shows that you follow a code of ethics in how you conduct yourself and your work in the field. I really wish security vendors would have more CISSP... then we wouldn't see so much FUD being spread around.

Is the CISSP essential to show your 'leet Snort skills? Absolutely not. But it wasn't designed for that. Combining a cert to show you understand deeper, more important infosec principles and practices (ie: CISSP) with a technical cert like GIAC gives you the breadth of knowledge needed to be an infosec pro in this day and age.

I don't think you are giving yourself the credit you deserve. The security principles and practices that you learned and had reinforced are now part of you. It can't be taken away. And that might be why you look back and think it doesn't echo your views on how security principles should be taught. I have no idea of your full background, but if you are like most, the CISSP looks trivial NOW because you already went through it. A combination of real world experience and the 10 CBK have given you a stronger foundation than most people in the field. Don't give up on it so quickly.

Renew.

Security Practice Manager said...

Well, here's the bad news. When reviewing security resumes, and I see CISSP, I immediately think "newbie". Yes, that's completely unfair, but it's becoming more and more the norm. Entry level security folks know that if they get the CISSP they can get past the HR drones; the really senior people rarely seem to have the CISSP, as they have the obvious experience in the field to not warrant it. The CISSP is, in all frankness, the MCSE of the security field. And, as everyone has pointed out, it's not a measure of technical acumen - so what's the point? If you have a CISSP, it seems to say "New guy, doesn't have any real certs or experience". Just my two cents, and I imagine this will be taken as a troll - but I'm telling you, the CISSP isn't helping with the firms where it matters. If an HR drone drops your resume because it doesn't say CISSP, then the position wasn't a real security one to start with - probably just some C&A position.

Anonymous said...

So, everyone seems to be agreeing that CISSP isn't about technical ability to do a job. A few (including Richard) are backpedalling by saying that's okay, because it's not supposed to be about technical ability.

But they are belied by some of the first words found at the ISC2 website: "CISSP Certification was designed to recognize competency in the practice of Information Security."

I'm a sysadmin with more than a few years of strategic & tactical experience securing systems - and cleaning up the aftermath of insecure systems. So a friend of mine, studying for CISSP, used me as a sounding board as she worked her way through Shon Harris' CISSP book. Along the way, I pointed out many errors, examples of outdated information, and examples of 'strategic' thinking that simply couldn't be carried out in the trenches.

My friend got her CISSP cert, and for the past year has been finding out the hard way that she's a paper tiger. The problem is, she can talk a good game in the conference room, but when it's time to look at actual systems and processes, she's dead in the water. So, she can never really know whether or not she's being taken seriously, whether or not the tactical hewers-of-wood and drawers-of-water are actually following her advice.

And *that's* the weakness of a certification based entirely on theory without practice.

Axel Eble said...

@security practice manager: the CISSP requires several years of practical experience. If you see a practitioner/professional holding the cert yet without the required experience, by all means report this to (ISC)². This usually means that they lied on their application form.

@anonymous: If you think "practice of Information Security" means "technical prowess" you don't understand Information Security. As to your friend: either she learns to communicate (and that means both reading people and talking to them) and learns the way organizational politics work or she'd better look for another job that's easier on her. Dealing with processes can be learned. Dealing with systems can be learned. If she has no experience with it, she should at least have some experience with other security related stuff. That's what the certification process requires. If she hasn't, she has lied in her application and should have her cert taken from her.

I do believe that (ISC)² should background-check the applications more thoroughly and that they should not go for numbers of certified people alone. Sometimes I am given that impression, however.

Anonymous said...

Axel Eble,

In the case of my friend, her application was not falsified. She used her degree and three years of test lead experience to meet the requirements.

And no, I don't think it means 'technical prowess' alone. However I do think it should mean what it says: "technical competence". Among other things, of course. I certainly don't mean to imply that strategy is less important than tactics. What I am saying is that strategy *without* supporting tactics won't win any battles. And a general who can't tell good fighting from bad fighting will only be good at drawing lines on a map - not winning battles.

Richard Bejtlich said...

Any thoughts on periodic audits of CISSP membership, to include meeting a board of peers for an in-person interview?

GeekMom said...

It's a floor wax AND a dessert topping!

I agree that ISOs need a much broader view of security and how it ties into business, and they need a lot more savvy. But it's my view that ONLY having that view is useless without a technical foundation; there's no THERE there. So HR departments might be forgiven for thinking that CISSP = certified security management, if that's the only certification they can find that fits the bill. But I agree that just taking enough cram courses to get the CISSP without actually having gotten your hands dirty doesn't mean you're good at security. Too many people see it as a quick way to the top without putting in the time in the field.

Dana Epp said...

Richard,

I think periodic audits should be mandatory. But in a slightly different way.

I think mandatory CPE credit(s) should be earned by writing AT LEAST one security related paper every so often, which would include a presentation of that paper to our peers. I think presenting to a security conference, ISSA meeting, CIPS Security SIG etc would suffice in this regard. It does two things... (1) Shows ACTUAL competence that can be rebutted by peers (2) Forces the member to work on furthering the field, if we could somehow police for new content (ie: We don't need 50 people presenting on LUA, and regurgitating the same useless drivel).

SANS does this on some technical certs, and it seems to work well. One failure I have seen is BAD papers which just have WRONG research and conclusions which are not refuted by anyone. So for an audit to be useful, it has to go through a formal process so things don't fall through the cracks.

From some of the comments I see here, it seems a big problem is the disconnect of THEORETICAL experience vs. ACTUAL. Maybe as part of the audit a more thorough background check is needed to ensure the credentials of the member are valid. Unfortunately... this has an associated cost, and I am unsure who would be the right person to bear it.

YMMV of course.

Anonymous said...

Yes, a periodic interview/audit would raise the value of the cert (and the people who hold it!) in my eyes.

Dana's suggestion is also interesting. In this way we could look up papers written by CISSP's we're thinking of hiring, and make a value judgement based on those papers. So okay, let CISSPs publish their papers both good and bad. I would actually value the bad papers just as much as the good - they help in the weeding process!

As to who pays for such extra QA on CISSP-holders - clearly the CISSP should pay for this. Even a few hundred bucks a year would (imho) be a small price to pay for the salary increase most CISSP's wish to command.

Dana Epp said...

Security Practice Manager: If you believe that CISSP is the equiv of an MCSE for this field, what do you recommend as a more trusted cert?

I think anyone who believes that without technical acumen a certification is useless, needs to reconsider what the role of an ISO is supposed to be.

Anyone who thinks technology can solve all of their security problems doesn't understand their problems and doesn't understand the technology. A CISSP is SUPPOSED to be able to see above that, and understand the REAL problems as it relates to the principles and practices of information security.

Technical safeguards may very well be needed as part of risk mitigation strategies. But there is a LOT of thought and understanding of what NEEDS to be mitigated that needs to be addressed before you worry about HOW you will do it.

So I argue that it is possible to have infosec pros that may NOT have in depth knowledge of how the next whiz-bang Cisco VPN concentrator works. That doesn't make them any less a professional. A real professional will know their limits, and bring in the technicians when they are not capable/able to do something. I RARELY find technicians who can look above the technical issues and do the same when it's time to think strategically and assess the real risks in the environment. Or properly communicate the risks that matter to senior management, in an effort to get buy in from the top down.

This is of course just my opinion. I would love to try to understand what you consider a "real certification".

Anonymous said...

Dana,

To some extent I agree with you - which is why I mentioned both systems *and* processes in an earlier post.

It's certainly not all about a practitioner's m@d sk1lz at the firewall, in the server room, or out at the desk. It's also about understanding people and organizations. How they work, what they're trying to accomplish, and what cultural norms might be hampering security effectiveness.

I don't mean to simply trash the CISSP. Like other certs, it's a nice *layer* in one's overall system of knowledge. People are attacking it in part because they see a major uptick in the number of cases where CISSP is the *only* major pre-requisite to the job - and in more than a few cases where the job itself isn't at a level where CISSP skills will actually make the difference.

Let's face it - in a lot of situations, the CISSP is placed in a role where he/she will produce a report about changes that need to be made - a report that will never really be acted on, for a variety of reasons. Or worse, the CISSP is placed in a security operations role, where such a report would never even be welcomed, and the CISSP may not have the actual technical abilities to resolve the issues. And CISSP holders are actually taking those jobs, when they should be holding out for the strategy-level jobs they trained for. To me this indicates a fundamental problem somewhere in the program.

It's a tough nut to crack. The headlines show that most businesses are not (yet!) seeing the need for strategic, tactical, and cultural changes to resolve the growing infosec problem. Maybe the ISC2 people need to begin spending a few more resources on spreading that message than on growing the body of CISSP-holders?

Anonymous said...

Echoing what other folks have said:
The cissp is not the "all in 1" wonder security cert. As with most jobs in i.t. you need to converse/translate to the geeks and the beancounters (mgmt). If you want to be in security/i.t. mgmt, you need a baseline of some certs.
CISSP is a good baseline security mgmt cert.
A SANS GCIA, GCFA could be a good baseline tech cert.
And a mcse or rhce couldn't hurt either.
Everyone needs to stop bashing the cissp like it's a "paper mcse". It is what it is.
I've got 10+ yrs in i.t. and I'm aware the game never ends, but this cissp bashing, sheesh..

Anonymous said...

If the CISSP cert says little or nothing about technical competence, but hiring managers need a warm fuzzy that J. Random Applicant has some broader clueset, then perhaps ISACA's new CISM cert will gain some market traction.

If I were ISC^2, I'd feel threatened by it, anyway.

Security Practice Manager said...

The long and short of it is the CISSP has hurt the field, not helped it. Everyone seems to be dancing around the issue: It's a paper cert. It says that the person is, at best, a high level theoretician, that knows a great deal of trivia about security. It doesn't say they can apply that knowledge, and as the CISSP does not measure practical skills or practical experience, it's not a good cert for a field that is all about practical skills. Theory is worthless in security and risk management.

There are too many people running around with the CISSP that have no business giving advice about security matters, and we have all met them. The fact that these people can get the CISSP proves that the bar is too low. Just look at how broken the ATO and C&A processes are in the federal government, and the headlong push not to look at why it's broken - but to get more people to get the CISSP.

Security is not about theory, you can't manage risk by simply being a high level person - and that's all the CISSP says about a person. It's a dangerous cert, it gives people a false sense of - dare I say - security in the CISSP's abilities. Too often I've seen ISSO's with a CISSP and way way way too much confidence in themselves.

SANS seems to have it right. You have to prove competence via practical effort. The GSE is an excellent example of that. Too bad the CISSP doesn't require a practical. It's time to call a spade a spade, the CISSP is a paper cert. It's hurting the field, not helping it.

annerose said...

These comments have been invaluable to me as is this whole site. I thank you for your comment.

Anonymous said...

Well, with every certification the same thing happens: there are people who take it but don't really understand the concepts.
There are people who don't have certifications and have more knowledge.

CISSP is not deeper in concepts but is highly recognized around the world, and certifies you have a base.

If you are thinking to make the exam, I suggest a site:

CISSP EASY

Anonymous said...

I wonder how many people who post on here that claim to be CISSP, actually are? There are so many correct comments and so many obviously bitter, stuck in their ways, been passed over for promotions, that it is hard to tell. The CISSP while not perfect is one of the better yardsticks to measure security management by. I agree that it is not a technical certification however you have to have a fairly deep technical understanding to pass the exam. That being said, you have to look at CISSP for what it is, a management certification. If you want a hands on technical person, look for more than just a CISSP when you hire the person. I had to laugh when I read that someone had compared the CISSP exam to the MCSE, OMG….. Having taken and passed both along with CEH, Security +, and a host of DoD certifications, I can tell you that they are not even in the same league let alone ball park. I passed MCSE and Linux certification like they were written on bar napkins, I struggled over each of the 250 questions on the CISSP exam. This forum kind of pisses me off because of the negative attitude I see in here. If you want the best, recruit and hire them. However, be prepared to pay what we require in salary. Years of experience and a fruit salad of certs don’t come cheap. Quite often that is the root of the negativity that I see toward CISSP, other security people who can’t believe “how much they are paying that guy and he doesn’t know shit about our system”. Well if you want the big bucks go out and get the management experience (you probably already have the technical experience), the certs, be willing to look beyond the technical nose on your face. There is a ton of demand for technical people who can move beyond putting their hands on a keyboard every day. People who can chain the business needs and the technical capabilities together. 
Unfortunately the key skill set for this very well compensated position is not your l33t hacker skills, (you do need those as well), but your ability to communicate with the C-level folks.

Just my thoughts

Cappy

Anonymous said...

Hello,

I am a Recruitment Professional seeking a Cyberforensics Analyst for our Waterloo, Ontario Canada office. Does anyone know of anyone they can refer? My email address is cataylor@rim.com

Thank you.

Anonymous said...

I was a very early taker of the CISSP, way back in 1999-2000. I already knew enough about IT and security to pass it without any special study. In my opinion it is a completely useless qualification. The assessment (by multiple-choice) is shallow, most of the content is irrelevant to what a real-life IT security consultant needs to know, both technically and in terms of security principles.

It even has its own Catch-22. The only reason most IT professionals want it is because employers give it credence. But to obtain the CISSP you must already have experience of IT security work. Well, if I can get employment in IT security why would anyone waste their time on a qualification that neither confirms my existing useful skills, nor equips me with new ones.

So all that is left is "conforming to a code of ethics". That is pretty weak. We are meant to behave ethically anyway, and the various ways of behaving unethically are usually covered in our contracts.

So what is the CISSP? It is a way to make money for a self-selected bunch of people that set it up in the first place.