Friday, May 18, 2007

Thoughts on Latest CISSP Requirements Change

You all know I am a big fan of the CISSP certification. (If you don't recognize that as sarcasm, please read some old posts.) I wasn't going to comment on the press release (ISC)²® to Increase Requirements for CISSP® Credential to Validate Information Security Expertise, but no one else really has.

First, a little history. The last time a requirements change was announced was January 2002, in the press release (ISC)² TO IMPLEMENT NEW CISSP REQUIREMENTS IN 2003. That article stated:

...new requirements for the Certified Information Systems Security Professional (CISSP) certification, effective Jan. 1, 2003.

As of that date, the minimum experience requirement for certification will be four years or three years with a college degree or equivalent life experience. The current requirements for the CISSP call for three years of experience...

The "equivalent life experience" provision is intended for mature professionals who did not obtain a college degree but are in positions where a college degree would normally be required...


You may remember these changes were announced about a month after 16-year-old Namit Merchant passed the CISSP exam, according to a December 2001 SecurityFocus report.

I passed the CISSP in late 2001 as well (I was almost 30, not 16), so all I needed was three years of relevant work experience. Since 1 January 2003, you could have three years of experience plus one of the approved credentials. Those include many certs from SANS, for example.

The new requirements for the CISSP, announced this week, are:

Effective 1 October 2007, the minimum experience requirement for certification will be five years of relevant work experience in two or more of the 10 domains of the CISSP CBK®, a taxonomy of information security topics recognized by professionals worldwide, or four years of work experience with an applicable college degree or a credential from the (ISC)²-approved list.

Currently, CISSP candidates are required to have four years of work experience or three years of experience with an applicable college degree or a credential from the (ISC)²-approved list, in one or more of the 10 domains of the CISSP CBK.


I am not sure why (ISC)² is increasing the experience requirement. I don't think five years of "experience" are going to make that much of a difference when compared to four years of experience plus a degree or credential. Honestly, equating a degree with a certification like CompTIA Security+ (on the "approved list") is really a joke, or should be.

Experience is not the only change:

Also effective 1 October, CISSP candidates will be required to obtain an endorsement of their candidature exclusively from an (ISC)²-certified professional in good standing.

Currently, candidates can be endorsed by an officer from the candidate's organization if no CISSP endorsement can be obtained. The professional endorsing the candidate can hold any (ISC)² base certification – CISSP, Systems Security Certified Practitioner (SSCP®) or Certification and Accreditation Professional (CAP).


This is an anti-fraud attempt. I think it is too late. From the rumblings I've heard, cheating on exams like CISSP is not uncommon. One bad apple can "earn" the CISSP and then "endorse" all his buddies.

Maybe (ISC)² is finally starting to behave like employed French workers, protecting those who already have the certification at the expense of those on the outside? In other words, are there too many CISSPs chasing too few jobs? The latest press release states:

“With an estimated 1.5 million people working in information security globally, the nearly 50,000 CISSPs remain an elite group of professionals that are leading this industry,” Zeitler said. “(ISC)² will continue to assess its certification criteria and processes, as well its examinations and educational programs, to ensure that remains the case.”

50,000! Less than five years ago the press release (ISC)² RECOGNIZES 10,000th CISSP said only 2,000 CISSPs were certified in 1999, and 10,000 was reached in October 2002.

I still think the CISSP exam, and the certification in general, is a waste of time. For the latest example why, read How I Prepared and Passed CISSP:

I chose a self-study route, and devoted around 2 months to the preparation. I locked myself in and had very little to no time for the family; I'd told them what I was up to, and both my wife and son were very supportive. Every weekday I would dedicate 3 to 4 hours, and on weekends 5 to 6 hours, to preparation. The last week before the exam, I took leave from work and dedicated around 12 hours straight every day for 7 days. To cope with the physical and mental tension I did 45 minutes of yoga in the morning and 20 minutes of meditation in the afternoon. I took a break or stretched for 5 to 15 minutes after every 1 or 2 hours of study.

That is ridiculous. I would expect someone who wants to be considered a "security professional" to be well enough versed in the CISSP material to not require seven straight days of 12-hour study sessions, beyond the previous seven weeks of study.

I prepared for the test in 2001 by reading the first edition of the Krutz and Vines CISSP guide, followed by the Exam Cram the night before. That was it. No boot camp, no study marathons, no weeks of study groups. I had about four years of experience and I figured that if (ISC)² required three years, I should be OK. I finished the test in 90 minutes and that was it.

If you're wondering how I would replace the CISSP, please read my 2005 post What the CISSP Should Be. I think Peter Stephenson's requirements for certifications are good guidelines as well.

23 comments:

Jordan said...

The sad part is that many people still don't understand what is, and (mostly) isn't valuable about a CISSP certification.

At RSA earlier this year I was in an "editors briefing" with many of Cisco's senior security executives, PR folks, and a couple dozen writers, journalists, etc. It being my first actual "press conference" type event, I was more than a little nervous, but couldn't help but get involved in a discussion about the value of a CISSP. I quoted the oft-repeated line about it being a mile-wide and an inch deep. Someone in the audience (who is apparently on the board of CISSP or supposedly had some other knowledge about it) took offense and tried to argue that it went into great depth into many topics.

At this point, someone else in the audience asked who in the room actually /had/ a CISSP. In the room of 40 or so folks, I was the only person to raise my hand. The conversation quickly moved on to a different subject.

Security Retentive said...

I can't tell you how happy I am to see another thoughtful analysis of exactly this topic.

Your statements about studying reflect my experience pretty accurately. If you've been working in InfoSec for multiple years and are generally studious and curious about things and have actually learned in those years, you shouldn't have a lot of trouble with the material that the test should cover.

What you probably will have problems with are some of their inane overly specific questions about exact RFCs, encryption algorithms, products, etc. If you haven't studied for that nonsense by doing some rote memorization you might miss a few things on the test, and who knows how important that will have been.

I'm pretty bound and determined to not perpetuate the value of the CISSP by making it a requirement in my hiring practices. Perhaps if more of us do that when hiring the certification will lose a bit of its appeal?

Niranjan said...

First of all let me tell you that I have your and other security blogs in my RSS reader. I regularly skim through the posts. It was a pleasant surprise to see you linking to and talking about my post. Thanks! I understand that certifications alone don't reflect what a person is capable of, and to some extent I agree with you on the value of certifications. In this real IT world you need them to climb up the ladder. I'm sure you were proud when you passed your CISSP in 2001, for whatever reasons you took it, and didn't think it was a waste of your time then. On the exam preparation method, I disagree with you, because not everyone is a super like you -- going to the exam just by reading one guide, and Exam Cram the night before. My marathon preparation was necessary for me. I'm not saying everyone should prepare the way I did. Does my preparation method put a question to my security professional status??? I don't think so. For me CISSP is just another jewel in the crown that taught me something during the preparation and now validates what I was already capable of. I didn't want a half-assed effort in preparation; maybe I would have passed with that too :). BTW, I don't understand why (ISC)2 would make it a 6-hour-long test if everyone could finish in just 90 minutes.

Cheers,
Niranjan

Richard Bejtlich said...

Hi Niranjan,

I should have made clear that I'm not questioning your abilities. Unfortunately, your story is not uncommon. I think a test that is supposed to validate security professionalism should not have such study practices associated with it.

I believe the reason the test is so long revolves around the questions being so lousy. That is a universal theme, mentioned by everyone who takes the exam. Everyone I've ever met who has taken the CISSP left the event wondering if they passed. That's a sign of a lousy test.

Also, I am definitely not "super." I just quickly recognized the majority of the CISSP questions would not benefit from exhaustive analysis and second-guessing, so finishing as fast as I could would be as effective as using all 5 hours.

Anonymous said...

This industry is a real mess at this point due to the number of jobs open across a wide range of areas (auditors, designers, incident response, etc.). I am starting to be of the opinion that the CISSP should be obtained by non-security types (IT managers, CIOs, network engineers) to understand the basics of security (so that they can apply it to their daily duties; of course this could reduce the overall need for pseudo security professionals to stand over their shoulder).

This would leave a gap for certifications for real security experts (which would be a smaller field if the above happened), with specializations in specific functional areas. This group would need something more advanced to be certified (picture the PE model of specific degree in a computer or engineering related area, hard test, experience, and a governing body). We have that type of framework for those who build bridges, but not for the ones that protect all of our private data (hmm).

ISC approached me six months ago about helping them craft a specialty exam in a certain area I focus on; I politely said no and hung up the phone. I might have sold out by taking the CISSP, but I sure wasn't going to torture others with another ISC cert.

Keydet89 said...

Richard,

When I prep'd for the CISSP exam in '99, my company sent me to one of the two-week prep courses. The first day, the instructor told us, "This course is NOT intended to prepare you for the CISSP exam." Oh, goody! It turns out that the instructor was also the person responsible for the Legal domain, and when he went through the material, he "threw out" about 50% of the slides.

The three of us in the course ordered the grey-bound study guide with sample questions online, and found that there were not only some similarities in sample questions that appeared in the course manual, but even when the questions were the same, verbatim, from both sources, the answers were different.

My study for the exam consisted of poring over Unix and Internet Security, from O'Reilly, a couple of days before the exam.

To this day, I believe that the key to taking the exam was not to know the correct answer, but to know the answer that the ISC^2 organization wanted you to know.

Richard Bejtlich said...

Harlan, you said

I believe that the key to taking the exam was not to know the correct answer, but to know the answer that the ISC^2 organization wanted you to know.

That is fine if the question makes sense. If the question is lousy, then the result is horrible. Harlan is absolutely right.

Security Retentive said...

To Niranjan's point about why take the exam, were people proud, etc...

I took it because I was job hunting and a lot of silly automated resume scanning tools look for keywords like CISSP. I knew that if I didn't have one I'd be at a disadvantage with people doing this automated screening.

On Monday I'm going to go into the office and have CISSP requirements removed from the two open positions I have posted. With that out of the way and telling my recruiters to stop focusing on that as a certification perhaps I can make 1 small dent in the perception that a CISSP is a requirement for a good security job.

If the folks in charge of hiring security professionals start to ignore CISSP as a certification, sort of like people very quickly started ignoring MCSE, then we can start influencing how popular the CISSP is by reducing its value.

I didn't consider passing my CISSP an accomplishment in anything other than learning how to answer arbitrarily written and arbitrarily scored questions.

Realistic said...

I have been around infosec since long before there was a CISSP. Let me assure you that the CISSP has never done anything but merely assert the barest, *minimum* competency.

It is a low bar, for sure. Anyone who asserts that it is anything besides an inch deep and a mile wide is naive and inexperienced. The only thing that the CISSP tries to do is suggest that the holder has had some exposure to some of the broad spectrum of topics that make up "infosec" - as defined by those of your "peers" who participate in its continuing design and implementation.

Since it is a multiple choice test, you might even be able to guess your way through the whole thing.

The same thing goes for the new experience requirements. I am sure that the idea behind this is to recognize the increasing complexity and the need for real experience. I am also sure that they want to keep raising the bar to keep the certification selective. After all, what would the certification mean if all x million people in the field had it? It is still a very low bar and does not attest to any particular level of expertise or experience except what the endorser asserts.

As Richard has written, one thing of value is the code of ethics. It, too, has evolved over the years.

I sat through many of the meetings where the CISSP was conceived many years ago. Trust me, the CISSP cert was designed by a committee of "peers" from all walks of the infosec community. It is currently maintained by your "peers." Hence, it is broad and much less than certain factions wanted, by definition.

So it is today. The cert demonstrates *minimum* competency and is part of infosec's progress toward becoming a real profession. Don't kid yourself. It is nothing but the barest of minimums across only a minimum number of infosec topics.

I have taught the official ISC(2) CISSP prep class and I never asserted that it was anything but a way to reveal areas where you might need additional study. There were plenty of errors and inconsistencies in both the practice questions and the course material itself. In case you have not looked, there are errors and inconsistencies across the literature in the field, and plenty of disagreements between your "peers."

However, in the main, in the hands of a competent instructor, a reasonable prep course generally helps most people focus on where they need to brush up. For instance, common areas that people needed to work on included physical security and operations.

Don't expect the CISSP or its specializations to ever be anything but a *suggestion* of the barest, minimum competency. We all know CISSPs who do not know their ass from a hole in the ground and who have done nothing of substance. And, we all know people who are very, very good at what they do, have made major contributions to the field, and who don't have any certificates, certifications, or degrees. Just like a degree, a CISSP cert merely *suggests* that you can have a reasonable "peer to peer" conversation with the holder. We all know people with advanced degrees who are idiots.

In the meantime, consider signing up as a volunteer to help make the CISSP (and other certifications) better. We could all use your help.

Roman said...

Richard, you said:
50,000! Less than five years ago the press release (ISC)² RECOGNIZES 10,000th CISSP said only 2,000 CISSPs were certified in 1999, and 10,000 was reached in October 2002.

Heck, just wait until DoD 8570.1 finishes making the rounds, considering that Technical Level III, Management Level II and III all can be met with the CISSP. And considering that at least one high-level organization within a certain ground war-based military branch is standardizing on the CISSP to meet those levels, you'll get to watch the numbers fly upwards.

What gets particularly bothersome is that some of the positions getting designated as CISSP (or equivalent) required are only "security-related" in one area, such as application development. The CISSP will supposedly teach an application developer about security? Well, that's what the regulation says it will.

ISC(2) couldn't have asked for a better godsend than 8570.1; I wonder if there was some backchannel negotiating going on, eh? :)

blacksite.org said...

Richard,

The CISSP is a joke for more reasons than you listed. The main reason I think it is a questionable exam is its multiple-choice format. It is quite easy for an experienced test taker to eliminate two of the four choices on each and every question. That gives you a 50% chance of being right on almost any question.

I'll put it to you this way, I consider myself to be a good test taker, and while I have a lot of experience in the "10 domains" I'm no expert. I'm probably a much better test taker than I am a security professional.

I studied about two hours prior to the CISSP exam. That was it. I was sure I had failed it, just based on the fact that I (due to my own procrastination) was so poorly prepared. It was that same procrastination that prevented me from canceling it and (so I thought at the time, sure of my failure) minimizing my losses.

I passed. The only thing the book helped me on was the various models presented in the exam, such as Bell LaPadula (or whatever it is) which I wasn't aware of at the time and hadn't encountered in my work.

I basically passed by accident. That's how bad the test is.

This is not to say that I don't know what I'm talking about. I think I'm a pretty good engineer and a pretty hard worker, but at the same time the test is supposed to be "a mile wide and an inch deep," and if something is supposed to accurately gauge your skill NO candidate should be able to pass by accident.

It's a terrible cert for those reasons alone. Though, hey, it's definitely on my resume, because I do think it adds value.

Given that you think the CISSP should be something else entirely, do you know of any certs out there that better meet your idea of a good certification for information security folks? Would love to hear what you think.

Thanks,

Mike

Richard Bejtlich said...

Hi Mike,

The only certification I hold which I feel was a worthwhile experience is the CCNA. A query for Lammle lists my posts on my experience and why I like the CCNA. I hope to work on the CCNP before my CCNA expires in the spring of 2008.

Keydet89 said...

...consider signing up as a volunteer to help make the CISSP (and other certifications) better.

Ugh. I have to say, I tune out when I hear someone say that...due to the simple fact that when I did try to do so in 2000 (shortly after receiving my notice that I had passed the exam) I really had to stay after the ISC^2 to get a response, and when I did, I (and the other person who was trying to assist along with me) was offered menial tasks that had nothing to do with what we were asking to do.

I think that over the years I've heard or seen a great deal of discussion regarding what constitutes a "good certification". To be honest, all I've really gotten out of that is that the community as a whole (not just infosec, but specifically computer forensics) is pretty fragmented.

oleDB said...

The biggest mistake by far the ISC2 ever made was the decision to only audit a fraction of the applicants. That alone has reduced the quality of the cert more than anything. I know several people that have passed without the proper security experience. Despite the high cost of candidate verification, the result is much more costly: a watered-down cert, which in most experienced security professionals' opinion is a very broad, security 101, history-of-security type exam. I know they are planning to add another domain soon, which would make it more relevant, but still, to me they're missing the mark. It's not about the test so much as it is about certifying someone as having 4 years of direct security experience. Why we need to pay 500 dollars for this is another story, but that's what I think a CISSP should be: someone with a proven IT security background.

Anonymous said...

I was studying for the CISSP because everyone at my school was (including teachers) and they were promoting the heck out of it. I paid over $100 for the official guide and the Shon Harris book. Read them both and then something in my head clicked and asked me if they were all jumping off a cliff...would I?

I took and passed the CCNA instead and now I am working on CCNP. I now feel that I am actually learning something.

The concept of a CISSP-type certification is great, but in practice it fails miserably.

JD said...

On Friday, we had a panel of "experts" (read: employers) at my technical college sitting about "discussing" the "IT industry". (Yeah, I know...lots of quote marks. I can't help it that these three weren't experts in anything at all, didn't discuss anything except the pre-canned questions, and then claimed to represent an entire industry!)

One fellow mentioned he was working for the state. He said he wouldn't consider non-CISSPs for the job openings in his department. The state government is for some reason requiring a CISSP for...get this...an ENTRY-LEVEL network administration job. Um...does anyone else see a problem here?

As a soon-to-be job seeker, I've also been casually looking during weekends at what's available. A job posting listed an internship job as needing a CISSP and if one didn't have that, one could have a Sec+ and six years of experience.

For an internship.

Why?

Is there hope for the beginner with a few years on firewall admin and IDS analyst duty who DOESN'T have the CISSP because they don't have the required experience?

oleDB said...

@jd

I think IT is one of the industries where you're apt to see more non-college graduates move up the ranks quicker based on hard work than in any other industry. I'm constantly amazed at how many IT managers don't have degrees or became director of IT at some small company at 23. So there is plenty of hope. However, at the larger companies you must get past the idiot gatekeeper, known as HR. They only see certs and diplomas and keywords. That can be a challenge, and it's just another case of people with no clue interpreting the CISSP as something it's not. Firewall and IDS skills are very much in demand, so I think you will be able to find a job in this market.

Anonymous said...

Recently the chair of ISC was stating that the foundation for an infosec career is a degree from one of the NSA CAE schools. This would be a costly investment in both time and money. I currently have a CCNA, MCSE, Security+, Net+, and A+. Would I be better off focusing on security certs and experience, or spending the time getting a degree?

Richard Bejtlich said...

Anonymous,

Get the degree.

Anonymous said...

I took the test June 22nd. The actual test questions themselves were horrible. All best answer questions. Poorly written. I felt I knew the material but after taking the test I was totally freaked out by the questions and I have been in INFOSEC for over 5 years.

Dan said...

I started down the path towards a Masters from one of the NSA CAE schools and was very disappointed by the quality of the education. It really felt as though I was just paying for a piece of paper. The classes, at 10 weeks apiece, were only able to begin to scratch the surface of the topic. In one class we spent half the time essentially giving book reports on different chapters of Ross Anderson's book. I felt like coming out of this program I would hardly have been a master of the subject matter. Perhaps (hopefully!) some of the other programs are more thorough, but I'm suspect of these degrees given my experience.

Anonymous said...

Don't take any certs too seriously, really. Nine times out of ten, they will have nothing to do with your day-to-day tasks on the job. They are just ornaments for a resume that say this person has the wherewithal to pass a test based on security concepts or what have you. And that hurdle, small as it may be, keeps zillions of people out of the job pool.