Comments on TaoSecurity Blog: Should I Accept New ISC(2) Certification Agreement?
Richard Bejtlich (feed updated 2023-10-16T06:06:25.012-04:00)

Anonymous (2010-02-17T15:33:22.322-05:00):
With all the comments trashing CISSP as basically useless, what about all those folks that took the exam several times and are still failing? Are they even qualified to be working in their field?

Joel Esler (2006-06-20T11:25:00.000-04:00):
<A HREF="http://esler.is-a-geek.net/2006/06/cissp-is-overrated.html">I think this sums it up</A>

Anonymous (2005-12-08T21:45:00.000-05:00):
In the end isn't it up to the CISSPs themselves to raise the standard to an acceptable level?
We can all moan and groan about what it has become but how many of us have invested time and effort to help ISC2 increase the standard(s)?
As far as the initial question goes - Richard illustrates some valid points - The fact that the number of questions is deemed a "secret" that cannot be discussed by CISSPs is ridiculous. How many of you remember the "Puzzle Palace" book and the stir it caused in the government - "secret" words that can't be confirmed or denied (I know there was much more to it - simply generalizing for a moment). In the end even the government recognized that you can't stop people from uttering the phrases top secret or even god forbid spoke, umbra, etc... It is an unenforceable rule that serves no purpose.

Anonymous (2005-12-08T16:38:00.000-05:00):
Wow, sure sounds like the last guy/gal works for ISC2. I took this exam last May and passed. It took me two hours and 40 minutes to finish the beast and the questions read like Greek to me. I followed the advice of a wise man and just answered the questions without changing any answers. I swear my test was a testbed version because of the type of questions I had. I haven't been to one event which grants CPEs since I took the test. I am a member of the ISSA-NOVA chapter, but I seem to be out of town every time there is a meeting. I'm sure I'll be faced with the same dilemma you are Richard when my expiration date comes up. Should I care, maybe. I'll just put on my resume for my next job that I'm a former CISSP. If the interviewer asks me about it, I'll say I was too busy doing actual information assurance tasks to maintain my standing with ISC2.

OUT

Anonymous (2005-12-08T09:11:00.000-05:00):
I'm sorry but this is just so much blather.
If you don't want a CISSP then don't take one.
BTW the website you enter the CPE information on is dead simple to use so if the author has "hundreds" of credits he "forgot" to enter...he really has no excuse.
BTW the language he highlights in the agreement seems designed to combat "brain dump" type sites for those who wish to cheat on the exam.

Anonymous (2005-12-05T14:47:00.000-05:00):
I'm not a CISSP but from my experience certifications have been valuable in measuring potential employees. Sure, it's not a perfect measurement, but it means more to me than years on the job. It means that they sought out the certification and did the work. I don't think a college diploma means all that much either but most organizations today will not consider a candidate without one.

Anonymous (2005-12-03T09:44:00.000-05:00):
Not wanting to start a flame, but here goes. I have been in IT Sec since 96. I have seen flames erupt with any cert change. This is no different. When SANS dropped the practical, immediately there was a brouhaha on the watering of the cert. Get real people, all groups such as ISC2, SANS, MS, AICPA use their certs to make money. To those of you who say they won't get a CISSP because of this, consider it in a different way. The SANS Cert, The CISSP Cert, are a ticket. Do you want a ticket to play in a broad spectrum IT security realm or just be a Firewall admin? Make your choice. btw, I have a GIAC advanced Cert, CISSP, and a CISA. They have been my ticket for a higher level position.

Anonymous (2005-12-03T00:18:00.000-05:00):
I have to say with all sincerity that donut Friday rocks.

DavidJBianco (2005-12-02T15:19:00.000-05:00):
The first rule of CISSP is, "Do not talk about CISSP."

Anonymous (2005-12-02T14:58:00.000-05:00):
Hmm. It's a lot of language which, so far as I can tell, basically adds up to <I>ISC2's CISSP info is a secret, and ISC2 expects you to help maintain that secret</I>.

How standard is that clause, and others like it?

Personally I wouldn't use this as a reason to decline a CISSP certification or drop an existing one ... there are so many <I>other</I> good reasons!

Anonymous (2005-12-02T14:45:00.000-05:00):
When was the last time any of us were out drinking a beer with other security people and someone DIDN'T make a joke about the CISSP being lame?

The CISSP is a joke. The world has changed and is changing too fast for that cert. Technical and non-technical issues have come up that it doesn't address. Worthless.

I wouldn't even use it to "get past HR" in the resume pile. If you are a good security professional word of mouth will take you places. If you are looking for a foot in the door, take a job as a sysadmin, network eng, etc. and make your way to the top like the rest of us CISSP-lapsing prima donnas.

Anonymous (2005-12-02T14:42:00.000-05:00):
I agree with the person above me, being a relative newcomer to security as well. In fact, I will still welcome the ability to include CISSP on my resume, but hearing information like Richard's and other posters at the very least keeps me grounded in how I view the cert, and gives me a better sense of judging other certs as well.

I will not deny though, that a cert (even one I may not respect highly after 3-5 years experience) does help one out when still in the infancy of their career.

Anonymous (2005-12-02T10:37:00.000-05:00):
I have been considering pursuing the CISSP certification. I am still a beginner in the InfoTec Security world, so I thought that maybe in a couple of years it might be worth it. After having read all the input so far, I am now considering otherwise. Who knows maybe in a couple of years, it will be different.

In reality if the certification is not a requirement in your job, then why bother. Is it just to have the letters after your name? In some way maybe it does reflect the fact that you have the experience, but I imagine there are a number of people with the cert and no real world experience. I could be wrong on this, since I have not done any studying for the cert at this time.

I think that a person in your position would not need any certifications, especially in InfoTec Security. IMHO experience speaks louder than certs. Of course in the end the decision is solely yours to make.

G'Day,

Roger

Anonymous (2005-12-02T10:07:00.000-05:00):
CISSP is a title like all the others, it proves nothing more than you have passed the exam, and that for a brief moment you remembered all the concepts needed for the test. This certification has gained prestige not by its body of certification but by the people who got certified.
I fear that the prestige is now diluted by the vast number of certified.
Every certification that I know of progresses following the Gartner Hype Cycle. It appears that CISSP is now in the disillusionment phase. I hope it will move on to the slope of enlightenment. So many don't...

As for your question, Yes I have clicked on accept the agreement even if I don't really agree with all the terms. Then again, what difference does that make? How many CISSPs have infringed the Agreement or the code of ethics? Too many to count I'd say.
I have high standards of ethics and I stand by it. In the face of contradiction, incoherence or plain stupidity, I use my good judgement and go on.

Anonymous (2005-12-02T09:21:00.000-05:00):
Get yourself a nice SANS/GIAC cert. It includes a week's worth of training and a 6-month lab assignment.

Anonymous (2005-12-02T09:19:00.000-05:00):
Hello,

I've been an info security professional for the last 10 years at a Fortune Global 10 company. Various people have tried to get me to take the exam for years but I've resisted.

Quick poll, how many of us will ever have the chance to design a secure data hosting facility? What's that? None you say? So how does it do me any good to know that some schmoo has decreed that a 10 foot tall perimeter fence is necessary? Why not 12? Why no barbed wire? How many of us will have the chance to decide on Halon* or CO2, and why should we go with CO2 like the course recommends?

IMHO it is a paper certification and cheesy continuing education requirements.

I also know several people who got the certification while they were out of work for a year or two. Cuz yeah, those are the qualified and talented people I want working for me.

Finally, I will admit that having 'CISSP' in your resume will get you past the first round of circular filings by the departmental secretary. I hope the rest of the resume and personal contacts will get me around that hurdle, should it be necessary.

* And yes, I worked around Halon in the service and saw all of the training films. It isn't toxic until it hits 900 degrees F. - at which point you have other problems.
www.oseh.umich.edu/haloappa.pdf

Sorry for the rant, blame it on donut Friday. :)

Anonymous (2005-12-02T09:07:00.000-05:00):
I had my bureaucratic run-in with (ISC)² back in 1997, before the CISSP was 'cool', and subsequently became a pimped-out cash cow for them. At that time, I swore that I'd never sit for the cert exam or play any of the rest of their silly games. I'm glad that others in the community may now be seeing the cert, and the organization, for what I've always felt they were.

Anonymous (2005-12-02T08:54:00.000-05:00):
I remember when you were certificationless. You expressed being proud of this fact in 2000.

Anonymous (2005-12-02T02:06:00.000-05:00):
Although, when I first obtained the CISSP, I didn't expect it to be a great benefit, I am about to allow my certification to lapse.

There are a few reasons:

1. The main things that interested me about the certification were the code of ethics and the requirement for professional experience. In real life, I have never heard of a single case where either has been enforced, and several cases where they have been violated, rendering them useless.

2. The CPE system is both hard to use (as evidenced by the fact that both of us have literally hundreds of CPEs that we have not entered) and seems more geared towards advertising and promoting seminars than measuring 'ongoing work in the field'.

3. The certification is, in some circles, actually considered a negative - in other words one is thought to be <I>less</I> technically capable than if one did not have the certification at all.

In other words, it seems that, worse than having no positive value, it may have a negative one.

Your post here only emphasises the decision I'd already made.