Thoughts on Latest CISSP Requirements Change
You all know I am a big fan of the CISSP certification. (If you don't recognize that as sarcasm, please read some old posts.) I wasn't going to comment on the press release (ISC)²® to Increase Requirements for CISSP® Credential to Validate Information Security Expertise, but no one else really has.
First, a little history. The last time a requirements change was announced was January 2002, in the press release (ISC)² TO IMPLEMENT NEW CISSP REQUIREMENTS IN 2003. That article stated:
...new requirements for the Certified Information Systems Security Professional (CISSP) certification, effective Jan. 1, 2003.
As of that date, the minimum experience requirement for certification will be four years or three years with a college degree or equivalent life experience. The current requirements for the CISSP call for three years of experience...
The "equivalent life experience" provision is intended for mature professionals who did not obtain a college degree but are in positions where a college degree would normally be required...
You may remember these changes were announced about a month after 16-year-old Namit Merchant passed the CISSP exam, according to a December 2001 SecurityFocus report.
I passed the CISSP in late 2001 as well (I was almost 30, not 16) so all I needed was three years of relevant work experience. Since 1 January 2003, you could have three years experience plus one of the approved credentials. Those include many certs from SANS, for example.
The new requirements for the CISSP, announced this week, are:
Effective 1 October 2007, the minimum experience requirement for certification will be five years of relevant work experience in two or more of the 10 domains of the CISSP CBK®, a taxonomy of information security topics recognized by professionals worldwide, or four years of work experience with an applicable college degree or a credential from the (ISC)²-approved list.
Currently, CISSP candidates are required to have four years of work experience or three years of experience with an applicable college degree or a credential from the (ISC)²-approved list, in one or more of the 10 domains of the CISSP CBK.
I am not sure why (ISC)² is increasing the experience requirement. I don't think five years of "experience" are going to make that much of a difference when compared to four years of experience plus a degree or credential. Honestly, equating a degree with a certification like CompTIA Security+ (on the "approved list") is really a joke, or should be.
Experience is not the only change:
Also effective 1 October, CISSP candidates will be required to obtain an endorsement of their candidature exclusively from an (ISC)²-certified professional in good standing.
Currently, candidates can be endorsed by an officer from the candidate’s organization if no CISSP endorsement can be obtained. The professional endorsing the candidate can hold any (ISC)² base certification – CISSP, Systems Security Certified Practitioner (SSCP®) or Certification and Accreditation Professional (CAP).
This is an anti-fraud attempt. I think it is too late. From the rumblings I've heard, cheating on exams like CISSP is not uncommon. One bad apple can "earn" the CISSP and then "endorse" all his buddies.
Maybe (ISC)² is finally starting to behave like employed French workers, protecting those who already have the certification at the expense of those on the outside? In other words, are there too many CISSPs chasing too few jobs? The latest press release states:
“With an estimated 1.5 million people working in information security globally, the nearly 50,000 CISSPs remain an elite group of professionals that are leading this industry,” Zeitler said. “(ISC)² will continue to assess its certification criteria and processes, as well as its examinations and educational programs, to ensure that remains the case.”
50,000! Less than five years ago the press release (ISC)² RECOGNIZES 10,000th CISSP said only 2,000 CISSPs were certified in 1999, and 10,000 was reached in October 2002.
I still think the CISSP exam, and the certification in general, is a waste of time. For the latest example why, read How I Prepared and Passed CISSP:
I chose a self-study route, and devoted around 2 months to the preparation. I locked myself in and had very little to no time for the family. I’d told them what I was up to, and both my wife and son were very supportive. Every weekday I would dedicate 3 to 4 hours, and on weekends 5 to 6 hours, to preparation. The last week before the exam, I took leave from work and dedicated around 12 hours straight every day for 7 days. To cope with the physical and mental tensions I did 45 minutes of yoga in the morning and 20 minutes of meditation in the afternoon. I took a break or stretched for 5 to 15 minutes after every 1 or 2 hours of study.
That is ridiculous. I would expect someone who wants to be considered a "security professional" to be well enough versed in the CISSP material to not require seven straight days of 12-hour study sessions, beyond the previous seven weeks of study.
I prepared for the test in 2001 by reading the first edition of the Krutz and Vines CISSP guide, followed by the Exam Cram the night before. That was it. No boot camp, no study marathons, no weeks of study groups. I had about four years of experience and I figured that if (ISC)² required three years, I should be ok. I finished the test in 90 minutes and that was it.
If you're wondering how I would replace the CISSP, please read my 2005 post What the CISSP Should Be. I think Peter Stephenson's requirements for certifications are good guidelines as well.
Comments
At RSA earlier this year I was in an "editors briefing" with many of Cisco's senior security executives, PR folks, and a couple dozen writers, journalists, etc. It being my first actual "press conference" type event, I was more than a little nervous, but couldn't help but get involved in a discussion about the value of a CISSP. I quoted the oft-repeated line about it being a mile-wide and an inch deep. Someone in the audience (who is apparently on the board of CISSP or supposedly had some other knowledge about it) took offense and tried to argue that it went into great depth into many topics.
At this point, someone else in the audience asked who in the room actually /had/ a CISSP. In the room of 40 or so folks, I was the only person to raise my hand. The conversation quickly moved on to a different subject.
Your statements about studying reflect my experience pretty accurately. If you've been working in InfoSec for multiple years and are generally studious and curious about things and have actually learned in those years, you shouldn't have a lot of trouble with the material that the test should cover.
What you probably will have problems with are some of their inane overly specific questions about exact RFCs, encryption algorithms, products, etc. If you haven't studied for that nonsense by doing some rote memorization you might miss a few things on the test, and who knows how important that will have been.
I'm pretty bound and determined to not perpetuate the value of the CISSP by making it a requirement in my hiring practices. Perhaps if more of us do that when hiring the certification will lose a bit of its appeal?
Cheers,
Niranjan
I should have made clear that I'm not questioning your abilities. Unfortunately, your story is not uncommon. I think a test that is supposed to validate security professionalism should not have such study practices associated with it.
I believe the reason the test is so long revolves around the questions being so lousy. That is a universal theme, mentioned by everyone who takes the exam. Everyone I've ever met who has taken the CISSP left the event wondering if they passed. That's a sign of a lousy test.
Also, I am definitely not "super." I just quickly recognized the majority of the CISSP questions would not benefit from exhaustive analysis and second-guessing, so finishing as fast as I could would be as effective as using all 5 hours.
This would leave a gap for certifications for real security experts (which would be a smaller field if the above happened), with specializations in specific functional areas. This group would need something more advanced to be certified (picture the PE model of specific degree in a computer or engineering related area, hard test, experience, and a governing body). We have that type of framework for those who build bridges, but not for the ones that protect all of our private data (hmm).
ISC approached me six months ago about helping them craft a specialty exam in a certain area I focus on, I politely said no and hung up the phone. I might have sold out by taking the CISSP, but I sure wasn't going to torture others with another ISC cert.
When I prep'd for the CISSP exam in '99, my company sent me to one of the two-week prep courses. The first day, the instructor told us, "This course is NOT intended to prepare you for the CISSP exam." Oh, goody! It turns out that the instructor was also the person responsible for the Legal domain, and when he went through the material, he "threw out" about 50% of the slides.
The three of us in the course ordered the grey-bound study guide with sample questions online, and found that there were not only some similarities in sample questions that appeared in the course manual, but even when the questions were the same, verbatim, from both sources, the answers were different.
My study for the exam consisted of poring over Unix and Internet Security, from O'Reilly, a couple of days before the exam.
To this day, I believe that the key to taking the exam was not to know the correct answer, but to know the answer that the ISC^2 organization wanted you to know.
I believe that the key to taking the exam was not to know the correct answer, but to know the answer that the ISC^2 organization wanted you to know.
That is fine if the question makes sense. If the question is lousy, then the result is horrible. Harlan is absolutely right.
I took it because I was job hunting and a lot of silly automated resume scanning tools look for keywords like CISSP. I knew that if I didn't have one I'd be at a disadvantage with people doing this automated screening.
On Monday I'm going to go into the office and have CISSP requirements removed from the two open positions I have posted. With that out of the way and telling my recruiters to stop focusing on that as a certification perhaps I can make 1 small dent in the perception that a CISSP is a requirement for a good security job.
If the folks in charge of hiring security professionals start to ignore CISSP as a certification, sort of like people very quickly started ignoring MCSE, then we can start influencing how popular the CISSP is by reducing its value.
I didn't consider passing my CISSP an accomplishment in anything other than learning how to answer arbitrarily written and arbitrarily scored questions.
It is a low bar, for sure. Anyone who asserts that it is anything besides an inch deep and a mile wide is naive and inexperienced. The only thing that the CISSP tries to do is suggest that the holder has had some exposure to some of the broad spectrum of topics that make up "infosec" - as defined by those of your "peers" who participate in its continuing design and implementation.
Since it is a multiple choice test, you might even be able to guess your way through the whole thing.
The same thing goes for the new experience requirements. I am sure that the idea behind this is to recognize the increasing complexity and the need for real experience. I am also sure that they want to keep raising the bar to keep the certification selective. After all, what would the certification mean if all x million people in the field had it? It is still a very low bar and does not attest to any particular level of expertise or experience except what the endorser asserts.
As Richard has written, one thing of value is the code of ethics. It, too, has evolved over the years.
I sat through many of the meetings where the CISSP was conceived many years ago. Trust me, the CISSP cert was designed by a committee of "peers" from all walks of the infosec community. It is currently maintained by your "peers." Hence, it is broad and much less than certain factions wanted, by definition.
So it is today. The cert demonstrates *minimum* competency and is part of infosec's progress toward becoming a real profession. Don't kid yourself. It is nothing but the barest of minimums across only a minimum number of infosec topics.
I have taught the official ISC(2) CISSP prep class and I never asserted that it was anything but a way to reveal areas where you might need additional study. There were plenty of errors and inconsistencies in both the practice questions and the course material itself. In case you have not looked, there are errors and inconsistencies across the literature in the field, and plenty of disagreements between your "peers."
However, in the main, in the hands of a competent instructor, a reasonable prep course generally helps most people focus on where they needed to brush up. For instance, common areas that people needed to work on included physical security and operations.
Don't expect the CISSP or its specializations to ever be anything but a *suggestion* of the barest, minimum competency. We all know CISSPs who do not know their ass from a hole in the ground and who have done nothing of substance. And, we all know people who are very, very good at what they do, have made major contributions to the field, and who don't have any certificates, certifications, or degrees. Just like a degree, a CISSP cert merely *suggests* that you can have a reasonable "peer to peer" conversation with the holder. We all know people with advanced degrees who are idiots.
In the meantime, consider signing up as a volunteer to help make the CISSP (and other certifications) better. We could all use your help.
50,000! Less than five years ago the press release (ISC)² RECOGNIZES 10,000th CISSP said only 2,000 CISSPs were certified in 1999, and 10,000 was reached in October 2002.
Heck, just wait until DoD 8570.1 finishes making the rounds, considering that Technical Level III, Management Level II and III all can be met with the CISSP. And considering that at least one high-level organization within a certain ground war-based military branch is standardizing on the CISSP to meet those levels, you'll get to watch the numbers fly upwards.
What gets particularly bothersome is that some of the positions getting designated as CISSP (or equivalent) required are only "security-related" in one area, such as application development. The CISSP will supposedly teach an application developer about security? Well, that's what the regulation says it will.
ISC(2) couldn't have asked for a better godsend than 8570.1; I wonder if there was some backchannel negotiating going on, eh? :)
The CISSP is a joke for more reasons than you listed. The main reason I think it is a questionable exam is its multiple-choice format. It is quite easy for an experienced test taker to eliminate two of the four choices on each and every question. That gives you a 50% chance of being right on almost any question.
I'll put it to you this way, I consider myself to be a good test taker, and while I have a lot of experience in the "10 domains" I'm no expert. I'm probably a much better test taker than I am a security professional.
I studied about two hours prior to the CISSP exam. That was it. I was sure I had failed it, just based on the fact that I (due to my own procrastination) was so poorly prepared. It was that same procrastination that prevented me from canceling it and (so I thought at the time, sure of my failure) minimizing my losses.
I passed. The only thing the book helped me on was the various models presented in the exam, such as Bell LaPadula (or whatever it is) which I wasn't aware of at the time and hadn't encountered in my work.
I basically passed by accident. That's how bad the test is.
This is not to say that I don't know what I'm talking about. I think I'm a pretty good engineer and a pretty hard worker, but at the same time the test is supposed to be "a mile wide and an inch deep," and if something is supposed to accurately gauge your skill NO candidate should be able to pass by accident.
It's a terrible cert for those reasons alone. Though, hey, it's definitely on my resume, because I do think it adds value.
Given that you think the CISSP should be something else entirely, do you know of any certs out there that better meet your idea of a good certification for information security folks? Would love to hear what you think.
Thanks,
Mike
The only certification I hold which I feel was a worthwhile experience is the CCNA. A query for Lammle lists my posts on my experience and why I like the CCNA. I hope to work on the CCNP before my CCNA expires in the spring of 2008.
Ugh. I have to say, I tune out when I hear someone say that, due to the simple fact that when I did try to do so in 2000 (shortly after receiving my notice that I had passed the exam) I really had to stay after the ISC^2 to get a response, and when I did, I (and the other person who was trying to assist along with me) were offered menial tasks that had nothing to do with what we were asking to do.
I think that over the years I've heard or seen a great deal of discussion regarding what constitutes a "good certification". To be honest, all I've really gotten out of that is that the community as a whole (not just infosec, but specifically computer forensics) is pretty fragmented.
I took and passed the CCNA instead and now I am working on CCNP. I now feel that I am actually learning something.
The concept of a CISSP-type certification is great, but in practice it fails miserably.
One fellow mentioned he was working for the state. He said he wouldn't consider non-CISSPs for the job openings in his department. The state government is for some reason requiring a CISSP for...get this...an ENTRY-LEVEL network administration job. Um...does anyone else see a problem here?
As a soon-to-be job seeker, I've also been casually looking during weekends at what's available. A job posting listed an internship job as needing a CISSP and if one didn't have that, one could have a Sec+ and six years of experience.
For an internship.
Why?
Is there hope for the beginner with a few years on firewall admin and IDS analyst duty who DOESN'T have the CISSP because they don't have the required experience?
I think IT is one of the industries where you're apt to see more non-college graduates move up the ranks quicker based on hard work than in any other industry. I'm constantly amazed at how many IT managers don't have degrees or became director of IT at some small company at 23. So there is plenty of hope. However, at the larger companies you must get past the idiot gatekeeper, known as HR. They only see certs and diplomas and keywords. That can be a challenge, and it's just another case of people with no clue interpreting the CISSP as something it's not. Firewall and IDS skills are very much in demand, so I think you will be able to find a job in this market.
Get the degree.