This article can also be found in the Premium Editorial Download "Information Security magazine: Defense-in-Depth: Securing the network from the perimeter to the core."
Download it now to read this article plus other related content.
Certifiable: A newly minted CISSP gives you the inside scoop on information security's most coveted -- and controversial -- certification.
I just took the CISSP exam, and I'm here to testify: Everything you've heard about it is true. It's both disarmingly easy and bewilderingly difficult. It's both legitimately challenging and totally unfair. It's both incredibly rewarding and pull-out-your-hair-and-scream-to-the-heavens aggravating. It's a mystery wrapped in riddle inside an enigma.
It's both disarmingly easy and bewilderingly difficult. It's both legitimately challenging and totally unfair. It's both incredibly rewarding and pull-out-your-hair-and-scream-to-the-heavens aggravating.
And here's the punch line: The exam is a metaphor for the CISSP credential itself. The CISSP is the undisputed heavyweight champion of infosec certifications, the gold standard, the pièce de résistance. Yet it's routinely ridiculed as a "paper certification," lacking depth or practical application. Even those who proudly use it like a third name--"Hi, I'd like to order a pizza; name's John Doe, CISSP"--privately acknowledge that the cert isn't all that it's cracked up to be.
Did I pass? Yeah, I passed. And oh, what a relief. After I finished, I had absolutely no idea how I did. OK, everybody says that, but for some reason I thought I'd be different. I walked out with this feeling like I'd simultaneously way over-prepared and yet...somehow...failed anyway. I still haven't decided if that's a good thing. It's all part of the general weirdness surrounding this exam and certification.
This article is an attempt to explore, expose and possibly resolve some of these issues. Over the past eight months, I took the "full immersion" route to preparing for the CISSP exam. I read a half-dozen CISSP prep books, including two 1,000-page tomes. I attended two week-long exam cram classes, including one offered by the (ISC)2 Institute. I completed thousands of sample test questions from a variety of print and online sources. And I interviewed dozens of current and would-be CISSPs about the exam and credential. For comparative purposes, I also studied for and obtained another IT security certification: the TICSA.
What I learned along the way should help the thousands of would-be test-takers gear up for this exam. Perhaps more importantly, the process has taught me a little about what's right and wrong about the CISSP--both the exam and the certification itself.
1. What is the CISSP?
CISSP stands for Certified Information Systems Security Professional. The credential was created in 1991 by the International Information Systems Security Certification Consortium (ISC)2, a nonprofit organization that is the sole caretaker and credentialing body for the CISSP.
(ISC)2 is very specific about the purpose and scope of the CISSP. It's not intended to certify hands-on expertise in any infosecurity technology. Nor does it certify practical expertise in any one of the 10 domains covered under its Common Body of Knowledge (or CBK--more on this later). In fact, it doesn't certify expertise in anything, other than, perhaps, mastering the material in the CBK.
(ISC)2 officials are quite vocal about this focus--in part, one assumes, to deflect criticism of the CISSP. "Its ultimate purpose is to be able to provide an independent benchmark of your knowledge of the fundamentals of information security," says (ISC)2 president Jim Duffy. "It proves minimal competency. CISSPs do not walk on water, but they certainly do understand the information security profession."
One of the things that gives the certification weight in the industry is the sheer size of the CISSP community. We're definitely not talking Augusta National here. By the time you read this, nearly 20,000 people will hold a CISSP. By the end of 2003, that number will climb to 25,000. That's up from just 6,900 in 2001.
The jury's out on whether this growth enhances or detracts from the credibility of the certification and those who hold it. Some say it reinforces the CISSP's image as infosec's de facto credential. Others say it only proves that the exam and certification process aren't stringent enough.
Either way, the CISSP has become its own self-promoting marketing vehicle. Perception is reality. The more people who obtain it, the wider exposure it gets. The wider the exposure, the stronger the perception that you've gotta have it. Run through this cycle a few times, and it's not surprising that even those who ridicule the CISSP are now lining up to get one.
2. What are the requirements for obtaining a CISSP?
There are basically three steps. I won't dwell on these, since they're explained in detail on the (ISC)2 Web site and elsewhere.
First, you have to apply for certification. To qualify, you have to have at least four years of professional experience across the 10 CBK domains. Alternatively, you must have three years experience plus a college degree. You also have to agree to the (ISC)2 Code of Ethics and provide background information on things like felony convictions and involvement with "hackers."
The second step is to pass the exam, which costs $450 a sitting. If you fail the first time, you can retake it as soon (and often) as you want, though you have to pay $450 each time.
Third, if you pass, you're required to obtain written endorsement from someone who is "familiar with your professional experience," preferably another CISSP.
The certification is valid for three years, during which time you have to accumulate 120 continuing professional education (CPE) units through activities such as serving on industry boards, delivering presentations or publishing security articles or books.
3. Why get a CISSP?
Most current and would-be CISSPs say the primary reason they want a CISSP is to increase their marketability. "The reason I put the effort into getting the certification in the first place was to advance my career," says Brian Taylor, a network analyst with New England Research Institutes (NERI). "The job postings out there frequently require or mention the certification as an advantage."
Other motivations include filling in knowledge gaps, earning peer recognition, expanding one's professional network and contributing to the development and maturation of the profession.
"It's worth the effort if it keeps one marketable in a down-turned economy," says George Johnson, a software engineer at EMC. "As for my current job, I'm not sure that it matters a great deal or means anything to my immediate line of management in the short term, but there is another process at work that is raising the security awareness of management."
One benefit of CISSP certification--for me, the largest benefit--is that in preparing for the exam, you're going to learn a lot about subjects you didn't know about before, and probably wouldn't have an excuse or occasion to learn about otherwise. I've always wanted to learn about how Kerberos works under the hood, but it wasn't until I started studying for the CISSP that I was compelled to do so. The same thing applies to hundreds of subjects covered in the CBK.
Sure, some of this material is boring and impractical. But if you're genuinely interested in information security, studying for the CISSP exam will give you a very strong knowledge base. The exam covers maybe 1% of what you study. But no matter what you think about the exam or the credential itself, the important thing is that you've learned the material anyway--provided you've done your homework, of course. And that, I think, is what sets the CISSP apart from other security certifications. You're simply not going to get as broad an overview of all-things security from other certifications.
Candidate commentsHere's what other recent CISSP candidates had to say about the exam, their study plan and the certification itself.
"I attended [the Intense School boot camp] class and studied for two hours before the test. I
didn't study outside of class or take any of the practice tests. I did take almost six hours to
complete the test, as I considered each question in the context of my own career of 15 years in
-Randy Crolley, Senior Computer Security Engineer, Department of Energy's Savannah River Site
"I came out of the exam feeling like I had underprepared. I was fairly confident that I had
passed, but not confident enough to tell people I passed. I knew that if I failed it would be very
close. I felt and continue to feel that the worst enemy you can have in that exam is to over-think
the questions. The (ISC)2 [boot camp] class was very good at making you get in the mind-set of
thinking in a manner that would allow you know what (ISC)2 was looking for."
-Dave Draper, Director of Engineering Services, GeoTrust
"The CISSP certification is widely recognized as being the security certification to have. [The
exam is] more difficult than the Microsoft certifications."
-David Burns, British Petroleum
"It reminded me of taking a Navy promotion exam--the same format, but an additional 100
questions. Because I don't use most of the information in daily [activities], the depth of the exam
questions took me by surprise. I was confused by some of the questions."
-Lt. George Konen, Naval War College
"A lot of the questions were kind of misleading. And a lot were just plain common sense. I felt
you either knew the answer or you didn't. The exam should only take three hours at the max."
"Here are some tips when taking the exam. First, don't jump ahead. The test seems to have a lot
of double negatives, so it's critical to read the whole question before answering. I brought a
magnifying ruler to the exam. I used it to force myself to read line by line. It helped immensely.
Second, if I knew the answer with 90 percent certainty, I chose the answer and never looked back.
Third, if I didn't with 90 percent certainty know the answer, I circled the test question in the
booklet and moved on. Fourth, I went back through the circled test questions and eliminated answers
I knew with 90 percent certainty were wrong. Fifth, I worked the unanswered questions one at a time
and then erased the circle around the question once I had answered. Sixth--when all else failed--I
guessed! One last thing: Save enough time to transfer the answers from the work booklets to the
answer sheet. It takes about 30 minutes."
-Tom Madden, CISO, Centers for Disease Control
"Looking back, [the exam] seemed easy. I only did CCCure tests for a few days after [the (ISC)2
exam-cram] course. Got a passing grade on most of them ("hard" level, not "pro" level). So that
gave me confidence as well. I never opened the two books I bought. I thought the (ISC)2 class
should have put more emphasis on crypto and access control."
-Venkat Perumal, CFO, AGCS Inc.
"I could have studied until I was blue in the face. However, nothing could have prepared me for
this examination. I would say that [number omitted] of the questions don't require too much
guesswork, [number omitted] are good for interpretation, and the last [number omitted], you should
bring a coin and flip it."
-Vincent Jette, Senior Network Engineer, BIC International
4. What's the exam like?
The exam is 250 multiple-choice questions. Only 225 of these questions are used in computing your score; the other 25 are "experimental" questions that (ISC)2 might use as actual questions on future tests. However, you won't know which 25 are experimental, so give your best effort on all 250. Also, don't leave any questions blank; there's no penalty for guessing.
The questions are weighted differently, adding up to 1,000 points. To pass, you have to get 700 out of 1,000. Approximately 70% of candidates pass on their first try.
(ISC)2 reveals your numerical score only if you fail the exam. Candidates who pass the exam aren't told their scores for two reasons, says Lee Schroeder, president of Schroeder Measurement Technologies, the CISSP exam contractor.
"The primary reason is that we don't intend this exam to be used to differentiate between passing candidates for things such as hiring or promotion," he says. "We don't want to facilitate a setting where an employer is looking at two CISSPs, and uses their scores to differentiate between them."
The other reason, Schroeder says, has to do with the exam's scoring system, a complex mathematical model called "item response theory." Questions are constantly cycled in and out of the CISSP exam, creating different exam forms. The objective with each form is to create a consistent range of difficulty. But since no two forms have exactly the same difficulty level, the number of questions constituting a passing score varies from test to test.
It's a valid scoring system, but one in which two candidates with the exact same scaled score (say, 750 points) may have answered a different number of questions correctly. Rather than try to explain all this to successful candidates, (ISC)2 opts to simply reveal that they "passed."
5. What subjects does the exam cover?
Before I tell you about the exam, I'll tell you what I can't tell you. Before you sit for the exam, you have to agree not to discuss the exam's content or questions with anyone during or after the test. By breaking the seal on the exam booklet, you agree to abide by these rules.
So, while I can't tell you about the exam content itself, I can tell you about the scope and type of content, at least in general terms. This may not seem like much, but the CISSP test is like no other I've ever taken, at any level. Simply knowing what types of questions to expect when you walk in that room will definitely give you a leg up.
The company line is that the CISSP exam tests the candidate's knowledge of subjects covered in the 10 CBK domains. Dozens of books and online resources dive into these domains in great detail, so I'll merely list them here:
- Access Control Systems and Methodology
- Application and Systems Development Security
- Business Continuity and Disaster Recovery Planning
- Law, Investigations and Ethics
- Operations Security
- Physical Security
- Security Architecture and Models
- Security Management Practices
- Telecommunications and Networking Security
Some of these domains cover a lot more material (and in greater depth) than others. For instance, Telecommunications/Network Security and Cryptography are both huge domains, while Physical Security and Law, Investigations and Ethics are comparatively small.
The quantity of topics and depth of detail can be deceiving. Many candidates score poorly on the Physical Security and Law sections because they over-prepare on the big domains and under-prepare on the small ones. It's unlikely that the exam will present you with an equal distribution of questions across all 10 domains. But even if I could tell you which domains were hit hardest on my exam, it wouldn't matter, because the exam constantly changes. The only safe bet is to study each domain thoroughly, and don't be surprised when the exam seems weighted toward a handful of domains or subjects.
Another common mistake is to adopt a single, uniform approach to learning the material. The domains are very different, requiring different learning techniques. Let me explain what I mean.
In some domains--for example, Crypto, Architectures/Models and Telcom/ Networking--the topics are fact-oriented and black and white. You either know the bit size of an MD5 message digest or you don't; you either know what Bell-LaPadula's star-property rule is or you don't; you either know what OSI layer IPSec operates at or you don't. Learning this material requires a lot of rote memorization. You may know some of this material from your daily work, but you won't know most of it.
While memorizing a bunch of facts and details is an effective strategy for some domains, it won't work as well for others, such as Security Management, BC/DR, Physical Security or Law/Ethics. The material in these sections is more contextual and interpretative, focusing more on standards, principles or best practices. Here, you should focus on the application of the facts, not the facts themselves.
For example, there are eight steps to perform in a business impact analysis. The exam is unlikely to ask you to identify what happens in a particular step--that much is intuitive. Rather, it would ask you to identify the appropriate order of the steps, or to determine the most or least important step within a given scenario.
These are oversimplified examples, and, of course, each domain contains a mix of factual and interpretive material. The point is that the CISSP exam has a way of exposing flaws in your study habits. If you haven't memorized enough in the "black and white" domains--or if you can't apply your knowledge in others--you might struggle on the exam.
6. How hard is the exam?
This is probably the most frequently asked question about the CISSP exam. It's also the hardest to answer.
The exam is best characterized as an "inch deep and a mile wide." Whether this makes it easy or difficult is a matter of perspective.
On the one hand, the exam is easy because it's multiple choice, with four possible answers per question. Out of the 250 questions, the slight majority are fact-oriented questions. (I'm prohibited from revealing the approximate number of questions, and I probably wouldn't anyway, since the distribution of question types changes constantly). These questions are straightforward, well-written questions with clearly delineated answers. If you do your homework, you'll answer most of these questions without any problem.
Another large chunk of questions are straightforward interpretive questions. They set up a scenario in which you have to determine the best course of action. Again, the answers are usually clear if you've studied.
One of the things that makes some of the questions easy (or at least straightforward) is that the exam is almost totally devoid of platform-, device- or application-specific material. For example, you won't be asked to create a Group Policy Object in Win2K Active Directory, convert Unix file permissions from alpha to octal characters or create FireWall-1 ACLs. You might be tested on the difference between block and stream ciphers, or between asymmetric and symmetric encryption, but you won't be required to analyze algorithms or perform mathematical computations of any sort. You might be asked to explain the difference between code assemblers, compilers and interpreters, but you won't be asked to assemble, compile or interpret code.
The remaining questions are difficult, but for different reasons. Half of these are legitimate questions about obscure facts, or legitimate interpretative questions where the answer just isn't clear. These are good, tough questions. You just have to know the answer or be able to dope it out.
However, there's a chunk of questions that are difficult for all the wrong reasons. They're poorly worded, misleading or simply evasive (see the "Preparing for CISSP exam questions" link at the bottom of the article). Evasive: that's the word that first came to mind when I walked out of the exam. It just seems like these questions serve no purpose other than to confuse and frustrate you.
It's because of these questions that you won't have an intuitive sense if you passed the exam. And it's because of these questions that the CISSP exam often gets a bad rap. Even though these questions comprise a comparatively small part of the exam, they're the ones that stick in your craw as you walk out the door.
"I felt the questions themselves were short and easy to read," says Ty Whitten, a security engineer at Guardent Corp. "But I felt sometimes that the answers didn't represent the questions well at all. Either the answers were way off base, or I would be left with two answers in which both could have been correct. I also felt the material I studied was way more detailed than the vague questions and answers that were on the test."
(ISC)2 officials contend that the CISSP exam doesn't receive an unusual number of complaints relative to other certification exams. They point to the fact that candidates are encouraged to comment on questions when taking the exam--comments that are carefully evaluated when examining test incongruities and deciding which questions should be retired.
Moreover, (ISC)2 and its test developers say that the degree to which a question is annoying is of little significance in determining its statistical validity. The goal with the exam and exam questions is to show an acceptable level of discrimination between high-scoring candidates and low-scoring candidates. If the cluster of high-scoring candidates--those who have adequately mastered the CBK--consistently answer a question correctly while the low-scoring candidates answer it incorrectly, then the degree to which the question is subjectively "vague" or "evasive" to either group is inconsequential.
"We want questions such that high-scoring candidates tend to get them right, and low-scoring candidates tend to get them wrong," says Lee Schroeder.
One other thing: the CISSP exam is long--gruelingly long, in my opinion. You're allotted six hours to complete it, and most people take at least three. It took me about five hours.
7. What should I study?
No one book covers everything you need to know to prepare for the CISSP exam. There are at least three 1,000-page "all-in-one" prep guides out there. I've read two of these, and as comprehensive as they are, neither is sufficient in and of itself.
On the other hand, you shouldn't feel compelled to dive into everything in (ISC)2's study guide. Accept the fact that you'll never have enough time to study the CBK in depth, nor should you attempt to. There's just too much information.
The first thing you should do is review the main topics in each domain. This will reveal your strengths and weaknesses. Then, take the plunge and buy at least one of the "all-in-one" books (see the link for "CISSP study plan" at the bottom of this article). As you read each chapter/domain, take the practice exams in the book and online. Among other sites, www.cccure.org allows you to develop practice quizzes targeting specified domains.
Plan to take at least two full-length practice tests before sitting for the exam. However, keep in mind that these practice exams are intended to test your knowledge and understanding of the CBK. None of the practice tests I came across adequately prepared me for the "difficult-for-the-wrong-reasons" questions.
8. Do I need to take one of the CISSP exam-cram classes?
It's hard for me to say whether you need to sign up for one of these courses. What I can tell you is that I took two of them, and they were both very useful.
The first one I took was Intense School's seven-day CISSP Boot Camp (the typical Intense School CISSP Training Program is seven days, though the course I attended was five days). The instructor was Shon Harris, who wrote one of the popular all-in-one prep books and developed all the materials for the course, including more than 1,200 pages of PowerPoint slides, 30-40 practice questions per domain and a full-length practice exam.
The Intense School course also provides you with a variety of supplemental materials, including RFC 2196: The Site Security Handbook, NIST's Guidelines for Network Security Testing, an Internet Firewalls FAQ and a half-dozen other documents. Having all this stuff in one place saves a lot of time.
The second boot camp was offered by the (ISC)2 Institute, the for-profit arm of the nonprofit (ISC)2 certification body. If you think that (ISC)2's ties to this course will give you an inside track on the exam, think again. By design, the instructors have no input into the exam itself, and they're bound by the same restrictions that all CISSPs are: they can't discuss exam content.
The five-day (ISC)2 boot camp was team-taught by Sandy Sherizen and John Glover, both of whom really knew their stuff. They traded off on domains, Sherizen focusing on the "soft" domains and Glover on the technical ones. This was mostly effective, though their different teaching styles sometimes clashed. The time devoted to each domain, the subjects covered and the depth of discussion was very similar to Intense School's approach. However, there wasn't 100% overlap. For instance, Intense devoted more time to remote authentication than (ISC)2, while (ISC)2 devoted more time to wireless security than Intense.
Intense School's course materials were marginally superior to (ISC)2's. (ISC)2's consisted primarily of a two spiral-bound notebooks with printed reproductions of the PowerPoint slides covered in class. While Intense also took this approach, the material was backed up by written documentation on each page. This helped a lot when I went back to review the materials after the course wrapped up.
After completing each domain, the (ISC)2 instructors reviewed 10 practice questions with the entire class. I preferred Intense's approach, in which you had the questions in writing and answered them at your own pace--just like on the exam. (ISC)2 also offered a practice exam at the end of the course, but it was only 100 questions long, compared to Intense's full-length, 250-question exam. Then again, the (ISC)2 class had the advantage of using retired questions from the actual exam, which to some candidates might be a real value-add.
Exam-cram courses aren't cheap. Intense's selling price ranges between $2,600 and $2,900, while (ISC)2's list price is $2,400. You get a few more frills with Intense's approach: most costs related to hotel and meals are included in the course fee. If you're going to sign up for a boot camp, the natural question arises: Should I take it before I start studying, or after I've already done most of my homework? I did it both ways, and would suggest these courses work better as a primer, not a review. They set out a framework of topics and expose holes in your knowledge. Better to have plenty of time to fill in those holes before sitting for the exam. Both courses boast successful pass rates. Including myself, 15 out of the 16 people in Intense School's boot camp passed the exam. Of the 11 students I heard from after the (ISC)2 class, nine passed. The standard pass rate for all CISSP candidates is 70%. You do the math.
If you sign up for a five- or seven-day boot camp, be prepared for your mental buffer to runneth over. Both courses I took did a good job mixing up the material by alternating technical- and management-oriented domains, but there's no way to get around the huge volume of information you have to absorb.
While Intense School and (ISC)2 courses may be the most recognized CISSP boot camps, several other CISSP classes are available, ranging from one to seven days in length. One of these is The Training Camp, which (ISC)2 recently contracted as a course "reseller."
So, to answer the initial question, if you can get your boss to pay for a boot camp, and can afford the time out of the office, do it! You won't necessarily learn anything different from an equivalent course of independent study, but a boot camp will give you a lot more confidence that you're on the right track. The instructors can help you grasp complex topics, and you can band together with fellow students to form study groups. All of these things help you get motivated to do your homework--and pass the exam.
9. What other security certifications are available? Which one is "best" for
The CISSP may be the most popular security certification, but it's far from the only one. You might be surprised to learn that there are at least 45 information security-related professional certifications, according to Certification magazine. Thirty of these of these are vendor-neutral, while 15 are vendor-specific.
I won't attempt to discuss all or even most of these. Instead, I'll discuss the basic categories, and suggest which certifications are recognized as the "leaders" in each. This ranking is obviously subjective, though I think it generally reflects how most infosec professionals feel.
- Benchmarks. These certifications are widely recognized and respected by professionals on
all levels and in all sectors in the infosecurity industry. What's more, they're increasingly a
prerequisite for many jobs, an indication that they are also recognized and respected by
non-security managers and HR.
In addition to the CISSP, I'd put ISACA's Certified Information Systems Auditor (CISA) and SANS's GIAC Security Essentials Certification (GSEC) in this group. The CISA is the CISSP for the IT audit community, plain and simple. The GSEC is kind of the "anti-CISSP." It's more technical in nature and, like most of the 11 GIAC certifications, it has gained the respect of the techy community that the CISSP lacks.
- "Foundation" certifications. There are at least a half-dozen introductory certifications
for professionals with one to three years of experience. Leading certifications in this category
include (ISC)2's own Systems Security Certified Professional (SSCP) and the CIW Security
- Vendor certifications. Many of the leading providers in the security space--Cisco,
Symantec, Check Point, Tivoli and others--offer multiple certification levels, from baseline
"administrator" to more advanced "expert" (some even offer "expert plus").
On a slightly more generic level is SANS's vendor-agnostic GIAC Certified Firewall Analyst (GCFA) and GIAC Certified Intrusion Analyst (GCIA), both of which have an excellent reputation.
- Certifications for non-security professionals. As the visibility of IT security grows in
the enterprise, so does the number of non-security professionals who have security-related
responsibilities. Several certification programs have cropped up to fulfill this need, including
SECURITY+, offered by CompTIA; and the TruSecure ICSA Certified Security Associate (TICSA).
As I mentioned earlier, I sat for the TICSA exam to see how it compared to the CISSP. In a nutshell, if the CISSP is "an inch deep and a mile wide," the TICSA is "two feet deep and 100 yards wide." Obviously, the scope and breadth of topics covered pale by comparison to the CISSP. Then again, in places the TICSA content is actually deeper--more technical, more hands-on, more practical.
(ISC)2 could take a page from TruSecure's book on question creation and exam delivery. To my recollection, few, if any, of the 75 questions on the TICSA exam were evasive or vague in the way that some CISSP questions are. Also, TruSecure partners with Thompson Prometric to deliver the exam. You can sit for the exam at any Thompson facility (there are 3,500 centers worldwide) whenever you want. And the TICSA exam is completely computer-based. As soon as I completed the exam, I was informed of my score and given a printout of how I did in each of 14 TICSA sections. See www.trusecure.com/ticsa.
- Advanced certifications. Several industry groups are jockeying to gain CISSP-like
acceptance for their "advanced" certifications, which is one of the things the industry is sorely
missing. In addition to the expert-level vendor certifications, advanced certs include SANS's GIAC
Security Engineer (GSE) and ASIS's Certified Protection Professional (CPP), a CISO-level
certification covering human, physical and information security. Neither of these has achieved
anywhere near the level of acceptance as the CISSP.
To its credit, (ISC)2 has recognized the need for more advanced (or targeted) certifications. As of May, it offers three certification "concentrations" that build upon the CISSP: the Information Systems Security Engineering Professional (ISSEP), a certification developed in partnership with the National Security Agency; the Information Systems Security Management Professional (ISSMP), which validates advanced security management expertise; and the Information Systems Security Architecture Professional (ISSAP), which validates advanced technical knowledge and expertise.
10. Does the CISSP deserve its reputation?
There are really two questions here: Does the CISSP deserve to be the industry's gold standard? And does the CISSP--and (ISC)2--deserve all the criticism it gets?
The CISSP is frequently criticized because it doesn't contain a lot of advanced material. People naturally assume that the "gold standard" should be the "best" in every way--not only the most popular or broadest in scope, but the most advanced and selective, too.
"It's not a certification that says, 'I'm a damn good information security professional," says Nan Smith, a newly minted CISSP and cybersecurity program manager for the Oak Ridge Institute for Science and Education. "To me, a certification should guarantee to the employer that you've made the effort to become good at what you're doing, at what you know. To me, the CISSP doesn't say that. It says, 'Hey, I figured out what (ISC)2 wanted me to answer on the exam.'"
In some ways, this is a legitimate critique. The CISSP is not and never will be equivalent to the "gold standard" in other fields--for example, the CPA for accountants. To obtain that level of respect, the CISSP would have to be sanctioned by regulatory and legal bodies, and recognized by communities outside of the infosecurity profession.
But we're really talking apples and oranges here. (ISC)2 never intended the CISSP to be the CPA of infosecurity. Yes, the credential has acquired the reputation of pretending to be something it's not. But that's hardly (ISC)2's fault; it's certainly not an image that was ever promoted by (ISC)2.
Moreover, it's unrealistic to expect (ISC)2 to change the fundamental makeup of the exam to make it more "technical" or "advanced"--qualities that, in the minds of its critics, would make it truly representative of a gold standard. It is what it is. While you can alter the requirements and qualifications for sitting for the exam (which (ISC)2 recently did), you can't arbitrarily decide to change the basic charter or mission of the credential or character of the exam.
More from Andrew Briney on how to pass the CISSP exam
With all this said, however, I think it's fair to criticize the CISSP on two scores. First, the exam does have some problems. Whether or not the "evasive" questions are statistically and psychometrically valid, they are evasive. Yes, in the final analysis that's my opinion, but it's not as though I'm alone in feeling this way.
The second problem is related to the first. Thanks in part to the exam, the first impression one gets of the CISSP is often negative. Whether you pass or not, nobody walks out of the test center feeling enthusiastic about the experience. It seems that the ramifications of this bad image are almost totally ignored by (ISC)2.
Can either of these problems be fixed without making the test too accessible to "test-savvy" candidates who have no business holding the CISSP credential? Good question.
Andrew Briney, CISSP, TICSA, is Information Security's editor-in-chief.
This was first published in June 2003