Is the CISSP going the way of the MCSE? Now that colleges are beginning to offer the Certified Information Systems Security Professional certification as part of their undergraduate degree programs, this highly valued certification just might lose its luster, much like the once prestigious Microsoft Certified Systems Engineer has.
This fall, Peirce College will join Florida's St. Petersburg College as the second school offering classes tied to the domains of knowledge for both the CISSP and the Systems Security Certified Practitioner (SSCP). Combined with other college courses, a student can not only enter the workforce with either an associate's or bachelor's degree, but also having passed one of the International Information Systems Security Certification Consortium's exams. Due to experience requirements for both certifications, the candidate does not actually get the CISSP or SSCP designation until the experience has been obtained. This program will not be unique to these two schools, as the ISC(2) hopes to sign up as many as 100 colleges to offer its courses.
The CISSP is designed for people in a security management position, where they will use their experience to properly assess and mitigate security risks. Though the CISSP exam itself asks concrete questions on topics from business continuity to telecommunications, the spirit and intent of the CISSP is rooted in experience. It is certainly possible to teach someone how to perform a Diffie-Hellman key exchange, but it is the experience that dictates when it is appropriate.
As laudable as it is that colleges are becoming more aware of the need to teach students about information security, let's not pretend that this marriage of colleges and certifications will help the present and future holders of the CISSP. While offering the SSCP at the college level is not quite as worrisome -- it is targeted toward junior-level infosec pros -- offering the CISSP to undergraduates devalues the credential for those with decades of experience.
It may not be long before just about anyone lacking experience in the field can be "coached up" to pass the exam. Plus, with an embellished description of one's job duties, it will become possible for a 22-year-old kid to attain the same certification as those who earned the distinction via sweat equity, working through the ranks. Similarly, it may prove to be a long-term disservice to recent graduates, since their specific degree/certification combo will send many of them on a narrow path at a time in their lives where their true interests are probably unknown.
Let's not forget that the importance of experience in a security role cannot be understated. The scope of material covered by the certifications is so broad that an understanding of a textbook does little to help someone new to the industry. Sure, certification coursework can be taught to college students, but if this learning does not happen alongside practical field experience, then it is virtually useless.
Candidates will not be fully fledged CISSPs until the experience requirement has been met, but I don't think employers will know that. It is the prospect of these inexperienced people entering the workforce holding their CISSP test reports that causes me to draw parallels to the MCSE. Not long ago, the MCSE was the mark of an experienced and knowledgeable Microsoft Windows professional, but the rise of "certification mills" offering certification in a matter of weeks has lead to the MCSE becoming little more than an entry-level classification. Answers to the questions on all the MCSE tests can even purchased on the Internet just a few dollars, leading to the certification's second name, "Must Consult Someone Experienced."
There is, however, a bright point for those already certified: a combination of experience and the certification can be used as credit toward a degree. That is, a security practitioner with his or her CISSP can go back to school and cut up to a year off the time needed to obtain a bachelor's degree.
I applaud the ISC(2) for getting involved with colleges, but I would suggest that it be in work-experience programs and courses involving more hands-on learning. Encouraging inexperienced individuals to pursue higher level security certifications will undoubtedly hurt the industry. Today, when a company hires a CISSP or an SSCP, the company knows exactly what kind of knowledge and experience that person brings. Letting that certainty slip away would be a loss for us all.
Sean Walberg is an author and information security professional based in Winnipeg, Manitoba.