While some may worry that future employers of young potential CISSPs will be fooled by the lack of experience that these recent graduates will carry to their jobs, I say companies should know better. [Editor's note: Regardless of coursework or exam passage, prospective CISSPs are unable to obtain the certification without four years' experience in the field, or three years with a college degree or equivalent life experience.] Unless a firm is making its first security hire, it should easily be able to identify those who have what it takes to make it in the field versus those attempting to fool potential employers with mere "knowledge certifications."
First, to clarify my position on the (ISC)2's Authorized Academic Center program, which enables colleges and universities to offer courses leading toward recognized security credentials, I feel students should have every opportunity to learn as much about what's going on in the world surrounding their chosen profession as possible before entering it. If taking the CISSP exam is part of that world, then so be it.
However, let's be clear on one thing: The CISSP exam, like any other knowledge exam, does not prove one's abilities as an information security professional. Therefore, what difference does it make if a certified student or a certified person with three years' experience in the workplace can lay claim to having memorized the same things? On-the-job success still comes down to ability. Through the ages, being a professional has always been about applying what you know. Two hundred years ago, a blacksmith with only the knowledge of all the smithy best practices couldn't get a job if he didn't have the actual ability to smith what needed to be "smithed."
With so little attention being placed on applicable skills today, our nascent industry may be an interesting case study for future MBAs looking back on this Dark Age. Like so many before us, those who survive until the new era of enlightenment will blame it on the times, but those freshly minted MBAs will wonder why the masses wholeheartedly accepted information security professionals who were not certified by applied-knowledge exams, as in all other professions, whether they be lifeguards, police officers, health inspectors, soldiers, bartenders, actuaries, air traffic controllers, accountants, architects, plumbers, and on and on.
Yet then again, security isn't the only industry that has its own policing problems. There are many, many security certifications out there that lay claim to making one into a "professional" or providing some sort of licensing with only knowledge exams. At least the CISSP, to its credit, will not be awarded to anyone without the four years of security work experience, or three years with a college degree or equivalent life experience.
But what should constitute that experience? Some may see that as inconsequential, but it does matter when the security field is so broad that three years' experience in one security sector may not be nearly enough security stewardship to qualify for another type of information security role, never mind a CISSP. Last time I went to a club, you know what it said on the back of the huge, fat guy's black t-shirt as he scanned in patrons' IDs at the door? Security. Which brings us back to my point that an organization that hires someone based on a knowledge certification like the CISSP without scrutinizing that person's actual experience -- as verified off the resume -- is taking a major risk.
Regardless, I say we need more than one kind of security pro. Let's not classify them merely as information security professionals (What does that mean, anyway?), but rather by the area in which they practice. We can have system forensics professionals and network forensics professionals. We can have information security management professionals and information security operations professionals. We can have vulnerability research professionals and vulnerability testing professionals. And each one should have guidelines by which their skills and experience can be measured, not just the knowledge that backs them up.
That's not to say they need certification though. They just need to prove it in practice.
Pete Herzog is managing director and co-founder of the Institute for Security and Open Methodologies (ISECOM), which assures truth in security application deployment. Herzog specializes in scientific, methodical testing for controlling the quality of security, countermeasures, access controls, and business integrity.