Don't mistake the CISSP for a CPA
I don't mean to be mean spirited, but it really digs at me when I read articles like this from people who are not or appear to not have passed any type of certification themselves and yet are labeled as an "information security professional."
I find it interesting that most people who have anything negative to say about any of these certifications either has no certification or cannot pass the exam to become certified. That being said I am a CISSP, CISA, CISM, ISSPCS, also certified in ISS and SPI Dynamics. I serve on the board of directors of InfraGuard and my local ISACA local chapter, am a member of ISSA and am the information security specialist for a U.S. government agency.
I have a 4-year degree in financial accounting; I have over 20-plus years of experience. Let me just say that as an accountant, the school I went to emphasized that we obtain our certified public accountant (CPA). People who usually have their taxes done by a CPA usually boast that they have their taxes done by a CPA, and for some reason use those hand signals that represent quotes which helps to emphasize their affluence.
Some college grads normally sit for the exam right after they graduate and some actually pass. Does this mean they are something of an expert when it comes to all phases of accounting, auditing, tax law, cost accounting, internal controls, etc.?
Not all veteran CISSP's know how to check the configuration of a CISCO Router or even perform advanced penetration tests. Your perception is convoluted by the certification itself. Much like the high school drop out that can find all the reasons why he didn't go to college based on the simple fact that some college grad he knows can't change a car tire.
An individual needs a minimum of two years of college with at least some IT curriculum and at least three years of hands on experience that is signed off by a supervisor or another CISSP to actually become a CISSP. However, unlike the CPA certificate, the CISSP receives his certificate soon after passing the exam. Should this change? Yes, I agree that the individual can in fact pass the exam after they graduate from college but should not receive the certification until they have completed the criteria. The fact that universities have recognized the need for a CISSP curriculum will probably enact this measure.
That's really not much different than a CPA, which mandates simply two years of "financial" experience. Nothing mentions tax experience. As a matter of fact, you don't have to be a CPA to fill out a tax return. Guess that's like uncertified home users who think because they have AV installed that they're safe.
So why is it such a bad thing for universities to teach people the CISSP curriculum or (ISC)2 classes? You don't think twice about taking your taxes (which if done wrong could cost you possibly jail time) to someone with a CPA who could have little to no real tax experience.
The fact that the universities feel this is important enough to teach as part of their curriculum says a lot. Does it say that the certification is losing it luster? No -- I feel it means the certification is being noticed as a profession. In my opinion, articles like this will make people like myself push to change the criteria to make it more difficult to become certified. I think the uncertified feel this is a threat, so they find the rational to seek out the negative. (ISC)2 and ISSA are not static organizations -- they are moving into the future.
San Antonio, Tx.
Industry to blame for certification's woes
I don't understand why this article is titled "'Student' CISSP's..." when the same article readily admits these students won't be CISSPs. Additionally, conjecture that students will be able to lie easier about being CISSPs does not hold true in my experience, as I've never even been asked to show proof of any certification. However, if I were, I think it would certainly raise suspicion if I returned with a test result printout rather than the proof that was asked for. Besides, any computer science student -- or, for that matter, any 13 year old with shareware paint software -- could forge "proof" of certification. If we must create a problem out of this, I think we'd all be better served focusing on employers not having/knowing a number to call to verify CISSP certification (that would nip all these worries in the bud).
Personally I think it's the IT industries own folly that certification is considered anything more than a formality. Law firms don't assume you're a good lawyer just because you passed the bar (an exam considerably harder to pass without knowing anything). The CISSP exam -- and likewise the certification -- is yet another ruse, another buzzword, another certification that apparently even a college kid can pass without much difficulty.
By the way, shouldn't it be of greater concern that a novice with half a day of studying can pass such a supposedly elite exam? At least this explains why security is in the state it's in at most companies.
If the initials after someone's name influence your hiring decisions, you might be the only one with less experience than the person you end up getting.
Proof of experience is key
I have no problem with the colleges teaching the subject matter for what is included in the common body of knowledge for the CISSP. What I do have a problem with is that (ISC)2 allows people to even take the certification exam without being able to prove their work experience in the field.
If the work experience were required prior to taking the test, there wouldn't be an issue of people be "provisional" CISSP or whatever they call themselves. They would not have test scores to report until after they had compiled the necessary work experience. This same requirement would have stopped the flood of CISSPs that resulted from CISSP "boot camps."
Since it is too easy a solution, simply switching the order of test and work experience, I don't expect (ISC)2 to implement it.
CISSP should require 10 years of experience
I certainly agree with the writer. Studying text books and taking a test (no matter how difficult) cannot replace experience.
I think we need to up the ante to become a CISSP. I don't think three years experience is nearly enough. I have 30 years experience in the IT and information systems security fields, and I can say that one may know how to use PKI, but knowing when to use it is a completely different matter. I'm glad colleges are recognizing the need to teach computer security, and I applaud (ISC)2's efforts. However, to be a CISSP should require 10 years experience.
The problem is… everyone else
I think the biggest impact on the value of the CISSP is the lack of knowledge people in HR and business-level management have with regards to the experience of people like myself who have attained the CISSP. Until employers and HR personnel in particular raise their knowledge level on the CISSP, this certification will go the way of the MCSE as you predict … If ISC(2) really wanted to help me and other holders it would take the lead in raising the level of awareness of what CISSP's can bring to organizations.
George E. Jones Jr.
An associate is no substitute
"(ISC)2 has a program called CISSP (SSCP) associate. It allows for security practitioners to prove their knowledge about information assurance even though they do not yet have the required years of experience. Despite what the author of this article may think, I will not be known as a CISSP after passing this exam. I am only allowed to title myself as an (ISC)2 associate or CISSP associate. It should be clear to anyone that a CISSP associate is not the same thing as a CISSP. I firmly believe that earning certifications will not only validate the candidates' knowledge of information assurance and raise the overall quality of new hires into the job market, but it will help to better secure the world computer infrastructure from the threats of your time.
Diminishing the CISSP 'brand'
"CISSP seems to be a phenomenon without much basis. I'm not sure it could be diminished in any practical sense by marketing it to college kids. It has become very popular for the same reason as many other brand names -- a perception of quality by people who don't know or aren't interested in determining true value. (ISC)2 charges a lot of money, and the supporting training companies sell the premium cachet of this brand. Their sales might decline [as well as] their premium prices, if the brand is diminished. But I would invite anyone to describe what value the certification provides in any operational sense. CISSP is about memorizing some terminology and handling a multiple choice test. Securing systems requires other skills.
'Beauty' lies in the eyes of the beholder
"What [Walberg] is saying is that the value of the CISSP certification depends on the holder more than the certification. This fact is as true today as it was before there was a CISSP certification. The certification only indicates that the bearer has taken the time and effort to do the test and get it, which is true for any certification. Those who use the CISSP certification as a measurement of a person's competence in the security field are as deluded today as they would be when every 22-year-old kid has it.