One of my favorite pieces of swag from RSA was this "Not a CISSP" button that was pinned onto me by none other than Sinan Eren as I was chatting with Justine Aitel at the Immunity booth. Actually, there should have been a prize awarded just for finding the Immunity booth -- they were subletting another vendor's space for a few hours at a time, so one minute they'd be there and the next they were gone.

I digress. What inevitably happened once I started walking around with this button proudly displayed was that I would get one of two reactions. The first group -- mostly current and former co-workers and acquaintances -- understood the humor and got a good chuckle out of it. The second group would ponder for a bit and then ask, with some confusion, why I'd intentionally point out the fact that I'm not a CISSP. I'd give a brief answer and get back to talking about Veracode (we booth babes have responsibilities, you know).

So, why indeed? The long answer is that like many security certifications, it's an ineffective measure of a security professional's practical abilities. Employers and customers often assume the guy with the five magic letters on his resume is technically superior to the guy without. In my experience, it's exactly the opposite, particularly in situations where you have to sit down at a keyboard and actually DO something as opposed to talking about it. Certainly, I've encountered some very notable exceptions to this observation, but we're playing by the 80/20 rule here.

There's a good reason for this. The trend in information security is toward specialization. Security has become such a broad umbrella of varying disciplines that it's quite difficult to be a generalist. A security career is a balance between breadth and depth, and these days, the skilled pen tester, reverse engineer, or vulnerability researcher is more marketable than the guy who knows a little bit about dozens of different disciplines but can't apply that knowledge in a practical situation. The CISSP subject matter illustrates this perfectly -- you have cryptographic algorithms, site location principles, network security, and civil law on the same exam. I won't even get into the complaints I've heard about the poorly-worded, overly simplistic exam questions or the ones that simply test one's ability to memorize obscure facts.

I'm not claiming that there's no value to holding the CISSP certification. It can't hurt to have some exposure to business continuity planning, for example. The problem, as I stated in the beginning, is that the CISSP title is often interpreted as an indicator of practical abilities rather than a book-level understanding of security basics. These misaligned expectations can ultimately lead to bad hiring or staffing decisions.

DROP Table SalesPitch

Career advice, take it or leave it: If an employer or prospective employer demands that you get your CISSP in order to be hired or to progress in your career, run fast in the opposite direction and find a place where you will be valued for your cumulative experience rather than a piece of paper. Learn by doing, don't "learn the test," so to speak.

And that, in a nutshell, is why I love my "Not a CISSP" button.

By the way, here was my other favorite from RSA, thanks to WhiteHat. This one and "Samy is my hero" were the best out of a pretty clever selection... even though they forgot the semicolon after the single quote. <grin>


About Chris Eng

Chris Eng, vice president of research, is responsible for integrating security expertise into Veracode’s technology. In addition to helping define and prioritize the security feature set of the Veracode service, he consults frequently with customers to discuss and advance their application security initiatives. With over 15 years of experience in application security, Chris brings a wealth of practical expertise to Veracode.

Comments (44)

TK | April 18, 2008 11:57 am

I've met many, many security professionals that are above and beyond the majority of the CISSPs in the field. Like other certifications, it has become devalued, and this belief is shared not only by coworkers but also by managers in my organization. It may help you get a foot in the door some places, but any company that requires it gets negative bonus points in my book.

I will not be renewing my cert when it expires...

Joel Elser | April 18, 2008 12:44 pm

I am jealous of your button. That rules.

Joel Esler | April 18, 2008 12:44 pm

Helps if I spell my name right.

CG | April 18, 2008 1:10 pm

It's a good thing you aren't still on the NSA Red Team, or because of 8570 you wouldn't be able to wear your "Not a CISSP" button.

Your career advice may work for people of your caliber and experience, but for everyone else starting out it's difficult to get that experience when so many people or contracts require certifications to get the experience.

CEng | April 18, 2008 2:04 pm

@CG: Seriously? Does DoD 8570 really require Red Team (and other DoD) personnel to have CISSPs? That's just sad if it's true... That's a perfect example of a case where the required skillset is completely misaligned from what the certification provides.

DJ | April 18, 2008 2:33 pm

Sounds like someone failed the test. And if you cannot even spell your own name, then maybe you should consider letting your cert run out and take some spelling lessons.... but it is a cool button.


Thomas | April 18, 2008 2:36 pm

This has always and will continue to be a fun debate. What I always find overwhelmingly hysterical is how critical the 'experienced people' are of the 'certified people'. Do you ever see 'certified people' walking around bashing on those who are not certified? No... not really... it is normally the opposite where people claim certification adds no value and those that do get certified are in some way just downright clueless individuals and that certification is simply a waste of time.

What certification offers, as Joel pointed out, is a way for some of us to land jobs. Some of us did not grow up tinkering with electronics, but rather waited until a bit later in life to fall in love with technology. That said, both have their benefits. Experience is a good thing, but it certainly does not mean you have a clue about the business. Certification is a good thing, but it also does not mean that you have a clue. Is it possible then to be certified and experienced? Probably…

At the end of the day, what matters most is being able to have an impact within your company. If that means having a certification, then great. But it also might mean experience means more in that particular environment. Saying one is superior to the other, in my opinion, lacks merit. Environments are all different and what makes a difference in my shop might not mean squat in the building next door.

Love the posts… keep ‘em coming…

luke | April 18, 2008 3:24 pm

I guess you won't be doing Information Assurance for the government either......

CG | April 18, 2008 3:52 pm

Yes, it is required... and rumor is that CISA will now be required too, since they (Red/Blue Teams) are "auditors".

yes Chris, it is sad.

cyphunk | April 26, 2008 10:16 pm

I think everyone agrees that, due to just the science of marketing, certs will help you get jobs. For CISSP the market for it is somewhat justified. The major distinction I see from other certs is that CISSP has some emphasis on policy and other non-nuts-and-bolts technical details that are important for security management, and many people in corporate security these days have to review tons of specs and evaluate products or services more than they do configuring junk. I think the CISSP fits that market well. It doesn't show energy or understanding of the finer technical details, and it doesn't really give you much in terms of hands-on. BTW, this is just what I've come to understand from watching friends get this cert. But whatever, did I just write two paragraphs about CISSP?

Matt | August 25, 2008 11:13 am

The CISSP cert is a joke and a half... It's also a very well played scam by Shon Harris, Michael Greig and the rest of the douchers who are riding the idiot cert wave.

I'm thinking of starting my own random certification, convincing my company and a few key government officials that it's really necessary, then I too will make millions off an unneeded, unaccredited, waste of time and superfluous exam.

By the way, I took the test yesterday, and it is retarded. Every question had a grammatical or punctuation error which served to make the question virtually invalid.

Senti | September 2, 2008 12:20 pm

I still remember going for the CISSP cert in 2002. Although I was sceptical before the test, I was laughing out loud after the test. I came to do the test with something like 10 years of experience in the security world. Half of the questions were totally retarded and hard to understand for non-native English speakers (like me). A quarter of the questions had retarded answers, which conflict with real-life experience. I mean, I've been doing pentests for 6-7 years, and here I get a question like "Who should be informed of a penetration test?" Well, my experience to that point showed me that management informs whoever they want. They don't make decisions based on what CISSP question writers think.

I just saw a program at my mate's place (some Testout CISSP crap), and I was stunned after seeing so many test questions which have NO relation whatsoever to real-life experiences. I see that they've introduced some brain-damaged concepts like "zero-knowledge" pentesting teams, hahaha. Gotta keep up with buzzwords, I guess.

After I got the CISSP "cert" 6 years ago, I refused to pay the "membership" and told them to **** themselves.

Nice scam attempt, though.

Steve | September 25, 2008 4:29 pm

I took the CISSP and passed a few months ago. I agree that the CISSP is a complete joke.

My "preparation" consisted of spending a few hours the night before taking the online free versions of the test on the Internet. I was actually somewhat surprised as to how easy the real test was compared to the online freebies.

I expected the questions to be nonsensical and not applicable to the real world, which they were. Most of the questions I answered not based upon real world application but based upon what I felt ISC(2) wanted.

The test is scheduled for 6 hours. I was done after 2 hours and that was at a leisurely pace, including take a break for a snack I brought and going over the test answers again.

Luckily my employer graciously paid for this piece of crap paper which I recycled as soon as I received it in the mail.

Ron | November 16, 2008 11:52 pm

Guys, I have worked in IT for 13 years... I've done IA work for the government and I helped develop a commercial B2+ secure operating system used by the military... So, I knew a few things about security before sitting for the CISSP. That being said, the potential body of knowledge is so broad that the test questions can be just about anything you can imagine... BC/DR, Physical Security, Crypto, etc. If you don't have a broad career experience, it is very likely that you won't know much about at least one or two of these areas. So, in that respect, this is a difficult exam for a lot of people. Does it mean that I now know more about access control than I did before? No. Do I know more about legal and regulatory requirements? Sure... And that is not a bad thing. Stop whining... Prepare and take the exam-- you might end up being a more well-rounded professional. (And if you want to take technical cert exams, go get yourself a CCIE... see if that one is easy... or cheap)

LX | December 11, 2008 6:33 am

Put a CISSP at a keyboard and ask him just to find which is the domain controller in a network, and he probably will cry...

LX | December 11, 2008 9:58 am

The first bad thing about CISSP is that it is considered valuable, and the second one is that those who have it think of themselves as supernatural creatures in the World of Security. Talking seriously though, it is just a certification for managers without technical background. So when the technical guy says "I know TCP/IP", they can answer "I know BIA". The strange thing is how those people can be consultants and know how to secure a network infrastructure. Finally, maybe it is just papers and reports that managers hold, and all the actual work is being done by the underlying layer where technicians, admins, etc. can cooperate.

Don't confuse CISSP with technical security!

kk | January 12, 2009 10:45 pm

So.... Not a CISSP button, eh?

Well, the world is full of sarcasm-laden bunnies like you. Why don't you get a "Not a college grad" button while you're at it? It's saying the same thing.

Certs are simply a way to add value to those resumes to get you in the door, or some places ... provide the opportunity to transfer internally..

While you're at it, why don't you knock the idiots who paid $20k for a college education? Why don't you knock everyone who aspires to study and test?

The button you should be wearing at RSA "Sarcastic @ssh0le"

workin4daman | January 20, 2009 11:22 pm

This sounds like me back in the '80s and '90s. First it was the college grads with CS degrees who were totally clueless. You'd spend 6 months training them, and then mgmt would promote them to be your boss, and they still didn't know anything. You'd ask why and hear, "Because they have a degree." Argh! Then the Novell certs hit, and a bunch of "clueless" idiots got those and made a pile of money. Next I worked with MCSEs who didn't know their butt from a hole in the ground. They were in demand and making money. After several years of designing and building networks (OSPF, BGP, STP, etc.), I ran into a few supposed CCIE blowhards who didn't seem to have any real-world experience, couldn't troubleshoot to save their lives... yet they were making $130K and I was making $90K... what gives?

All the while, these idiots who had the "papers" were getting hired by the peons who listed these credentials as a requirement for getting the job. They were making all the money, having an easy time finding work, etc. I decided to quit "fighting gravity" and "tilting at windmills", and go get those papers myself.

Now I have a whole crapload of "papers" – BS IT, CISSP, RHCT, CCNA, MCSE, CNA. This year, I plan to obtain an MBA and a PMP.

Does it mean I know anything? Nope. But now I'm invited in the door, where I can demonstrate my abilities. It’s about opportunity. Those with the papers are given the first shot, IMHO. Think about it. Who is running the companies? People with papers. People with papers want to hire other people with papers. Discrimination, or Human nature? Both. But in the end, who cares? Want to change it? Start your own company, and hire only those w/o papers.

Otherwise, you’re like one of those tax protesters who refuse to pay taxes. You may be right, but you aren’t going to change human nature.

izblah | January 31, 2009 5:47 pm

The sad thing about this cert and the requirement for people working under the Mil/Gov 8570 requirements is this...

Many (most) contractors (even the ones not directly working in "IA" roles) are being required to maintain this certification to work in technical positions. But, you know what a lot of the GS managers are doing? Getting their job descriptions re-written so they are not required to pass this cert... Absolutely atrocious...

It is a sad time, indeed...

Dave | March 6, 2009 4:43 pm

Yo Chris,

Good grief, this is a silly debate. Reality is that this is our industry. Stupid or not, some places simply require it. Yeah, the cool places don't, right? For the majority of us that work in private industry or gov, this is just a fact of life. They don't make you cool or prove you're smart. They are an HR goon seek.

That said, it shouldn't be automatic disrespect for someone who has obtained various certs. Neither should it be a leveraging point for folks to exclude folks who have simply because they have not. I hope people judge me by what I say and do, and not by a piece of paper, but again, this may be life.

Also, you don't always need a semi-colon for a SQL injection. MSSQL happily accepts run-on statements.

mikey | April 6, 2009 12:06 pm

I need a "Used to be a CISSP" button. I was the first one out of the exam room, in 45 minutes. The test itself was an exercise in parsing English, not knowledge. Real knowledge about the 10 domains doesn't mean you're going to pass. Then, a year later, (ISC)2 billed me for an $80 per year "maintenance" fee that was never disclosed when I went for the cert. After 3 years, my cert expired, and if I want to re-cert, I'll have to take the test again and pay (ISC)2 the overdue fees amounting to $240 (3 yrs x $80) now.

So, they want me to buy my re-certification for $240+the new exam fee. THAT'S what it really takes to be a CISSP. It's just a money-making scam for (ISC)2.

Brad Andrews | April 7, 2009 11:59 am

workin4daman, I doubt you didn't learn anything from studying for those certs. You may not be the expert the letters imply, but you had to have learned something along the way. :)

We would be much better off if more people knew the basics of the CISSP and such things. Knowing the principles, even at a shallow level, can definitely help when selling the concepts. Security is hard enough to get across; cutting down those who show some understanding is not all that bright, IMHO.


Brennan | April 30, 2009 10:42 am

I work with many CISSPs. Many of them have no concept of technical security.

Benjamin | July 24, 2009 9:50 pm

You might think some people have their entire professional identity wrapped up in this certificate. So much butthurt from proud CISSPs. So many ways not to care.

Dave | July 25, 2009 11:00 am

CISSP is not a technical cert. It has some technical content, but overall just measures that someone has at least some basic understanding of what security is.

Security is such a varied field that a single cert truly can't indicate someone's abilities, even if a cert truly could.

I have the CISSP and CEH certs. While I think I did pick up a bit in knowledge studying for them, I don't think they make me a security expert by any means.

Prive | July 29, 2009 11:25 pm

The CISSP is to security as the MBA is to business. It does not mean the holder is an expert on every aspect of the field, but rather that they have learned the basic concepts across the broad scope of it and shouldn't have too many big blind spots which might otherwise trip them up and cost their employers dearly. The holders and knockers who suggest CISSPs should be hardcore tech experts are just off-base.

Just as a CEO with an MBA has an appreciation of the main considerations relating to payroll but couldn't be expected to be 'put at the keyboard' and pump out the monthly salaries, a CISSP is expected to help ensure a prudent and balanced security posture rather than demonstrating [email protected]||z at the command line.

No matter how good your woodcutters are, it still helps to have someone who can take in the whole forest.

FWIW, for those with broad IT experience, I rate the study aspect of the CISSP as between one and two modules of a 10-12 module MBA. In both cases, I did not aim to just pass, I aimed to master the subject matter because it was about the learning, and for me the CISSP is part of the road, not a destination. [MBA-distinction, BSc, CISSP, ITILf etc].

RR | October 13, 2009 10:12 pm

Anyone who says a CS college degree is useless is most likely useless himself. Anyone who dedicates 4 years of study to any subject matter has accomplished a great deal. Those that bash individuals with college degrees are pathetic, no matter what field it is in. Have you ever heard of dedication by committing yourself to attaining a very difficult degree such as CS? The whole idea of a college education is a stepping stone to your career. You know maybe 10% of what you need to know and figure out the rest on the job. Anyone who thinks a college grad should know 100% of their field straight out of college is a total ass. Don't knock it until you try it.

James H. | June 21, 2010 10:17 am

I passed the CISSP exam a couple years ago. I studied a couple of books and a few of the free on-line exams and passed the first time. Like many of the posters and coworkers I had talked to, I found the questions to be poorly worded and ambiguous. Based on their knowledge and the quality of their work, I had very little respect for the people who proudly added "CISSP" to the end of their name and a great deal of respect for those who would casually say, "Yeah, I passed the test too." At the time, I thought CISSP looked like a scam and nothing has changed my mind about that. I took the test mostly because I had set a personal goal to do so and because the company I worked for encouraged it and paid for it.

That said, studying for the exam did help me. I gained some general knowledge in areas of IT security that I hadn't been exposed to before. So earning the CISSP certification was not a complete waste of time. I got a pretty certificate too. ["I wonder where that is, in that pile or in the drawer? Oh, I remember it's under there. No, well maybe I'll run across it some day."] Now that I have passed the test, I have not found the certification valuable or respected by those whom I respect. I have not renewed my membership.

My college education has been a much better investment, not because of what I learned but because I gained the skills to learn well. If you have the chance to go to college, I would certainly recommend it.

If you have the chance to take the CISSP exam, I would recommend it as long as: your company will pay for it, it's not too far to drive to the nearest test location, you read a prep test book or two (buy a cheap, used one from Amazon, eBay, or Craigslist, or better yet, borrow the book), and you take some of the free online tests. Don't spend more than $50 preparing for the test.

Bill | September 16, 2010 12:15 pm

Ever notice how people without something like to gripe about it?

Frederick | July 21, 2012 4:21 am

The CISSP is very much so a scam. Just like GCIA, and many others. In order to take the test you have to pay $500 dollars. GCIA used to be $250 dollars, until people started to complain. So SANS sent out an email stating that in order to motivate people to pass the test they upped the price to $500 dollars, then to $1000. CISSP and GCIA, Security+, all these certs ask questions that are so overly tricky and not aligned with the material in order to make it harder for people to pass. They do this on purpose to maintain the value of their false cert, obviously. I have watched people take the CISSP three times over, losing that amount of money each time, and not many companies pay for it, but require it. Currently so many companies are putting pressure on employees to get certs. I have literally seen qualified individuals lose their jobs, all because of these stupid certs. I hope whomever created these scamming certs, and those who are too ego-tripped to swallow their pride, remember the people who lost their jobs going for these stupid things. Nothing but blood money.

Oh yeah, and if you think you're special for having a CISSP, then think again. It has long been suspected that the CISSP fails people on purpose even if they passed. They literally allow so many people to pass per year, or session. The speculation is that the fewer people they allow to pass it, the more valuable their lousy cert stays. You may have actually failed it, but they still needed people to pass it, so they allowed you to pass. That's right, one big scam. For all those walking around with a CISSP, don't act so proud about it; you're only kidding yourself. No, I have not taken the test, and believe me, I don't plan on it either. I am not going to let my money go to waste in someone else's pocket. You want to waste your money to make a scam artist richer, go ahead, I won't follow you into that tar pit.

All you overly proud, foolish CISSP folks are doing is supporting those that are taking people's jobs away, and making it harder for others to gain jobs, or have entry-level opportunities. You should be ashamed.

Frederick | July 21, 2012 4:33 am

Down with DOD 8570. Hey if you saw good folks who had plenty of qualifications lose their jobs because of this thing and stupid Certs like CISSP you would be saying the same thing.

CEng | July 31, 2012 5:04 pm

This presentation makes a great case, backed with data to boot!

Rick | September 17, 2012 1:35 am

I suppose all certifications are a joke. If I am trying to achieve CCIE... that's a joke, right? What about MCSE? Surely you folks that are listening to this crap know where this person is coming from. My bottom line is that maybe the BAR exam is a joke as well, but surely nobody is going to represent me if he/she hasn't passed it. I'm a CISSP and I have quite a few other high-level certifications. I back this up with a Master's Degree in Information Assurance and have been reading code longer than most of this forum has been alive. I surely can tell you that the people complaining are under-achievers.

Ben | October 17, 2012 11:41 am

Comparing the CISSP to an undergraduate degree is ridiculous... unless... unless you "attended" the University of Phoenix or Capella etc., or any one of the other "for profit" houses of ill repute. In that case, your comparison is not only apt but insightful and telling: you think education is bought and paid for and not something earned and learned. I wouldn't hire a CISSP any more than I would hire someone with one of those rancid online degrees that isn't worth the parchment it's laser-printed on. Good luck with your work experience; I am sure you are one helluva copy-and-paster.

cisspursuer | March 25, 2013 3:01 pm

I don't see the harm in getting a CISSP, really. I sense jealousy on here.

William Oglesby | September 1, 2013 8:24 am

I have been asked to come up with profiles to staff a SOC. While researching what certification would be appropriate for a SOC, I came across this post.

I am looking for junior SOC analysts and senior SOC analysts.

My question is, what does the CISSP certification mean when trying to staff a SOC?

Personally, I look for three things, vendor training, experience and certifications, in order to filter and gauge individuals to interview.

An individual may have two out of three or just one and still make it to an interview. I hope for some replies to my query.

Realredneck | September 13, 2013 11:29 am

Ok, good reading on a Friday morning. I have been in IT for longer than most of these kids have been alive. I have worked in the public sector and in Defense. I have taken and passed the CCIE and many other certs. When I came to the DOD I must say that they were behind the private sector, and many of the GOVT civilians were lacking in drive and skills. That's ok, cause they have that golden pension. After being at the DOD I met people that had CISSPs, and some were good, real good, and others got it because the IA level 3 said they had to have it. Going through a network Accred and all the NSA STIGs, you will learn and know more after it's complete than you will ever learn in a class for a cert, IMHO.

The govt hired this contractor one day from Boze AH and he said he came from NSA. Ok, maybe, and he did have a TS/SCI with poly. Anyway, they sent him, I think, to Ft. Gordon to get his CISSP, which he did, and then he gets a job with us. Well, this kid was a pure punk in his attitude for never doing much. He said that he was making 140k, which did not shock me at all. He was constantly bringing down switches cause he did not know what he was doing at all. I told this kid, just watch and listen and don't bring shit down, cause these commands are super spiked to outages.

Now kid number 2 is a PC kid with drive. All these youngies want to get at the firewalls, switches and routers but don't know anything, which is fine. Well, number 2 is cool, so I say, man, follow me to a town hall and MULTICAST. Well, I am so bored with doing these things I decided any new blood I would teach the multicast concept and the workings of VBrick. Kid 2 did real well and every day came to work excited. I know many people that have no certs or expired certs that are very, very good. I do think the CISSP has worth, and in the DOD world that 8570 is killing some older people's careers, or lack of them. In a Security+ class I was sent to in Atlanta there were 40 people in the class from all branches of the Military. Some had no business being there and will never pass. I sat next to a guy from Tobyhanna, and he was a sys admin there that seemed like he knew his stuff. Well, a week later we take the test and 1/2 the class fails, and so did the sys admin. I passed and went on from there, but there were some pointed questions that you would have had to be doing the job to answer. Not that they were super hard, but the confusing wording made them harder.

Realredneck | September 13, 2013 11:46 am

William maybe this will help.

As for security staffing, I would look at resumes, and for experience, and of course the certs. If they were in the Military they may not have the cert but are trained to death. Don't overlook past experience in place of a cert.

I worked with very good people, some of the best, I thought, in an important area of the Govt. One guy was a pure wiz at iDirect sat/IP modems, and the traffic was carried by satcom. This guy was/is a General Dynamics guy who is retired Army. I never, and I mean never, saw an issue with any IP sat modem or situation on any bird that he could not work and resolve. I never heard this guy ever bring up that he had a certification of any kind??? iDirect called him many times to ask about other customer issues within the DOD. My point is this: maybe the cert gets you in the door, but once you meet the candidate and ask him or her questions, you will know. I don't mean they have to know everything, but if they have done X, Y and Z and can explain how and/or why they did it, well, you know they can more than likely handle any issues as they come up.

There are so many subjects out there today that there is no way everyone is going to be an expert at them all. And in the security field, every day nation states like China, North Korea and such are pumping out hackers in incubators with a sole objective of bringing down our networks. Find good people with solid backgrounds and keep them trained and engaged, and I think you will be fine.

Standing by.

Frank | September 25, 2013 5:55 am

I think the commentators, and especially the writer, are missing the point and really don't know what the CISSP is all about. It is not a technical exam, but a high-level exam focusing on theory and application and applying it in real-life situations rather than memorizing tons of tech info. It is more of a management-level exam than a "sit down and configure the router" exam (like one genius pointed out). Also, as a standards and certification body, they can't tailor it to everyone's real-world experiences, because things can be handled differently depending on the situation... they pick a few international standards and go off of that, which makes sense... otherwise there would be hundreds of right answers. I took the exam and never saw any grammatical or spelling errors, so I don't believe that one at all.

Plus, as a human species shouldn't we want to learn and evolve. I started off in regular school, went to get a Bachelor's, and then progressed to get a I an expert because I attended these programs. NO! However, I learned the basics and applied it to my job (and sometimes my job dictated something different than my college program). When I apply for a job, they want to see that degree to know I put in the work and have a basic understanding of that field. The CISSP and all certifications are no different! You put in the time and you earned a pretty piece of paper. Furthermore, you have to complete CPEs to remain current so that shows the employer that you continually are improving yourself which means you will continually improve the organization.

No cert is BS, especially the CISSP. Anyone that has it should be proud to have earned it since it is not an easy cert to get by any means... probably one of the hardest. Just because $150,000 jobs aren't falling into your laps because you expect it to after getting a cert doesn't mean the cert is means you have your expectations set way too high on what the cert offers you.

On a side note, I have noticed people that fail the CISSP tend to be the most critical about it.....just saying....

Buzzwords | February 11, 2014 12:48 pm

Sorry, I have friends with a CISSP and their technical knowledge and managerial technique is null. I don't ever call on CISSP people for anything technical, they won't understand anything I'm needing. IA is mostly a technical field by far, CISSP is a non-technical certification. Would you ever call a CISSP person in the event of an investigation to get their technical insight? Probably not, but they'll tell you the differences in policy...and that's about the extent of their usefulness.

PS: CJ, seems like you're butt hurt after reading this. Guess it isn't your fault that your "Holier than tho" cert has become so mainstream that Wal-Mart will probably start offering their own version of it.

Buzzwords | February 11, 2014 12:50 pm

So sorry CJ, I meant "holier than thou art". We all know how one spelling mistake is the difference between knowing practical experience and CISSP experience. Wait...

Tom | March 28, 2016 1:14 pm

It is much worse than you have described. I took and passed the CISSP exam in 2001 when I was already working as an IT Security consultant. I did not need to do any study or revision and I am sure I scored close to 100%.

I did not renew it for a very good reason. The level of knowledge that it tests is at such an elementary and trivial level that it in no way qualifies anyone to work as an "Information Systems Security Professional". In my opinion the main reason for its existence is to make money for ISC2.

Unfortunately HR departments have swallowed the idea that it means something and are discriminating against anyone that does not have the qualification who wants to work in IT security. I'll bet some of those fools would turn Bruce Schneier away!

Lil Tipkins | September 21, 2016 1:56 pm

Agree with previous comment. I was forced by my employer to take a week-long training class to prepare for the test. As the company would only pay for the exam if we passed it, I did not take it. After the training it seemed very obvious to me that this cert had no real merit and was a complete money-making scam for ISC2. Wake up HR people!!

Tom | July 6, 2017 7:25 am

You are way too kind. The CISSP is completely useless as a testament to a person's ability to work as an IT Security Professional. The level of knowledge it attests to is trivial, and that is not when it is totally irrelevant.

I obtained the CISSP in 2001, with no study at all, and allowed it to lapse 3 years later when ISC2 wanted an extortionate fee to let me tell them what Security work I had been doing, what courses and conferences attended, and what books read and articles written. But were they going to then check up that I had actually done what I said? No way. They just take the money. In that case a potential employer might as well trust what I tell them. CISSP adds no value whatsoever.

So far as I can see the CISSP is nothing more than a money making scam for ISC2.

Anyone that holds one, but has no other experience or knowledge of security, is deluded if they think they are an IT Security Professional.

Any IT manager or HR recruiter that thinks the CISSP means a candidate can function as a Security expert is clueless and ought to be in a different job.
