<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments on: Not a CISSP</title>
	<atom:link href="http://www.veracode.com/blog/2008/04/not-a-cissp/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.veracode.com/blog/2008/04/not-a-cissp/</link>
	<description>Application security testing, analysis, and metrics</description>
	<lastBuildDate>Tue, 15 May 2012 22:16:53 +0000</lastBuildDate>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
	<item>
		<title>By: To CISSP or Not to CISSP – Part 2 &#124; Trehb101.com - Got Geek?</title>
		<link>http://www.veracode.com/blog/2008/04/not-a-cissp/comment-page-1/#comment-5871</link>
		<dc:creator>To CISSP or Not to CISSP – Part 2 &#124; Trehb101.com - Got Geek?</dc:creator>
		<pubDate>Thu, 30 Dec 2010 18:39:59 +0000</pubDate>
		<guid isPermaLink="false">http://www.veracode.com/blog/?p=86#comment-5871</guid>
		<description>[...] There is another point that I want to make. This is again coming from the Veracode blog: [...]</description>
		<content:encoded><![CDATA[<p>[...] There is another point that I want to make. This is again coming from the Veracode blog: [...]</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: To CISSP or Not to CISSP &#8211; Part 1 &#124; Trehb101.com - Got Geek?</title>
		<link>http://www.veracode.com/blog/2008/04/not-a-cissp/comment-page-1/#comment-5870</link>
		<dc:creator>To CISSP or Not to CISSP &#8211; Part 1 &#124; Trehb101.com - Got Geek?</dc:creator>
		<pubDate>Thu, 30 Dec 2010 18:08:40 +0000</pubDate>
		<guid isPermaLink="false">http://www.veracode.com/blog/?p=86#comment-5870</guid>
		<description>[...] cert is that “CISSP only demonstrates mere understanding of domains rather than competence.” This blog entry from Veracode entitled “Not a CISSP” drives home the point: “&#8230;like many security certifications, it’s an ineffective measure [...]</description>
		<content:encoded><![CDATA[<p>[...] cert is that “CISSP only demonstrates mere understanding of domains rather than competence.” This blog entry from Veracode entitled “Not a CISSP” drives home the point: “&#8230;like many security certifications, it’s an ineffective measure [...]</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Bill</title>
		<link>http://www.veracode.com/blog/2008/04/not-a-cissp/comment-page-1/#comment-5607</link>
		<dc:creator>Bill</dc:creator>
		<pubDate>Thu, 16 Sep 2010 16:15:12 +0000</pubDate>
		<guid isPermaLink="false">http://www.veracode.com/blog/?p=86#comment-5607</guid>
		<description>Ever notice how people without something like to gripe about it?</description>
		<content:encoded><![CDATA[<p>Ever notice how people without something like to gripe about it?</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: James H.</title>
		<link>http://www.veracode.com/blog/2008/04/not-a-cissp/comment-page-1/#comment-4073</link>
		<dc:creator>James H.</dc:creator>
		<pubDate>Mon, 21 Jun 2010 14:17:22 +0000</pubDate>
		<guid isPermaLink="false">http://www.veracode.com/blog/?p=86#comment-4073</guid>
		<description>I passed the CISSP exam a couple years ago.  I studied a couple of books and a few of the free on-line exams and passed the first time.  Like many of the posters and coworkers I had talked to, I found the questions to be poorly worded and ambiguous.  Based on their knowledge and the quality of their work, I had very little respect for the people who proudly added &quot;CISSP&quot; to the end of their name and a great deal of respect for those who would casually say, &quot;Yeah, I passed the test too.&quot;  At the time, I thought CISSP looked like a scam and nothing has changed my mind about that.  I took the test mostly because I had set a personal goal to do so and because the company I worked for encouraged it and paid for it.

That said, studying for the exam did help me.  I gained some general knowledge in areas of IT security that I hadn&#039;t been exposed to before.  So earning the CISSP certification was not a complete waste of time.  I got a pretty certificate too.  [&quot;I wonder where that is, in that pile or in the drawer?  Oh, I remember it&#039;s under there.  No, well maybe I&#039;ll run across it some day.&quot;]    Now that I have passed the test, I have not found the certification valuable or respected by those whom I respect.  I have not renewed my membership.

My college education has been a much better investment, not because of what I learned but because I gained the skills to learn well.  If you have the chance to go to college, I would certainly recommend it.  

If you have the chance to take the CISSP exam I would recommend it as long as: your company will pay for it, it&#039;s not too far to drive to the nearest test location, you read a prep test book or two (buy a cheap, used one from Amazon, ebay, or Craig&#039;s List or better yet, borrow the book), and take some of the free on-line tests.  Don&#039;t spend more than $50 preparing for the test.</description>
		<content:encoded><![CDATA[<p>I passed the CISSP exam a couple years ago.  I studied a couple of books and a few of the free on-line exams and passed the first time.  Like many of the posters and coworkers I had talked to, I found the questions to be poorly worded and ambiguous.  Based on their knowledge and the quality of their work, I had very little respect for the people who proudly added &#8220;CISSP&#8221; to the end of their name and a great deal of respect for those who would casually say, &#8220;Yeah, I passed the test too.&#8221;  At the time, I thought CISSP looked like a scam and nothing has changed my mind about that.  I took the test mostly because I had set a personal goal to do so and because the company I worked for encouraged it and paid for it.</p>
<p>That said, studying for the exam did help me.  I gained some general knowledge in areas of IT security that I hadn&#8217;t been exposed to before.  So earning the CISSP certification was not a complete waste of time.  I got a pretty certificate too.  ["I wonder where that is, in that pile or in the drawer?  Oh, I remember it's under there.  No, well maybe I'll run across it some day."]    Now that I have passed the test, I have not found the certification valuable or respected by those whom I respect.  I have not renewed my membership.</p>
<p>My college education has been a much better investment, not because of what I learned but because I gained the skills to learn well.  If you have the chance to go to college, I would certainly recommend it.  </p>
<p>If you have the chance to take the CISSP exam I would recommend it as long as: your company will pay for it, it&#8217;s not too far to drive to the nearest test location, you read a prep test book or two (buy a cheap, used one from Amazon, ebay, or Craig&#8217;s List or better yet, borrow the book), and take some of the free on-line tests.  Don&#8217;t spend more than $50 preparing for the test.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: RR</title>
		<link>http://www.veracode.com/blog/2008/04/not-a-cissp/comment-page-1/#comment-3102</link>
		<dc:creator>RR</dc:creator>
		<pubDate>Wed, 14 Oct 2009 03:12:29 +0000</pubDate>
		<guid isPermaLink="false">http://www.veracode.com/blog/?p=86#comment-3102</guid>
		<description>Anyone who says a CS college degree is useless is most likely useless himself. Anyone who dedicates 4 years of study to any subject matter has accomplished a great deal. Those that bash individuals with college degrees are pathetic, no matter what field it is in. Have you ever heard of dedication by committing yourself to attaining a very difficult degree such as CS? The whole idea of a college education is a stepping stone to your career. You know maybe 10% of what you need to know and figure out the rest on the job. Anyone who thinks a college grad should know 100% of their field straight out of college is a total ass. Don&#039;t knock it until you try it.</description>
		<content:encoded><![CDATA[<p>Anyone who says a CS college degree is useless is most likely useless himself. Anyone who dedicates 4 years of study to any subject matter has accomplished a great deal. Those that bash individuals with college degrees are pathetic, no matter what field it is in. Have you ever heard of dedication by committing yourself to attaining a very difficult degree such as CS? The whole idea of a college education is a stepping stone to your career. You know maybe 10% of what you need to know and figure out the rest on the job. Anyone who thinks a college grad should know 100% of their field straight out of college is a total ass. Don&#8217;t knock it until you try it.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Prive</title>
		<link>http://www.veracode.com/blog/2008/04/not-a-cissp/comment-page-1/#comment-2961</link>
		<dc:creator>Prive</dc:creator>
		<pubDate>Thu, 30 Jul 2009 04:25:02 +0000</pubDate>
		<guid isPermaLink="false">http://www.veracode.com/blog/?p=86#comment-2961</guid>
		<description>The CISSP is to security as the MBA is to business. It does not mean the holder is an expert on every aspect of the field but rather that they have learned the basic concepts across the broad scope of it and shouldn&#039;t have too many big blind spots which might otherwise trip them up and cost their employers dearly. The holders and knockers who suggest CISSPs should be hardcore tech experts are just off-base. 

Just as a CEO with an MBA has an appreciation of the main considerations relating to payroll but couldn&#039;t be expected to be &#039;put at the keyboard&#039; and pump out the monthly salaries, a CISSP is expected to help ensure a prudent and balanced security posture rather than demonstrating m@dSk1&#124;&#124;z at the command line. 

No matter how good your woodcutters are, it still helps to have someone who can take in the whole forest. 

FWIW, for those with broad IT experience, I rate the study aspect of the CISSP as between one and two modules of a 10-12 module MBA. In both cases, I did not aim to just pass, I aimed to master the subject matter because it was about the learning, and for me the CISSP is part of the road, not a destination. [MBA-distinction, BSc, CISSP, ITILf etc].</description>
		<content:encoded><![CDATA[<p>The CISSP is to security as the MBA is to business. It does not mean the holder is an expert on every aspect of the field but rather that they have learned the basic concepts across the broad scope of it and shouldn&#8217;t have too many big blind spots which might otherwise trip them up and cost their employers dearly. The holders and knockers who suggest CISSPs should be hardcore tech experts are just off-base. </p>
<p>Just as a CEO with an MBA has an appreciation of the main considerations relating to payroll but couldn&#8217;t be expected to be &#8216;put at the keyboard&#8217; and pump out the monthly salaries, a CISSP is expected to help ensure a prudent and balanced security posture rather than demonstrating m@dSk1||z at the command line. </p>
<p>No matter how good your woodcutters are, it still helps to have someone who can take in the whole forest. </p>
<p>FWIW, for those with broad IT experience, I rate the study aspect of the CISSP as between one and two modules of a 10-12 module MBA. In both cases, I did not aim to just pass, I aimed to master the subject matter because it was about the learning, and for me the CISSP is part of the road, not a destination. [MBA-distinction, BSc, CISSP, ITILf etc].</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Dave</title>
		<link>http://www.veracode.com/blog/2008/04/not-a-cissp/comment-page-1/#comment-2948</link>
		<dc:creator>Dave</dc:creator>
		<pubDate>Sat, 25 Jul 2009 16:00:07 +0000</pubDate>
		<guid isPermaLink="false">http://www.veracode.com/blog/?p=86#comment-2948</guid>
		<description>CISSP is not a technical cert. It has some technical content, but overall just measures that someone has at least some basic understanding of what security is.

Security is such a varied field that a single cert truly can&#039;t indicate someone&#039;s abilities, even if a cert truly could. 

I have the CISSP and CEH certs. While I think I did pick up a bit in knowledge studying for them, I don&#039;t think they make me a security expert by any means.</description>
		<content:encoded><![CDATA[<p>CISSP is not a technical cert. It has some technical content, but overall just measures that someone has at least some basic understanding of what security is.</p>
<p>Security is such a varied field that a single cert truly can&#8217;t indicate someone&#8217;s abilities, even if a cert truly could. </p>
<p>I have the CISSP and CEH certs. While I think I did pick up a bit in knowledge studying for them, I don&#8217;t think they make me a security expert by any means.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Benjamin</title>
		<link>http://www.veracode.com/blog/2008/04/not-a-cissp/comment-page-1/#comment-2947</link>
		<dc:creator>Benjamin</dc:creator>
		<pubDate>Sat, 25 Jul 2009 02:50:09 +0000</pubDate>
		<guid isPermaLink="false">http://www.veracode.com/blog/?p=86#comment-2947</guid>
		<description>You might think some people have their entire professional identity wrapped up in this certificate. So much butthurt from proud CISSPs. So many ways not to care.</description>
		<content:encoded><![CDATA[<p>You might think some people have their entire professional identity wrapped up in this certificate. So much butthurt from proud CISSPs. So many ways not to care.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Brennan</title>
		<link>http://www.veracode.com/blog/2008/04/not-a-cissp/comment-page-1/#comment-2702</link>
		<dc:creator>Brennan</dc:creator>
		<pubDate>Thu, 30 Apr 2009 15:42:13 +0000</pubDate>
		<guid isPermaLink="false">http://www.veracode.com/blog/?p=86#comment-2702</guid>
		<description>I work with many CISSPs.  Many of them have no concept of technical security.</description>
		<content:encoded><![CDATA[<p>I work with many CISSPs.  Many of them have no concept of technical security.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Brad Andrews</title>
		<link>http://www.veracode.com/blog/2008/04/not-a-cissp/comment-page-1/#comment-2629</link>
		<dc:creator>Brad Andrews</dc:creator>
		<pubDate>Tue, 07 Apr 2009 16:59:30 +0000</pubDate>
		<guid isPermaLink="false">http://www.veracode.com/blog/?p=86#comment-2629</guid>
		<description>workin4daman, I doubt you didn&#039;t learn anything from studying for those certs.  You may not be the expert the letters imply, but you had to have learned something along the way.  :)

We would be much better off if more people knew the basics of the CISSP and such things.  Knowing the principles, even at a shallow level, can definitely help when selling the concepts.  Security is hard enough to get across; cutting down those who show some understanding is not all that bright IMHO.

Brad</description>
		<content:encoded><![CDATA[<p>workin4daman, I doubt you didn&#8217;t learn anything from studying for those certs.  You may not be the expert the letters imply, but you had to have learned something along the way.  :)</p>
<p>We would be much better off if more people knew the basics of the CISSP and such things.  Knowing the principles, even at a shallow level, can definitely help when selling the concepts.  Security is hard enough to get across; cutting down those who show some understanding is not all that bright IMHO.</p>
<p>Brad</p>
]]></content:encoded>
	</item>
</channel>
</rss>

