The CISSP has become one of the hottest certifications to have (especially in the DC area) because of the growing budget for information security. But the CISSP exam itself has some major flaws, leading me to wonder if this is a valuable certification for individuals, companies, or society at large. (Disclaimer: I am a CISSP.)
I’ve been interested in infosec for several years now, and nearly every day I read at least a few infosec articles written by or about the people who I believe are doing the real security work today: Bruce Schneier, Dan Guido, Dino Dai Zovi, Charlie Miller, Moxie Marlinspike, etc. My day job has brought me tangentially in touch with this industry because my company specializes in security compliance (which is a useful, but overemphasized, approach to managing security on a large scale).
So I was quite disheartened to find that I was almost completely unprepared for the CISSP, because the CISSP contains very little real-world security knowledge. For example, in my day job as well as in my personal reading, I have never once encountered a situation where I needed to know the difference between a class A fire and a class B fire. But there were at least 3 questions on my exam on this topic.
There are over a dozen questions on global compliance standards – not just current standards like COBIT, but also the history of standards such as COSO. The U.S. federal government is already experiencing a compliance crisis, so I have to question the efficacy of memorizing the color of the cover on the compliance manual.
The CISSP does cover a few worthwhile topics, such as the OSI 7 layer model and the TCP/IP 4 layer model. This is knowledge that a CISSP can actually use in day-to-day security. But these few high-points are still overly academic and fail to cover the real-world applicability of these issues. My review book (Shon Harris) is 1,237 pages long, yet it dedicates a scant 1.5 pages to SSL/TLS, which is the most widely used security technology in existence today. The book does put in a decent 7 pages on public key infrastructure (PKI) but fails to make the connection between PKI and SSL, the latter being the most significant usage of PKI in existence today. The combined 8.5 pages on PKI/SSL doesn’t mention anything of the [ongoing](http://arstechnica.com/security/news/2011/03 /how-the-comodo-certificate-fraud-calls-ca-trust-into-question.ars) SSL trust crisis or developing alternatives to the current system.
That the CISSP is divorced from reality is evidenced best by the exam itself. The exam is is conducted with pencil and paper, and grading for results takes–in their words–“4-6 weeks”. (My results came in closer to 3 weeks.) In 2012, the world’s preeminent IT security certification should not be paper-based. That is insane! (As a point of reference, my girlfriend recently took a nursing board exam that was entirely computer-based and was graded instantly after the exam was completed. She left with a copy of her passing score in hand.)
All of this brings me back to my original question: does the CISSP provide value for individuals, companies, or society?
Individuals: You may learn quite a bit by taking this exam, but it won’t teach you much practical knowledge. If practical knowledge is your goal, then this certification is not for you.
What about the career benefits, then? For individuals taking the exam, the CISSP may be beneficial, but the cost and overhead of the exam are considerable. The exam itself costs $550. Annual maintenance requires $85. CISSP training courses range between $3000 and $5000. The CISSP requires perhaps 100 hours of study as well as 40 hours of CPEs each year to maintain it. At $45 hour (a reasonable salary with benefits for an IT professional living in an urban market), that’s $4,500 opportunity cost spent on studying and another $1,800 per year on maintenance.
In order to break even on this certification over the next 5 years, a CISSP will need to earn an additional $2,800-$3,800 per year. If you have no prior qualifications for infosec work, this may be a feasible salary increase. But if you already have other credentials (experience or a degree), then the CISSP is difficult to cost-justify.
Companies: I don’t understand why companies are so keen on hiring CISSPs. I have worked with some CISSPs who were smart and savvy, and some CISSPs that could barely operate a computer. From my vantage point, the CISSP has absolutely no correlation with solid computer skills and knowledge. If companies are paying top dollar for CISSPs or – even worse – disqualifying solid candidates that are not CISSPs, then the CISSP is actually costing those companies lots of money.
Society: It may sound cheesy to ask if the CISSP benefits society, but I believe it’s fair game because the CISSP code of ethics explicitly requires us to:
Protect society, the commonwealth, and the infrastructure. Act honorably, honestly, justly, responsibly, and legally. Provide diligent and competent service to principals. Advance and protect the profession.
That’s deep… But does the CISSP live up to the standard that it sets out for its members?
Ultimately, I believe that it does not. The CISSP is a distraction. Candidates who obtain this certification may be misled into thinking that they possess useful knowledge as a result. Unfortunately, these same candidates will become the information security officers (ISO or ISSO) across the private sector and in government, and their warped understanding of information security will shade their opinions and agendas. (Perhaps this is one reason why the federal government is so concerned with compliance and so averse to penetration testing?)