



Network Security CISSP-Discussion

[CISSP-D] Re: [securitytech] Is the CISSP respected...

Subject: [CISSP-D] Re: [securitytech] Is the CISSP respected...
Date: Sat, 5 Mar 2005 17:12:04 -0800


From:                   Jeffrey Posluns <jeff@posluns.com>
Date sent:              Sat, 05 Mar 2005 02:32:20 -0500

Excellent analysis and exegesis, Jeff.

That is a very good question, and like most good ones the answer will 
depend on who you talk to.

The answer is, indeed, subjective.  I recall the furor in the forum when the
number of CISSPs climbed over 15,000 and everyone thought the cert would be
"diluted" because of the numbers.  (Now there are about 36K.)  On the other
hand, the Gartner Group figured, at the 15K point, that there was a need for
about 250,000 CISSPs in the US alone.

When the certification first came out, it was very well respected and 
thought of.

I tend to agree with Gartner.  There are two aspects to the numbers game.  One
is rarity, but that only has value if there is a demand.  The other factor is
familiarity.  I suspect that very few CISSPs understand how big the security
field is, overall, and how many people *don't* hold CISSPs.  Recently I did
some work for a company that made security products, and in a company of about
200 people, nobody had a CISSP.  The thing is, you need to have a large base
population before the general public starts to know that you are there.  I've
seen this first hand, teaching the courses in Nigeria.  When I went in 2003
there were two (2) CISSPs in the most populous country in Africa.  I was a bit
surprised, in that first class, that there were few people from banks.  The
host company, seemingly solely on the basis of having hosted the CISSP course,
and having three CISSPs on staff, now has a significant security consultancy in
Nigeria, and the second class, last year, was full of people from banks.

Therefore, yes, the cert was respected when it first came out--by those who
knew about it.  But it still has a ways to go in public perception.

Over the years however, boot camps have become prevalent 
that offer money back guarantees on passing the test. These camps don't 
teach you what you need to know, they teach you how to pass a test.

Too right.

If you look at the official CISSP review seminar curriculum, you'll see 
how much knowledge is actually necessary if you want to pass the test 
on that basis. The review seminars are just that, reviews, and will 
help you identify areas in which your knowledge is weak and should be 
improved.

I was shocked the first time I taught at a boot camp.  I had been pointing out
resources that the candidates would need to brush up on further areas, and they
finally said that they wouldn't have time to study: they wrote on Sunday.
(Nobody had told me that.)

Boot camps are a blight on what would otherwise be a good 
certification landscape, and are the most probable cause of any 
credibility that the CISSP has lost.

I agree that boot camps are more of a problem than a solution.  I agree that
they have managed to pump some into the cert who otherwise wouldn't (and
probably shouldn't) have passed.  I'm not sure that they are going to be a
serious problem.  I suspect that, with their high prices, the number of people
who fail at boot camps is going to start to become known.

In summary, the answer to your question is unfortunately subjective. 
Many employers will look for the CISSP certification and consider it at 
the same level as SANS certifications (don't get me started on that 
topic),

:-)

and others will make absolutely certain that you have a 
particular skill set without batting an eyelash at the letters after 
your name. I would suggest that you look at the official requirements 
for any certifications, and decide where and how they fit into the path 
that you want your career to take. Choose a certification because you 
feel it is right for you.

Good advice in any case.  And, I agree that most opinions about the value of a
cert are going to be subjective.

One point to make is that the CISSP is still highly regarded in the security
community overall.  It is not seen as a panacea or guarantee, by any means, but
I get the impression that it is the one cert that the majority of people in the
community agree has general value, rather than being specific to a product or
job function.  Also, as the numbers of CISSPs grow, it is starting to be
recognized by the high tech industry as a whole, and even by the general
public.

My position is going to be seen as not only subjective, but also biased, since
I teach the CBK.  However, I would like to point out that my background is in
education.  One of the reasons that I got into teaching the CBK is because of
the quality of the CISSP exam.  There are many certs, and many exams, and most
of them can be passed by anyone going through intensive training.  The CISSP is
quite a bit better.  Not perfect; and there will always be professional
test-takers who manage to get through it; but significantly better than most of
the other designations.  (It's hard to explain this to anyone who hasn't
studied testing and measurement: most people think the "4 right answer"
questions on the exam are bad questions.  They're not.  Those are the *good*
questions  :-)

======================  (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca      slade@victoria.tc.ca      rslade@sun.soci.niu.edu
There are two ways to slide easily through life: to believe
everything or to doubt everything; both ways save us from
thinking.                                         - Alfred Korzybski
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade






 