RE: [CISSP-D] Re: [securitytech] Is the CISSP respected...

Date: Sun, 6 Mar 2005 13:15:04 -0500


Good day Rob, Jeffrey, and all

This thread about the value of the certification does come up every three
months or so.  As was already mentioned, there is no black or white
answer.  As mentioned by Bob, it greatly depends on who you talk to and also
on the understanding of what the certification stands for.  I think the
following extract from Hal Tipton, co-founder and CISSP training director
for ISC2, does give it a great context, see the quote below:

"The CBK was created to include those topics that information security
professionals should have knowledge of to be able to participate effectively
in a discussion with their peers about information security issues.  The CBK
contains over 300 separate topics and is updated regularly to ensure that it
remains current with the latest developments in the field."

As you can see it was never meant to make you a god in any of the 10 domains
but mainly to ensure you had a foundation in each of the domains and then it
is up to you to expand the weak areas.

Today we can bash boot camps, but let's not forget that it is the boot
camp companies that have put the CISSP certification on the map in the
first place.  It is their advertising that has given the cert the visibility
required to get it out of the little niche market that it was in.  Before the
ISC2 Institute (the training arm of ISC2) existed, was there full page
advertising or publicity about the cert being done in leading security
magazines or online?  The answer is a simple NO.

If you look at the official CISSP review seminar curriculum, you'll see 
how much knowledge is actually necessary if you want to pass the test 
on that basis. The review seminars are just that, reviews, and will 
help you identify areas in which your knowledge is weak and should be 
improved.

Great point, the seminar should not be the be-all and end-all as far as preparation is
concerned.  It should be a review; students should have been exposed to the
domains prior to coming into class.  For people where this is not the case,
it would be very advisable for them to take some time to further study and
improve their weak areas after the class and then attempt the exam.  At $500
a pop, you do not want to miss it, or do it over and over again through a
brute force attack.

Boot camps are a blight on what would otherwise be a good 
certification landscape, and are the most probable cause of any 
credibility that the CISSP has lost.

I agree that boot camps are more of a problem than a solution.  I agree
that they have managed to pump some into the cert who otherwise wouldn't
(and probably shouldn't) have passed.  I'm not sure that they are going to
be a serious problem.  I suspect that, with their high prices, the number
of people who fail at boot camps is going to start to become known.

Let's face the truth, if you can take a one-week course, regardless of whether you
call it a seminar, a boot camp, a training camp, or whatever.  The problem
does not lie with those companies but more with the content of the CBK.  The
CBK is NOT an infinite set of knowledge; it is very restricted in its
coverage of what is expected and can be mastered by someone who has already
been working in the field for many years in a fairly short period of time.
There is no depth in any of the topics; it is very much oriented around
concepts.  Understanding the concepts and how they are related is the key.

All of the training companies I have taught CISSP classes for (and there are
a few) do not have access to the ISC2 questions; they can only line up
their material with the published CBK and cover those topics well.  As far
as success rates go, it is no big secret.  The leading schools out there have a
passing rate higher than 90% for all of the classes that they have taught.  I
have seen classes with a 100% passing rate.

In summary, the answer to your question is unfortunately subjective. 
Many employers will look for the CISSP certification and consider it at 
the same level as SANS certifications (don't get me started on that 
topic),

Recruiters definitely have to wake up.  They only gauge the buzz level
associated with a certification, but not what it really stands for.

The job landscape is changing as well, as was clearly indicated in the
last Partner and Foote Survey.  People nowadays expect more than just a
technical person; they expect a person who can understand the complexity of
today's architecture and someone who has some business acumen.  Being
strictly a technical person is not cutting it anymore.  Stacking black boxes
does not provide you with security.

As Rob has mentioned, the current exam does provide a challenge, mainly due to
the fact that it is based on Education versus being based on Training.  When
you deliver training it is based on specific tasks and you show how to
complete these tasks step by step.  It does not work this way with computer
security.  You have to give the foundation required to further expand your
skills and be able to ask yourself the proper questions when a problem is
presented.

This education value of the CBK will be more prevalent when the exam
starts to include some scenario-based questions where one will have to
evaluate, assess, and come up with the most appropriate answer.  The days of
the technical side driving the business are over.  It has to be the business
drivers that take precedence, and it has to be the business that dictates
what protection is required.

Good weekend to all

Clement
