
RE: Notes from CISSP class with Dr. Eric Cole

Subject: RE: Notes from CISSP class with Dr. Eric Cole
Date: Thu, 13 Oct 2005 08:50:56 +0100
Can we get a little balance back here?

CISSP is not a purely paper qualification that anyone with the
money to take the exam can get. It requires, apart from 
sufficient knowledge to pass the exam, proven experience in
security. What it doesn't require or prove is specialized
technical knowledge and experience in any particular security 
area. 

It's a reasonable requirement for some kinds of managerial
role in itself. It may not be sufficient for a technical
or hybrid manager. It isn't, in itself, always a
sufficient requirement for a technical role, though it
may, in combination with other certification or experience
appropriate to the role, provide necessary reassurance that
the candidate isn't too focused on a narrow area. It doesn't,
in itself, prove the holder's fitness to administer IDS,
or a firewall, or PKI, or pen-testing, or even AV, and
any company that hires people for such roles purely on
the strength of the acronym CISSP is risking (at least)
disappointment (but I'm not sure that companies are
generally so naive). 

What it certainly doesn't do is prove that the holder
is a fraud or incompetent. It's been described as
broad but shallow, but holding it is not proof that the
holder is -or- isn't expert in one or more specialist areas.
It indicates a proven level of knowledge which is sufficient
for some roles and not for others, and I'm not sure it's
productive to attempt to define too closely which roles 
it's sufficient for. That depends on other factors such
as experience, other qualifications, and willingness to
train (or be trained) further.

Could we please get back to web security now?

-- 
David Harley 
