What the CISSP? 20 years as a Certified Information Systems Security Professional

CISSP stands for Certified Information Systems Security Professional, a qualification that I obtained on this day in 1996. Back then, very few people had heard of CISSP or the organization that created it, the International Information Systems Security Certification Consortium. This non-profit professional body is known as (ISC)2 which is pronounced “I-S-C-squared” (because the name contains two each of those three letters, which is cute but a pain for typographers and search engines). These days CISSP is an acronym you’ll hear a lot if you spend time dealing with cybersecurity, and (ISC)2 is a name you’ll encounter at many events, such as the (ISC)2 Security Congress. In a moment I will talk about what it means to be a CISSP, but first, a few words of caution.

One place that you frequently see the letters C-I-S-S-P is in job descriptions for cybersecurity positions. For example, a quick search of openings on the employment website indeed.com finds 1,998 new job listings that include “CISSP” (far more than some related certifications, e.g. CCNA: 1,604; CISA: 1,105; and CEH: 352). Now you might think that, as someone who has derived many benefits from being a CISSP for 20 years, I would welcome this strong showing. And in some ways I do, but I also see a serious problem: too many employers inappropriately put “CISSP required” in job requirements.

Why is this a problem? Because it creates understandable resentment from people who are qualified to do the work that the advertised position entails, but don’t happen to be CISSP-certified. I will try to shed some light on this problem as a way of giving back on the twentieth anniversary of meeting the requirements to become a CISSP.

Those requirements included passing a six hour exam several weeks before the certification came through, an exam that I had to fly to Seattle to take. Or maybe it was Portland. Anyway, I know I flew there the day before the exam and the weather was cool and damp as I went from the airport to a hotel near the test center, toting a bag of books that I pored over late into the night. One of those books was The Stephen Cobb Complete Book of PC & LAN Security, which was far from complete despite being 556 pages long (believe me, the title was the publisher’s idea). The next morning, in a line of about two dozen people waiting to go into the test room, the guy next to me said “I recognize you, you wrote that security book.” Any ego boost from being recognized was quickly deflated by the stress-inducing realization that at least one member of the public might be able to figure out if I flunked the exam. Thankfully, I did not.

But what does passing the CISSP exam prove? Having participated in question writing sessions for the test, it was my understanding that passing the exam should: “confirm that you know what it takes to manage an organization’s information system security”. In other words, it means you know how to get an organization to meet the information system security challenge, now and moving forward. This is different from being skilled and experienced in each and every technical role which that undertaking requires. And therein lies considerable confusion and, for some people, frustration.

Suppose you’ve learned how to perform penetration testing, maybe as a sysadmin or helping out a friend who has a job in IT. You’ve become immersed in Kali, you know how to handle a Pineapple, and you’ve coded some clever tools of your own in Python. Now you’d like to get a job where you can put this knowledge to good use on a full-time basis. You check out indeed.com for your area and wow, there’s a company just down the road from where you live that is looking for a pen tester. Sweet! But then you get to the bottom of the listing and there it sits, under Mandatory Requirements: CISSP.

Now, speaking as a CISSP, I’m happy to inform you that you don’t need to be a CISSP to be good at pen-testing. And I’m happy to tell that to any prospective employer who thinks you do. Furthermore, getting your CISSP may not add much to your pen-testing abilities. And if you take the exam and flunk because of questions about appropriate fire retardant for data centers or correct heights for perimeter fencing, you’re not going to be a happy camper. On top of that, there is the CISSP experience requirement to consider: a minimum of five years of cumulative paid full-time work experience in two or more of the eight domains of the CISSP CBK (see (ISC)2 Common Body of Knowledge):

  • Security and Risk Management
  • Asset Security
  • Security Engineering
  • Communications and Network Security
  • Identity and Access Management
  • Security Assessment and Testing
  • Security Operations
  • Software Development Security

Note that a waiver to reduce the experience requirement to four years is possible, based on certain education parameters or other professional certifications (see this page on the (ISC)2 website).

It should also be noted that you have to commit to a code of ethics to be a CISSP and you must keep learning after you get your certification, or your qualification will expire. These are sensible requirements for the proper role of the CISSP. Here’s what (ISC)2 says that the CISSP means: “you have the deep technical and managerial knowledge and experience to effectively design, engineer, and manage the overall security posture of an organization.” The point is, the CISSP does not attest to mastery of a specific technical cybersecurity skill set. And companies shouldn’t take it to mean that.

In fact, when a company says that you must be a CISSP to perform a job which mainly consists of specialized technical security operations, then you might want to question their understanding of how information security works. (However, I totally get that questioning the judgement of a prospective employer is a non-trivial undertaking.) On the bright side, I do see more employers using language like “willing to attain CISSP” which strikes me as a very healthy approach.

Frankly, after studying information security for more than 25 years, 20 of them as a CISSP, I think the healthiest approach to hiring people to work in cybersecurity is to set aside checklists, including laundry lists of certs and degrees. Organizations should evaluate candidates based on A. what they have shown they can do, and B. what the person in charge of security, the person for whom they are going to work, thinks they have the potential to accomplish.

I realize that this approach is hard to implement at scale, but I also think that as a nation, heck, as a planet, we have to do much better at hiring for cybersecurity roles. Numerous studies indicate that tens of thousands of cybersecurity openings go unfilled every year (and that’s just in the US, globally they’re talking hundreds of thousands). But I still meet very bright and motivated people who aspire to work in the industry and can’t get hired. We need to close this gap and solve these hiring problems if we are going to stand a chance at securing our digital future. And whatever else it means to be a CISSP, it means sharing a commitment to achieving that goal.

Author Stephen Cobb, ESET

  • Kevin K Fred

    The issue lies in the “weeding” process task that is put on the shoulders of HR. It has been my experience (to include writing position descriptions for a variety of infosec jobs) that the hiring manager puts forth a series of requirements for a position and HR gets deluged with applicants. I will set aside the question of exercising due diligence in weeding out the right group of candidates to put forward to the hiring manager, but due to manning, HR must “push back” with some method to help narrow the choices, and the easiest way is to put in a mandatory requirement, that may or may not be truly relevant (four year degree in XYZ, certification in QWE, etc.). Frankly, it is easiest to look at other postings from other companies and see that they too have taken the easy way out and plopped in what is still a “gold standard,” the CISSP. Is it fair? No, it is not. I know lots of fully qualified candidates for positions that they cannot get past HR to present themselves to the hiring manager because they lack the “required” series of letters after their name. Solution? Perhaps a standardized skills / knowledge matrix?

  • jimmy toriola

    I believe that the best thing for HR to do is look for candidates with experience.

    Jimmy Toriola

    • You have to have experience as well as theoretical knowledge to be CISSP certified. Whether it’s the right experience is another matter: certifications are a healthy indicator in the right context, but not the only indicator. But HR teams are not usually best qualified to judge between a certified and experienced professional, and an experienced but uncertified professional. Which is why security post interviews aren’t usually conducted by just HR people. Or shouldn’t be… In real life, experienced people without the ‘right’ certifications may be filtered out by HR before the people best able to make those judgements are involved, and that’s a risk that companies should be wary of.

  • There is no question that employers put way too heavy of an emphasis on certifications and, as you mentioned, even require them when they are not needed for the position. From an employer’s standpoint they want to hire qualified people, but on the other side of the spectrum you have people that are good at studying and taking tests but have very little to no real-world practical experience. I would take the latter anytime before the former if I were a hiring manager.

Copyright © 2018 ESET, All Rights Reserved.