As I was scanning the presentations delivered last week at Defcon/SkyTalks, one really jumped out at me. Presenter Timmay delivered a provocative session entitled "Why You Should Not Get a CISSP" -- a topic I recall as being hotly debated five years ago. As Timmay puts it, "For two decades, the flagship offering of the (ISC)2 [International Information Systems Security Certification Consortium] has been the CISSP, widely regarded as the only must-have certification for information security practitioners. But has it stood the test of time?... We explore the 10 domains of the CBK [the "common body of knowledge" upon which the certification exam is based], how the test has changed, and whether or not bothering with this certification can even help your career."
His slide presentation (PDF) packs a wallop.
If you're not familiar with the CISSP, here's a primer: In order to gain CISSP certification, you need to have five years of infosec experience (or four years and a degree) and endorsement from another CISSP, plus you have to score at least 70 percent on a 250-question multiple-choice test. Then, if you agree to adhere to the (ISC)2 code of ethics and claim to have a clean criminal history, you're in. CISSP certification has to be renewed every three years, with continuing education requirements: taking classes, attending conferences and seminars, teaching, volunteering, writing.
Last year, as Eric Parizo discusses in a SearchSecurity article, the (ISC)2 came under fire for trying to "dramatically swell its CISSP ranks ... the organization's top priority -- funneling as many qualified information security professionals to employers as it can -- is at odds with some CISSPs who fear their hard-earned certification is being watered down by a bevy of inexperienced applicants." He goes on to explain the organization's quandary: "Despite more than 76,000 active CISSPs worldwide and 3,200 who took the test last December, [companies] can't find enough qualified infosec pros to work for them."
(ISC)2 Executive Director W. Hord Tipton put it this way, "I need to find 2 million people in three years to come close to meeting the expected need."
The dollars-and-cents value of a CISSP certification is hotly debated. The Simply Hired website, for example, shows that the average U.S. salary for all of their job listings that contain the term "cissp" is $80,000. PayScale.com shows salaries for CISSPers from $60,000 to $160,000 -- quite a spread. Of course, salary surveys and comparisons are subject to all sorts of problems.
At least in some cases, CISSP holders aren't a happy lot. Last September, Laura Raderman talked about her angst on the Security Musings blog: "I pay (ISC)2 only because I have to to keep my CISSP.... I'm not a member because I believe in their mission or their goals. I think they're overpriced and useless to me other than maintaining my credential."