Is CISSP certification worth the effort?

A presentation at the Black Hat conference says the Certified Information Systems Security Professional imprimatur isn't nearly as valuable as it used to be

Page 2 of 2

Timmay's presentation, as might be anticipated from the title, tears CISSP a new orifice. There's been little change to the structure of the "common body of knowledge" in the past 15 years, while the nature of attacks changes at Internet speed. He claims that the CBK is too broad to accommodate in-depth questions. "This means that it can't get hard enough to keep idiots from cramming and passing ... any idiot can pass."

Is a CISSP required in order to get a good infosec job? Another hot issue. Timmay put together a series of searches of major hiring websites --,,, -- and came to the conclusion that the large majority of infosec jobs currently advertised don't even mention CISSP or, if they do, don't require a CISSP.

And when it comes to the CISSP code of ethics, Timmay takes no prisoners, showcasing a litany of transgressions and transgressors that spans many slides.

Where does that leave infosec certification? While CISSP is considered by many to be the premiere certification in the field, it's by no means the only one, and there's no rule that says you can hold only one. Here are a few alternatives:

  • CEH (Certified Ethical Hacker): Widely viewed as being easier to earn than a CISSP, but with a different slant. The CEH takes a more hands-on and less theoretical approach, with a broad exposure to infosec tools.
  • CISA (Certified Information Systems Auditor): Takes an auditing approach to the infosec industry. You need to have five years of experience in info systems audit, control, or in infosec.
  • OSCP (Offensive Security Certified Professional): Emphasizes hands-on penetration testing. No multiple choice; you're put in a lab and get points for hacking the boxes.

There are dozens of additional certifications and certifying organizations, of varying quality. Many universities these days have infosec study options that may prove more valuable to employers than any of the independent testing groups.

One thing's for sure: The demand for capable infosec professionals has never been higher -- and it isn't going to taper off any time soon.

This story, "Is CISSP certification worth the effort?," was originally published at Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest developments in business technology news, follow on Twitter.


Copyright © 2012 IDG Communications, Inc.
