There’s been quite a lot of conversation on Twitter by the InfoSec community about the CISSP. Most of the hubbub has been generated by the Skytalk given by Timmay and a little help from Jericho at attrition.org. I was one of the fortunate folks to have a (nearly) front-row seat for this talk and I’ll be the first to say that I agree 100% with what was said. The title of the talk was “Why You Should Not Get A CISSP” – not “All CISSPs Are Dipshits” or “If You Have A CISSP: Kill Yourself” or “You Shouldn’t Be Hired In The InfoSec Community If You Have A CISSP”. There are plenty of folks out there who have a CISSP and are great assets to the community and are far better InfoSec folks than yours truly. The main point of the talk was how the claims of the (ISC)2 regarding the CISSP don’t hold true. Timmay did a great job debunking their claims and had solid evidence to back it up. Jericho’s bit in the talk was on the ethics portion and why the CISSP isn’t all that and a bag of Fritos. I’ve linked to the Skytalk slides earlier in this post; if you’d like more information on the ethics part, I’ll point you to attrition’s rant. I will state that several of my points in this blog are directly from the Skytalk and/or the attrition site. I don’t want Jericho to be plastering my name on his site any time in the near future. :)
I, myself, don’t have a CISSP. I don’t ever plan on getting it unless it’s absolutely required (e.g. DoD work, etc.). I’ve read the material in several iterations over the past years and it honestly hasn’t changed much since the first time I looked it over back in 2005. I’ve applied for (and got) jobs in the past that said a CISSP was required; however, I usually had to do a bit of trickery to my resume to get to the first interview. Several years ago, I added “Actively working towards the CISSP” in the certifications section of my resume. This would usually get me past the first hurdle and get my foot in the door. Once they talked to me for 10-20 minutes, they’d see that just because I don’t have letters after my name, I was still a credible InfoSec candidate. A few years back, I decided to change the wording a bit: “Does not hold the CISSP certification”. Funny enough, this worked just as well if not better! I would get questioned about it, but nobody has required me to obtain the certification. I will say that I do hold a B.S. in Computer Technology from Purdue with a bit of my Masters in InfoSec as well – though my 8 months of Masters work doesn’t appear on my resume. It’s also worth noting that my work and residence are in Indiana: the brain drain of the USA. Usually once people get their education in Indiana, they leave. Plain and simple. The job market is better elsewhere and unless you’re fortunate enough to find a good-paying job around here, it’s usually easier to find work in other states. I will say this: I probably know about 40 or so people with certs from the (ISC)2 in Indiana (I may know more, but they haven’t mentioned that they have one) – out of those 40, I would probably only trust the opinion of roughly 7 of them. The majority of them like to regurgitate buzzwords from the latest sales pitch they were thrown by $securityvendor. They’re also the ones that brag about their security prowess and form little cliques in larger InfoSec gatherings.
I don’t have time for that type of dumbfuckery.
Back to the CISSP. It’s now being compared to the MCSE in the 1990s – you do a brain dump for 7 days, take the test, get more than 70% and BOOM! CISSP acquired! You don’t need to have a real working knowledge of security to pass this certification. Employers were champing at the bit to get folks with MCSEs back in the ’90s, and companies looking for InfoSec folks (at least from the job search stats shown in the talk) “desire” it…some “require” it. I throw the CISSP in the same ring as the C|EH. Both provide some historical data, but they’re broad. Just because somebody has a C|EH doesn’t mean that I want to immediately utilize this person for penetration testing services. I’d rather have the one who has the years of service under their belt and can talk coherently about the topic. Again, that’s not to say there aren’t C|EHs out there who can; but there is definitely a collective of them who wouldn’t know what to do with a shell with privileged access if it was given to them.
Then there’s the code of ethics. Technically, by attending Defcon (a convention the (ISC)2 has said they do not condone) you’re violating their CoE and your CISSP should be revoked. However, this will lead to another issue: if somebody wants to report you to the (ISC)2, it must be done via a certified letter and reviewed by a committee. From what was told in the talk, you more or less have to go on a shooting spree for them to revoke your certification.
However…there may be hope! The (ISC)2 appointed Wim to the board back in Jan 2012 and indi more recently. It’s going to take a lot more than two guys to turn this around, but it’s a start. Does the (ISC)2 have a permanent black eye from its past years? Is there a chance it can redeem itself as a worthwhile cert in the minds of some folks in the community?
I’ll say this again in closing: I don’t think you’re a douchebag if you have a CISSP, a C|EH, or any other certification. I’ll think you’re a douchebag if you act like an elitist prick who can’t back up their talk and actions in the InfoSec community.