Friday, December 6, 2013

The CISSP Badge of Security Competency

It can be a security conference anywhere around the world and, after a few beers with the attendees, you can guarantee the topic of CISSP will come up. Very rarely will it be positive. You see, CISSP has become the cockroach of the security community and it just won't die. They say that cockroaches could survive a nuclear winter... I'm pretty sure CISSP is just as resilient.

Personally, I think CISSP gets an unfair hearing. I don't see CISSP as a security competency certification (regardless of those folks who sell it or perceive it as such), rather I interpret it like a badge on a Girl Scout's sash that signifies completion of a rote task... like learning how to deliver CPR. It's a certification that reflects an understanding of the raw concepts and vocabulary, not a measure of competency. Just like the Girl Scout with the CPR badge has the potential to be a competent medic in the future, for now it's a "well done, you understand the concepts" kind of deal.

If that's the case, then why, as a security professional, would practitioners not be lining up to have their own CISSP accreditation? In a large way, it's a bit like requiring that aforementioned (and accomplished) professional medic to sit the Girl Scout CPR exam and to proudly show off her new badge afterwards. To many folks, both scenarios are likely to be interpreted as an insult. I think this is one of the reasons why the professional security practitioner community is so against CISSP (and other security accreditations) - and causes the resultant backlash. The fact that many businesses are now asking for CISSP qualification as part of their recruitment vetting processes just adds salt to the wounds.

I see the CISSP certification as a great program for IT professionals (web developers, system administrators, backup operators, etc.) in order to gain the minimum level of understanding of what security means for them to do their jobs.

Drawing once again from the CPR badge analogy, I think that everyone who works in an office should do a first aid course and be competent in CPR. It just makes sense to have that basic understanding available in a time of need. However, the purpose of gaining those skills is to keep the patient alive until a professional can arrive and take over. This is exactly how I see CISSP operating in modern IT departments.

I think that if CISSP were positioned more appropriately as an "IT health" badge of minimum competency, then much of the backlash from the security community would die down.

-- Gunter Ollmann

1 comment:

  1. Taking the CISSP test is not the worst of it. It's the ongoing requirements to maintain your CISSP in good standing.