In case you haven't heard, a bunch of folks in our industry are pretty fired up. They've gotten it in their head that the worst thing that could possibly happen to the noble institution that is CISSP is for college students to get certified. The contention is that CISSP is supposed to just be for security practitioners, and college students can't have the type of real-world experience required in order to legitimately obtain the cert. ISC^2 retorts that they are not giving away *real* CISSPs - but instead a sort of "CISSP-lite" that would be in place until the students got the experience required to move to the full-blown CISSP once they've cut their teeth.
All the brouhaha leads me to once again question the current certification process. Clearly there are issues, and all you have to do to see them is consider the "value" of the CISSP to the practitioner vs. the "value" of the CISSP to ISC^2. There's a fundamental disconnect between what motivates people to get CISSPs and what motivates ISC^2 to give it out. Look, the practitioner derives value from holding a CISSP due to its "exclusivity"; in other words, the fewer people that have the certification, the more valuable it is to the credential holder - that's why this issue with the college students is causing such a ruckus - it decreases the exclusivity of the cert. On the other hand, ISC^2 (as a for-profit entity) derives "value" from the CISSP due to popularity. That is, the more popular the cert is, the more people they can get certified; the more people get certified, the more money they make - that's why the college students thing seems like such a good idea to ISC^2. These two sets of goals, while balanced for the short term, are at odds over the long term.
Of course, the true malcontent would say that the value of the CISSP is neither about popularity nor exclusivity, but is instead about utility. In which case, CISSP is already being eclipsed by yet another security certification - the most majestic of certs - the PI license. Umm... Yeah. See, since information security is (as a whole) an unlicensed discipline, practitioners without CISSPs are just as free to practice as those with - CISSP may (or may not) increase your salary, but it doesn't do bupkis for your ability to do the work. However, a PI license is starting to be mandatory for some areas of infosec. Laughable though it may seem, some states such as Georgia are requiring infosec practitioners to have a PI license in order to provide expert testimony in a court of law. More specifically, when the case involves "acquiring evidence" (e.g. forensics and incident response), only the evidence of a licensed PI is acceptable. So Remington Steele, Magnum PI, or any other cheesy eighties dick has a better chance of getting a slot as an expert witness in a Georgia courtroom than a trained CISSP, CISM, CPA, CPR, CLAP, or any other combination of letters - unless that CISSP is really a CISSPPI (CISSP with a PI).
So the question to ask if you want to get certified probably isn't "how much experience do you have in security?" but "do you look better in a tux or a Hawaiian shirt?"
Posted by Ed at May 15, 2006 11:28 AM