Wednesday 10 July 2013

CISSP: Don't hate the cert, hate the way it's abused

It's almost 10 months to the day that I passed the (ISC)2 CISSP exam. What have I gained? Well, if I'm honest, not very much.

I updated my LinkedIn profile, my website and even told a few friends. I sat back and waited for the job offers to come flooding in, and I waited, and I waited. And nothing happened.

This is not right! Why am I not lording it up in an InfoSec role being paid an extortionate salary, angels playing harps and beautiful people feeding me peeled grapes? I tell you why, because a CISSP is not a free ticket to paradise, it's a qualification from an exam you (hopefully) pass. It shows an ability to understand the content and apply it, in, let's be honest, a bloody difficult exam. But when/if you pass you don't become an InfoSec rock star overnight! It's your experience and knowledge that make you good, or bad.

I can see why the CISSP gets a hard time. I ran a few job searches for CISSP and the spread of roles that 'require' CISSP is nuts. Network Engineers, Security Analysts (which, when you read the details, were just dealing with AV deployments, patching), Pen Testers etc. These are not roles that the cert brings anything to.

I remember my instructor saying on day 1:
"This is a business cert, not a technical one"
HR, recruitment, and I think a great deal of the industry miss that and so abuse the cert by making it an obligatory requirement for technical roles. This is where I think the issue lies.

So don't blame the cert, I think there's a place for it. Blame the way industry uses it.