Putting the CISSP and other certifications into perspective

Principal Security Consultant at Amazon Web Services

Certifications exist for a specific reason. Like many other things in life, they are proxies that help non-specialised people assess someone who has specialty knowledge, skills, or abilities. In the case of the CISSP, it is a knowledge-based exam and a knowledge-based certification. It proves you know things. Anyone saying otherwise doesn’t understand how certifications work. For clarity, I’m on ISC²’s European Advisory Council and I have authored items for the CISSP exam. My comments don’t represent ISC² or anyone else. These are just my personal opinions.

Knowledge, Skills and Abilities

Knowledge-based certifications like this are meant to assess knowledge that you acquired by whatever means. Contrast a professional cert with a university degree: when you go to a university, you are expected to enter with your head empty, the university fills it with knowledge, then measures the fullness with some exams. Universities test you on what they taught you and nothing else. The CISSP and other professional certifications test you having no idea how you acquired your knowledge. Did you work 10 years in the industry and then sit for the exam? Did you cram at a weekend bootcamp and learn just enough to pass? There is no formal curriculum you must follow before you take the exam. There are some basic endorsement and industry-experience prerequisites, but that’s it. We try hard to write exam items that will be very difficult to guess at if you’ve never done real work in the field¹.

Other certifications are tests of skills because they require you to execute a task under controlled laboratory conditions and achieve a certain outcome. They can then say with confidence that they have observed you demonstrate this skill. The CISSP lacks any observed task, so it cannot be called a skill-based assessment. (“Abilities” don’t usually get tested in infosec. They tend to be based on a person’s physical capabilities, like typing speed with accuracy.)

There are a bunch of common arguments about the CISSP:

What if the hiring firm misuses the CISSP?

Maybe they think it’s some magic certification. Maybe they think it means X, Y, or Z. Well, there isn’t much any of us can do about that. ISC² does as much as they can to educate non-specialists about what the certification does and doesn’t mean.

Consider this: if you possess the knowledge to directly assess an information security professional’s capabilities, then the CISSP is not meant to be telling you something you don’t know or can’t figure out. If the CISSP got that resume past HR and onto your desk so you can really evaluate the candidate, then it did its job. The purpose of the CISSP is for people who cannot assess directly (HR, management, etc.). And it’s not some magical cert that should be a tick box. “Oh, you have a valid CISSP? You’re hired.” What if the company isn’t considering people who don’t have the CISSP? Well, we’ll get to that.

I don’t care about certifications when I hire. I know what I want and I know how to recognise it.

Good for you. Don’t throw shade on those of us who need a bit of help. Moreover, remember that the “I will recognise talent when I see it” methodology doesn’t scale beyond your own corpus callosum. When you start hiring dozens of people in multiple countries and languages, you’ll probably recognise the value of a credential like the CISSP as a baseline prerequisite. If your team is so small you can do all the screening and hiring personally, then yeah, maybe the CISSP isn’t helping you much. But don’t knock the candidate for having it. As you’ll see below, it’s in their long-term career interest to have it—even if it didn’t help them get a job working for you.

I’m as smart or smarter than some CISSPs. I’m just as qualified as they are. I just don’t have the certification.

Well, if you’re just as qualified, take the exam and prove it. Then you’ll be qualified in the same way, literally rather than virtually. The difference between someone who has demonstrated knowledge under controlled conditions and someone who has not demonstrated knowledge under controlled conditions is exactly that: they demonstrated their knowledge under exam conditions and you didn’t. If you’re just as good, then just go do the exam and quit moaning about it.

It’s expensive. Why should I pay for that dumb certification?

You pay for it because it has value. There is an awful lot of angst about the fact that people who have CISSPs get considered for opportunities that people without CISSPs do not get considered for. That value has been created by an organisation spending 24 years administering a standardised test according to rigorous standards and earning the industry’s trust. If you really are qualified, then you will probably earn more money having a CISSP than not having it. The return on investment is well documented, especially if you look across an entire career. In the survey of 15 Top-Paying IT Certifications for 2018, the CISSP is in the top 5 and has been in the top 5 for many years. The data suggest that CISSPs earn a fair bit more than their equivalent uncertified colleagues.

This is not a cynical “pay to play” argument. Non-security people came to the infosec industry and said “we can’t figure out who is qualified and who isn’t. Give us a certification.” This was the industry’s response. It is staffed, maintained, and kept up to date year after year by industry experts. Having those industry experts spend time and effort maintaining the certification costs money. You are helping to pay for the value that is built this way.

The Annual Maintenance Fee that gives people so much heartburn is around $100 per year. All the data suggests that, on average, your salary is increased by far more than $100 per year by having this certification. The fact that people without certifications are on sites like Peerlyst complaining that they’re not being considered for good positions seems to confirm this value.

Well those hiring companies are dumb, they shouldn’t use the CISSP like this.

Are you sure? The CISSP was launched in 1994. Chances are good that it has been part of the industry longer than you have. If it was such a bad way to select candidates, wouldn’t firms have abandoned it by now? They have had ample time to gather experience on whether it’s a useful proxy for knowledge. ISC² knows that if it isn’t maintained and kept relevant, it will be abandoned. So they spend a lot of time and money year after year to keep it up to date (which is where some of your maintenance fee goes).

If a company wants to hire industry elites, putting “CISSP required” will drive them away.

You might be right, and that might be OK. Consider a “commercial driving licence.” In most countries, a CDL is required if you want to drive a delivery van, a taxi, or do just about any kind of driving as your profession. If you’re scouting for Formula One race car drivers, rally drivers, or chauffeurs for heads of state, you don’t look for CDLs. It is not a mark of the skills you need. The CISSP is a competence and knowledge measure, not the mark of some uber-elite black-ops hax0r. On the flip side, if you are an uber-elite black-ops hax0r and you want to convince management that you also speak their language, a CISSP helps. They can’t evaluate your l33t pwnage, but your professional credentials show them that you can relate to their world.

Frankly, the CISSP is table stakes for working in some enterprise environments. Let’s face it: the corporate culture of some organisations means that you need to work within certain rule systems and mechanisms in order to get things done. If the constraints of this system chafe you, this is probably a good indicator that it’s not a cultural fit for you. This prospective employer is telling you something: They think the right candidate for them is happy to demonstrate competence through a standardised test. If you’re not happy to do that, you might not be the right candidate for the job. Your choices are basically to change your outlook or work for someone else.

Fine. Whatever. I’m still not getting a CISSP.

That’s totally OK. And I respect you and your choice. InfoSec is a huge and diverse field. I subscribe to the “big tent” school of thinking. We really do need all kinds in the field. There are going to be firms that think like you do, and they’ll be glad to have you working for them. IT has people happy to work on Windows, work on Mac, work on Linux. IT has people happy to work in the cloud and happy to work on-premises. We need all these different kinds of people. There are InfoSec people who work well in an environment of certifications and demonstrated knowledge and people who don’t work that way.

Know yourself. If the certification isn’t for you, that’s fine. Look elsewhere for jobs that fit you. But in the same way that I’m not throwing shade on you for eschewing the certification, don’t throw shade on those of us who get it. Whether we are certified or not, we all still earn our keep each day.
