Security Basics mailing list archives
RE: CISSP Question
From: "David Harley" <david.a.harley () gmail com>
Date: Wed, 9 May 2007 10:04:30 +0100
So if you already have 4 years of experience in management, or design, or consulting, what is the value of the CISSP? You are already doing the job that most people who are getting the certification are aiming for.
That depends on the individual. Check https://www.isc2.org/cgi-bin/content.cgi?category=1187 again. Eligibility doesn't require you to be practising or with experience in all ten domains: it requires that you give some indication that you have the experience and qualities that should help you make the best use of the baseline security knowledge that the exam tests you on, which -is- across all the domains. So:

* You might at some time want to try for a job that requires you to demonstrate knowledge of domains that don't really apply in your current job. CISSP might not (probably shouldn't) qualify you for a top job in domains in which you don't have practical experience, but does demonstrate that you have potential at or above entry level. But it's about potential, not "the awesome power of certification" to quote (probably inaccurately) a Dilbert cartoon. It isn't your CISSP, or GIAC, or your PhD, or even your ten years at the coalface that make you the right person in the right place: it's a whole aggregation of skills and qualities.

* You might feel that better acquaintanceship with the whole Common Body of Knowledge might enable you to do your job even better. FWIW, that's why I did a CBK review: I hadn't done any generalized training for a while and felt that a refresher would sharpen my skills and fill in the gaps that inevitably open when you work in a very specialized area. Going for the exam & cert was more or less an afterthought, though I'm glad I did it, and would resent any suggestion that it somehow -lessens- my credibility. It wasn't -that- easy!

* You might feel that people who can demonstrate practical skill and experience -and- theoretical knowledge sometimes have more to offer than people who have only one or the other - I certainly do. NB I said "sometimes"!

* You might want to validate your practical knowledge and experience by proving that you can meet the eligibility criteria. There are many reasons for that:
  - your employers might appreciate you better (having certified professionals on the staff has a number of potential benefits to the organization above and beyond the job the cert holder occupies: PR/credibility, access to professional networks and so on).
  - they might even pay you better.
  - you might be required to demonstrate continuing professional development in your work or your professional affiliations - (ISC)2 require this, by the way.
  - you display commitment to professional standards.

And so on.
Now of course this is a majority case, as there are people who get the cert for other reasons.
I'm not sure you've proved it's a majority case.
Experience in doing the projects, actually getting involved in the industry on your own, is the better way to spend your money than getting a certification.
Really? I wouldn't personally be inclined to pay anyone to employ me. :)

I think this is still our bone of contention. You seem to suggest that the issue is experience versus a certification. I don't think it is. You don't have to have one or the other - actually, one is rarely an adequate substitute for the other. Having both is better than having only one. But it's not absolute proof of competence (or incompetence). It's (stop me if you've heard this before) an indicator.

Jobwise, it's still down to the interviewer to ask the right questions (I don't think we're in disagreement there) and get the right independent verification to establish that the interviewee is up to the job. But how to conduct an interview properly is a whole different topic...

--
David Harley CISSP
Security Author/Editor/Consultant/Researcher
Small Blue-Green World
AVIEN Guide to Malware: http://www.smallblue-greenworld.co.uk/pages/avienguide.html
Security Bibliography: http://www.smallblue-greenworld.co.uk/pages/bibliography.html