Security Basics mailing list archives

RE: CISSP Question


From: "David Harley" <david.a.harley () gmail com>
Date: Fri, 11 May 2007 10:49:51 +0100

A point is that it can be cheap to run these certifications. 
It is currently being done, with better results, and with a 
smaller pool of customers.

I'm not sure what you mean by this. That there are cheaper certs that you
rate more highly? There are more expensive certs that I rate less highly. :)

Which is why I do have an inherent 
distrust of certification companies. 

I think we'd noticed. :)

It is the difference between a $400 cert and a $50 cert. If 
everyone can actually have the chance to obtain the 
certification without any adverse financial hardships, then 
you will have a cert that will be closer to actually 
representing a baseline. 

The baseline that I'm talking about is the level of a cert-holder's
knowledge of the field being tested, not the ratio of potential to actual
cert holders. The cert costs what it costs. (ISC)2 is a not-for-profit
organization: it charges, I presume, what it thinks will cover its costs. I
wouldn't have said it was particularly expensive for the cert, or to
maintain it. The cost of a bootcamp is a different issue. You don't have to
do that through (ISC)2, or at all. 

Right now there are too many people out there that can easily 
pass these tests, but do not take them for one reason or 
another. (Usually price is a big motivation.)

There you go again. You're assuming (a) that the test is easy and (b) that the
cert is a matter of passing the test. I'm sorry if there are people who
-could- earn the cert but don't because they literally can't afford it, but
I doubt if there are many of them. Not doing the cert because you have other
uses for the money, or because you think your employer should bear some or
all of the cost, is another issue entirely.

-To supply training for the certs? This is very 
counterproductive to a certification. Are you going to teach 
people what they need to know to pass a test that is meant to 
prove they do indeed have experience and training in this skill (as 
is the case with SANS certs and boot camps)? 

The SANS approach is quite a lot different. Not invalid, just different.

The CISSP test is not a test of experience, or even of skill, IMHO. It's a
test of knowledge of the CBK, which means that it's fairly abstract. I don't
think it's meant to prove conclusively that you have in-depth knowledge all
across ten domains: only that you can demonstrate reasonable understanding
through a long and fairly exhaustive test. I reiterate: passing the test
does not qualify you as a CISSP, any more than four years' experience in the
field does. It's the combination of an objective test and proven experience,
plus a commitment to an ethical standard, that makes up the certification.

I'm not saying it's impossible to do an intensive course and get through the
test with no prior knowledge, but that wouldn't make you eligible for the
cert.

I can understand 
offering a review class or something of the sort, just to go 
over broadly what is covered and how the test is laid out. 
That is test prep work, and that is more understandable than 
an actual class covering what they are already supposed to 
know. 

Actually, that's pretty much how I'd regard the CBK review. And, in fact,
the review and the test aren't particularly tightly coupled. You don't have
to go through (ISC)2 to do the review: in fact, you don't have to do the
review at all.

https://www.isc2.org/cgi-bin/content.cgi?page=806

In particular: 

"Q: What is a CBK Review Seminar? Will it help me with the examination? Why
should I take the CBK Review Seminar? Is it required? 
A:  The CBK Review Seminars are voluntary and provide an intensive review of
the knowledge, skills and abilities necessary for competent practice of the
relevant professional role (CISSP®, SSCP®, CAPCM, etc.). While these
intensive reviews cannot substitute for years of experience, they have
proven to be effective methods for re-familiarizing and updating candidates
in the major domains of competence necessary for successful practice. The
seminars are not designed to "teach" information security or certification
and accreditation, as attendees are assumed to already be practicing
professionals. Rather, the intent is to provide a solid base of information
for supplementing and refreshing the candidate's knowledge. The CBK serves
as the basis for the curriculum, while the test specifications serve as the
basis for the examination. For more information, go to CBK Review Seminar;
and for more information about the examination specifications, go to the
free Study Guides/Candidate Information Bulletins."

I think we've seen too much extrapolation from singular cases to
generalities in this thread, but I'll tell you this anyway. At around the
same time I did the CISSP exam, I also did an ITIL cert and 7799 lead
auditor certification. For ITIL and 7799 I did an intensive course with an
exam at the end. For CISSP, I did the test about a year after I did the
review. Which means, by your criteria, that CISSP was the only -valid- cert
I hold from that period. (In fact, most of the other And, actually, you're
right. Without real-life experience behind them, those other certs prove
only theoretical knowledge, not practical skill, and in many contexts that
simply isn't enough. The bone of contention here is that you're still
assuming the same applies to CISSP, whereas CISSP indicates a measure of
experience and theoretical knowledge. I wouldn't claim that it's perfect,
but it's a lot less imperfect than some of the IT certs I've sat through.

-And finally, man-hours for administering the tests. I can 
understand this cost, but then, after taking the test, what is 
the purpose of the annual maintenance fee?

https://www.isc2.org/cgi-bin/content.cgi?category=84:

"Q: Does (ISC)² collect fees from certified individuals? 
A:  Individuals credentialed by (ISC)² pay annual maintenance fees (AMF) to
maintain their certifications. The fees are used to recover the costs for
administering the continuing education and recertification processes and to
maintain individual records. AMFs are not used to support (ISC)² general
operations. 
  
Q: Where does (ISC)² get the revenue to develop its programs?  
A: (ISC)² is wholly funded through the collection of examination, seminar,
and annual maintenance fees. (ISC)² does not receive grants or other
financial support from any government or outside agency."

Now SANS is all messed up. I can understand the use of 
certifications, and I think theirs are more credible than most, 
since they started as a repository for various security-related 
information. But then they also run these boot camps 
that teach you what they are trying to prove that you have a 
skill set in. That is just backwards. No other company I have 
found blatantly offers a crash course in its own 
certifications. That just reeks of a money-making scam.

I think that's a little harsh. There are certainly arguments for separating
the teaching, testing, and certification functions. But in fact, there is a
degree of separation between SANS, GIAC and the SANS Technology Institute. 

http://www.sans.edu/

-- 
David Harley CISSP, Small Blue-Green World
Security Author/Editor/Consultant/Researcher
AVIEN Guide to Malware:
http://www.smallblue-greenworld.co.uk/pages/avienguide.html
Security Bibliography:
http://www.smallblue-greenworld.co.uk/pages/bibliography.html
