Security Basics mailing list archives
RE: CISSP Question
From: "David Harley" <david.a.harley () gmail com>
Date: Fri, 11 May 2007 10:49:51 +0100
A point is that it can be cheap to run these certifications. It is currently being done, with better results, and with a smaller pool of customers.
I'm not sure what you mean by this. That there are cheaper certs that you rate more highly? There are more expensive certs that I rate less highly. :)
Which is why I do have an inherent distrust of certification companies.
I think we'd noticed. :)
It is the difference between a $400 cert and a $50 cert. If everyone can actually have the chance to obtain the certification without any adverse financial hardships, then you will have a cert that will be closer to actually representing a baseline.
The baseline that I'm talking about is the level of a cert-holder's knowledge of the field being tested, not the ratio of potential to actual cert holders. The cert costs what it costs. (ISC)2 is a not-for-profit organization: it charges, I presume, what it thinks will cover its costs. I wouldn't have said it was particularly expensive for the cert, or to maintain it. The cost of a bootcamp is a different issue. You don't have to do that through (ISC)2, or at all.
Right now there are too many people out there that can easily pass these tests, but do not take them for one reason or another. (Usually price is a big motivation.)
There you go again. You're assuming (a) that the test is easy and (b) that the cert is a matter of passing the test. I'm sorry if there are people who -could- earn the cert but don't because they literally can't afford it, but I doubt if there are many of them. Not doing the cert because you have other uses for the money, or because you think your employer should bear some or all of the cost, is another issue entirely.
-To supply training for the certs? This is very counter productive to a certification. Are you going to teach the people, what they need to know, to pass a test to prove that they do indeed have experience and training in this skill (As is the case in SANS certs and boot camps)?
The SANS approach is quite a lot different. Not invalid, just different. The CISSP test is not a test of experience, or even of skill, IMHO. It's a test of knowledge of the CBK, which means that it's fairly abstract. I don't think it's meant to prove conclusively that you have in-depth knowledge all across ten domains: only that you can demonstrate reasonable understanding through a long and fairly exhaustive test. I reiterate: passing the test does not qualify you as a CISSP, any more than 4 years experience in the field does. It's the combination of an objective test and proven experience, plus a commitment to an ethical standard, that makes up the certification. I'm not saying it's impossible to do an intensive course and get through the test with no prior knowledge, but that wouldn't make you eligible for the cert.
I can understand offering a review class or something of the sort, just to go over broadly what is covered and how the test is laid out. That is test prep work, and that is more understandable than an actual class covering what they are already supposed to know.
Actually, that's pretty much how I'd regard the CBK review. And, in fact, the review and the test aren't particularly tightly coupled. You don't have to go through (ISC)2 to do the review: in fact, you don't have to do the review at all.

https://www.isc2.org/cgi-bin/content.cgi?page=806

In particular: "Q: What is a CBK Review Seminar? Will it help me with the examination? Why should I take the CBK Review Seminar? Is it required? A: The CBK Review Seminars are voluntary and provide an intensive review of the knowledge, skills and abilities necessary for competent practice of the relevant professional role (CISSP®, SSCP®, CAPCM, etc.). While these intensive reviews cannot substitute for years of experience, they have proven to be effective methods for re-familiarizing and updating candidates in the major domains of competence necessary for successful practice. The seminars are not designed to "teach" information security or certification and accreditation, as attendees are assumed to already be practicing professionals. Rather, the intent is to provide a solid base of information for supplementing and refreshing the candidate's knowledge. The CBK serves as the basis for the curriculum, while the test specifications serve as the basis for the examination. For more information, go to CBK Review Seminar; and for more information about the examination specifications, go to the free Study Guides/Candidate Information Bulletins."

I think we've seen too much extrapolation from singular cases to generalities in this thread, but I'll tell you this anyway. At around the same time I did the CISSP exam, I also did an ITIL cert and 7799 lead auditor certification. For ITIL and 7799 I did an intensive course with an exam at the end. For CISSP, I did the test about a year after I did the review. Which means, by your criteria, that CISSP was the only -valid- cert I hold from that period. (In fact, most of the other And, actually, you're right.
Without real-life experience behind them, those other certs prove only theoretical knowledge, not practical skill, and in many contexts that simply isn't enough. The bone of contention here is that you're still assuming the same applies to CISSP, whereas CISSP indicates a measure of experience and theoretical knowledge. I wouldn't claim that it's perfect, but it's a lot less imperfect than some of the IT certs I've sat through.
-And finally, man hours for administering the tests. I can understand this cost, but then after taking the test, what is the purpose of the annual maintenance fee?
https://www.isc2.org/cgi-bin/content.cgi?category=84:

"Q: Does (ISC)² collect fees from certified individuals? A: Individuals credentialed by (ISC)² pay annual maintenance fees (AMF) to maintain their certifications. The fees are used to recover the costs for administering the continuing education and recertification processes and to maintain individual records. AMFs are not used to support (ISC)² general operations. Q: Where does (ISC)² get the revenue to develop its programs? A: (ISC)² is wholly funded through the collection of examination, seminar, and annual maintenance fees. (ISC)² does not receive grants or other financial support from any government or outside agency."
Now SANS is all messed up. I can understand the use of certifications, and I think they are more credible than most since they started as a repository for various security-related information. But then they also run these boot camps that teach you what they are trying to prove that you have a skill set in. That is just backwards. No other company I have found blatantly offers a crash course in their certifications. That just reeks of a money-making scam.
I think that's a little harsh. There are certainly arguments for separating the teaching, testing, and certification functions. But in fact, there is a degree of separation between SANS, GIAC and the SANS Technology Institute. http://www.sans.edu/

--
David Harley CISSP, Small Blue-Green World
Security Author/Editor/Consultant/Researcher
AVIEN Guide to Malware: http://www.smallblue-greenworld.co.uk/pages/avienguide.html
Security Bibliography: http://www.smallblue-greenworld.co.uk/pages/bibliography.html