Security Basics mailing list archives

RE: CISSP Question


From: "David Harley" <david.a.harley () gmail com>
Date: Thu, 3 May 2007 09:54:06 +0100

They focus on questions that are likely to be asked on the test.  I 
have even known some of these boot camp companies to focus on 
areas that are statistically more likely to be on the test. This is 
supposed to be a cert to validate your experience and skill, 
yes? A cram session that is teaching you new stuff is of no 
benefit to ISC2 credibility or the employer who will 
eventually hire the individual, and is not indicative of 
experience gained in the field.

The CISSP exam is not a direct test of experience or skill, IMHO, though
experience and skill won't do the aspiring CISSP any harm. It's a test of
security knowledge at a fairly abstract level, rather than of hands-on
expertise. It's broad, not deep. Yes, you can cram it. That's the nature of
exams, though this one is pretty carefully constructed to weed out rote
learners with no real understanding. Passing the exam is not sufficient to
earn the accreditation, though. You have to prove the experience by other
means, remember? 

Is it possible to abuse the system? Of course, though I doubt if it happens
as often as you seem to think.

Is it possible to be a CISSP and incompetent? Sure. 20 years of experience
doesn't prove competence either. And having the qualification says nothing
about your expertise in a given specialism (but there are other certs that
test that). Personally, if I was hiring someone for very specific skills,
I'd still like to know they had an overview and an understanding of general
principles, and CISSP is one of the better measures of that: it's not -that-
easy! But it's a baseline indicator, nothing else. It doesn't mean you're
fully qualified to audit, analyse malware, pen-test, administer a given
toolset, and so on, any more than a degree in English proves that you're a
first-class teacher, novelist, journalist or whatever. It might get you some
interviews: it probably shouldn't get you a job, not all on its own, anyway.
If employers don't understand this, well, that's the nature of HR....

Do I measure my worth in the security field by my certifications? Of course
not. But some of my clients find this one reassuring. And I'm getting tired
of feeling I have to apologise for it...

-- 
David Harley CISSP
Security Author/Editor/Consultant/Researcher
Small Blue-Green World
AVIEN Guide to Malware:
http://www.smallblue-greenworld.co.uk/pages/avienguide.html
Security Bibliography:
http://www.smallblue-greenworld.co.uk/pages/bibliography.html

 

