Tuesday, February 28, 2006

I'm finally caving in...

...and sitting the CISSP exam. I mentioned this to a few people today and got one of two reactions:

  1. They immediately lost all respect for me, or
  2. Ok, I lied. There was only one reaction.

I admit this was based on a rather limited sample, but wow. People really seem to hate the CISSP, all it stands for, its dog and the horse it rode in on.

I've read some of Richard Bejtlich's thoughts on the matter (which made quite the splash when they were originally published). I agree with him that the ISC(2) code of ethics is pretty much all the CISSP has going for it, but I don't think that explains the vituperativeness of the reactions I see whenever the CISSP is mentioned. Nor do I necessarily think it's jealousy, because most of the people I get this from could easily pass the exam (if they were willing to pony up the $500 fee).

It seems to me as though I've detected a bit of a pattern, though: the more comfortable a person is working with technical matters, the less likely they are to respect the CISSP. Is it just our geeky tendency to look down upon those things which can be done by any suit-and-tie lackey? Is the perception that CISSP == management == PHB? I don't think it's really that simple, but maybe we geeks just need someone to love to hate and Bill Gates wasn't available today.

If anyone has any theories they'd like to share, or if you hate people who hold CISSPs and would be kind enough to let me know why, please leave a comment.


Dr Anton Chuvakin said...

Here is what I've heard somewhere and I like this perspective: CISSP is a cert for "followers", not "leaders."

If you are into cramming and memorizing, go get it!

If you are into thinking, doing and leading, go make fun of it!

The only exception (when I would consider it myself) is if you *need* it for a new job.

Dr Anton Chuvakin said...

Let's also start a contest on funniest CISSP jokes. Here is one http://seclists.org/lists/incidents/2002/Jun/0148.html

David Bianco said...

I'm not sure I can agree with the "leaders vs. followers" idea. I know plenty of CISSPs who are certainly leaders. Maybe I just don't want to think of myself as a "follower." ;-)

As for CISSP jokes, here's one I just adapted from my stash of stupid jokes I tell kids:

"A CISSP walks into a bar. You'd think he would have seen it."

Ron said...
I have this cert, along with a bunch of UNIX certs. Do they prove anything other than "I can sit down and take exams"? Probably not. And they are mocked by many folks, generally the "techies". But I'm OK with that; I'll mock it as well.

But I'm a professional. The definition of a professional is "does work for money." These certs have opened enough opportunities to make them worthwhile for me. And to be honest, reviewing the ten domains was a refresher for me in a few areas of security that I don't spend that much time on.


Richard Bejtlich said...

Hi David,

One of my biggest problems with the CISSP is that many people assume the CISSP is a technical certification, when it's absolutely not.

If the CISSP were seen as a managerial certification, I would have less problem with it.

joat said...
I'd have to agree with Richard. It is more of a managerial cert than a technical cert, though it doesn't fit well in either arena. The questions are promoted as tests of your problem-solving ability but deal with corporate processes rather than technical functions.

I see the issue stemming from the fact that most of the questions are based on print media and don't rely on accuracy. The content only has to have multiple sources.

To add to Ron's comment, it does open opportunities. However, in some areas it is becoming a requirement for specific positions (to pass the HR part of the interview).

The ones that are doing the most disservice to the cert are actually the cert owners themselves. The cert gets passed off as a technical cert. A good example is specific security-related podcasts where the speaker includes his cert as part of his introduction. Unfortunately for some, the claim to expertise is often belied by the discussion that follows.

- joat