Thoughts on the CISSP certification

I’ve begun studying to take the CISSP certification.
It’s a certification that is often scorned by information security practitioners. So why would I be trying to achieve it?
Because it's held up as a gold standard for information security by people who don't know very much about information security.

I actually don't have anything against the certification itself. I think it's a decent qualification for management in a security department. The problem is that the certification is being applied too broadly. The CISSP covers a wide range of security areas (realms, as they like to call them), from cryptography to physical security to firewalls. In each realm, there is a strong emphasis on risk management and on weighing the cost of implementing security controls against their impact on usability and efficiency.

All of this makes sense for management-level positions, but it isn’t very applicable for systems administrators, penetration testers, and others in a more hands-on capacity.

Unfortunately, too often the CISSP is held up as a requirement for these positions where it is not applicable, or even at odds with the role. An administrator should be advocating for the security of the systems above all else. It’s at the management layer above that the administrator’s position should be reconciled with the needs of the users.

So, I am pursuing this certification to give myself flexibility in my career path. I may want to shift into management in the future, or I may find myself applying for a position which should not require a CISSP, but does.

Additionally, there has been a movement within the security community to elect ISC2 board members with the goal of improving the CISSP. To vote on board members you must be a CISSP holder in good standing, so if I can achieve certification, I’ll be able to cast a vote for these reformers.
