CISSP - A Certified Waste of Time
In which your intrepid columnist hands over $450 to sit for the CISSP exam,
only to conclude that it measures little of value.
By Jon Lasser
Mar 13 2002 8:07AM PT

This past Saturday, I felt like I was seventeen again. And, at least in this
case, that's not a good thing.

For more than three hours, I filled in little bubbles with a number two
pencil and gnawed nervously at my fingernails. I was taking the CISSP
certification exam, from the (ISC)^2. (That's pronounced "ISC Squared," if
you're curious, and it stands for International Information Systems Security
Certification Consortium. CISSP stands for Certified Information Systems
Security Professional.)

While I would guess that I passed the exam (I'll find out in a few weeks),
overall I was not impressed. If you want a test that proves that the taker
has absorbed a large body of largely meaningless and mostly irrelevant data,
this does the trick.

The test consists of 250 multiple-choice questions (twenty-five of which are
being tested for future exams, and are not scored) taken from ten "security
domains," that collectively form what the organization calls the "Common Body
of Knowledge" (CBK) -- a very broad, but very shallow, overview of computer
security that the (ISC)^2 Web site claims "is a compilation and distillation
of all security information collected of relevance to Information Security."

That's quite a tall order. But even if all security information could be
distilled into a body of facts, it would be of use to almost nobody.

And that's the problem with the CISSP test. The facts on the exam are the
wrong sorts of facts: things that should be looked up in books when
necessary, because they're not relevant on a day-to-day basis. If I need to
know how many rounds are used by the DES cipher, I can look it up.
Jon Lasser is the author of Think Unix (2000, Que), an introduction to Linux
and Unix for power users. Jon has been involved with Linux and Unix since
1993 and is project coordinator for Bastille Linux, a security hardening
package for various Linux distributions. He is a computer security
consultant in Baltimore, MD.

Passing the test does not demonstrate in-depth technical knowledge in any of
the security domains: a CISSP is not necessarily qualified for one job or
another. The abstract "security expertise" upon which the CBK is premised
would not suit an intrusion analyst, a VPN designer or a security-conscious
system administrator. I certainly wouldn't hire a professional to audit my
systems on the basis of the certification.

Nor would I look for the certification in hiring a manager of security
professionals. To be sure, a broad base of security knowledge is needed by
managers who deal with information security issues, but they least of all
people should be concerned with the sort of detail present on the test: not
even the most anal-retentive manager needs to know the number of rounds in
the DES cipher.

I should point out that the "number of rounds of DES" was a question I had
on a practice test, and is not one of the questions from the exam, which I'm
prohibited from revealing. This is one of the big laughs about the test for
me: they're practicing juvenile cloak-and-dagger security through obscurity.
They make you sign a sheet of paper saying that you won't discuss the
questions on the test -- not only when you're taking the test, but
afterwards as well.

You don't even find out what your score was, only whether or not you passed;
they won't admit to scoring on a curve, nor will they share the "passing
score" if there is one -- as though these measures will protect the test.

Ponying Up the Dough
In my experience, this sort of test rewards people who are good test-takers,
and who can absorb a large body of free-floating facts and pseudo-facts. The
CISSP exam is too broad to demonstrate suitability for any particular job.

A truly meaningful certification would be more specific, concentrating on a
single job function or area, and would have some way to measure the broad
problem-solving ability which seems to be the single most important
qualification for security people.

One advantage promised to test-takers by the (ISC)^2 is that it is a "career
differentiator," but at the test I took, I would guess that there were 100
candidates for the test. The test is given at a number of locations every
month -- nearly twenty-five tests are scheduled for April alone. If
thousands of people a year get the certification, soon it ceases to
differentiate.

In the meantime, of course, the (ISC)^2 and the sites that administer the
test get $450, plus the proceeds from whatever courses people take from them
to prepare, plus sales of books, review materials, and the rest of it.

Why would a company specifically want to hire a CISSP? The Web site claims,
among other reasons, that the CISSP exam "Provides a solutions-orientation,
not specialization, particularly with the broader understanding of the IS
CBK." Does that clear things up?

Perhaps corporations looking to hire CISSPs are aware that they are unable
to evaluate computer security professionals, and are looking to offload some
of that burden. But "solutions orientation" is not enough: companies need to
evaluate the specialized skills relevant to the open position. The CISSP
fails them in that regard, while helping few professionals in any other
visible respect.

People whose careers are tied directly to certifications in general or this
certification in particular should take the test: if your job requires the
cert, or if it will get you a raise, you should absolutely go for it. If
not, I would think long and hard before signing up and handing over your
money.
