A presentation at the Black Hat conference says the Certified Information Systems Security Professional imprimatur isn't nearly as valuable as it used to be.

As I was scanning the presentations delivered last week at Defcon/SkyTalks, one really jumped out at me. Presenter Timmay delivered a provocative session entitled "Why You Should Not Get a CISSP," a topic I recall as being hotly debated five years ago. As Timmay puts it, "For two decades, the flagship offering of the (ISC)2 [International Information Systems Security Certification Consortium] has been the CISSP, widely regarded as the only must-have certification for information security practitioners. But has it stood the test of time?... We explore the 10 domains of the CBK [the "common body of knowledge" upon which the certification exam is based], how the test has changed, and whether or not bothering with this certification can even help your career."

His slide presentation (PDF) packs a wallop.

If you're not familiar with the CISSP, here's a primer. To gain CISSP certification, you need five years of paid infosec work experience (or four years plus a four-year college degree, which waives one year) and an endorsement from an (ISC)2-certified professional in good standing, and you have to achieve a scaled score of at least 700 out of 1,000 on a 250-question multiple-choice exam. Then, if you agree to adhere to the (ISC)2 code of ethics and attest to a clean criminal history, you're in. The certification has to be renewed every three years by earning continuing professional education (CPE) credits: taking classes, attending conferences and seminars, teaching, volunteering, writing.
Last year, as Eric Parizo discusses in a SearchSecurity article, the (ISC)2 came under fire for trying to "dramatically swell its CISSP ranks ... the organization's top priority -- funneling as many qualified information security professionals to employers as it can -- is at odds with some CISSPs who fear their hard-earned certification is being watered down by a bevy of inexperienced applicants." He goes on to explain the organization's quandary: "Despite more than 76,000 active CISSPs worldwide and 3,200 who took the test last December, [companies] can't find enough qualified infosec pros to work for them."

(ISC)2 Executive Director W. Hord Tipton put it this way: "I need to find 2 million people in three years to come close to meeting the expected need."

The dollars-and-cents value of a CISSP certification is hotly debated. The Simply Hired website, for example, shows that the average U.S. salary for all of its job listings that contain the term "cissp" is $80,000. PayScale.com shows salaries for CISSP holders ranging from $60,000 to $160,000, quite a spread. Of course, salary surveys and comparisons are subject to all sorts of problems, not least that a listing mentioning "cissp" tells you nothing about whether the certification drove the pay.

At least in some cases, CISSP holders aren't a happy lot. Last September, Laura Raderman talked about her angst on the Security Musings blog: "I pay (ISC)2 only because I have to to keep my CISSP.... I'm not a member because I believe in their mission or their goals. I think they're overpriced and useless to me other than maintaining my credential."

Timmay's presentation, as might be anticipated from the title, tears CISSP a new orifice. There's been little change to the structure of the "common body of knowledge" in the past 15 years, while the nature of attacks changes at Internet speed. He claims that the CBK is too broad to accommodate in-depth questions: "This means that it can't get hard enough to keep idiots from cramming and passing ... any idiot can pass."

Is a CISSP required in order to get a good infosec job? Another hot issue.
Timmay put together a series of searches of major hiring websites (monster.com, dice.com, indeed.com, simplyhired.com) and came to the conclusion that the large majority of infosec jobs currently advertised don't even mention CISSP or, if they do, don't require it. And when it comes to the CISSP code of ethics, Timmay takes no prisoners, showcasing a litany of transgressions and transgressors that spans many slides.

Where does that leave infosec certification? While CISSP is considered by many to be the premier certification in the field, it's by no means the only one, and there's no rule that says you can hold only one. Here are a few alternatives:

CEH (Certified Ethical Hacker): Widely viewed as easier to earn than a CISSP, but with a different slant. The CEH takes a more hands-on and less theoretical approach, with broad exposure to infosec tools.

CISA (Certified Information Systems Auditor): Takes an auditing approach to the infosec industry. You need five years of experience in information systems audit, control, or security.

OSCP (Offensive Security Certified Professional): Emphasizes hands-on penetration testing. No multiple choice; you're put in a lab and get points for compromising the target machines.

There are dozens of additional certifications and certifying organizations, of varying quality. Many universities these days have infosec study options that may prove more valuable to employers than any of the independent testing groups. One thing's for sure: The demand for capable infosec professionals has never been higher, and it isn't going to taper off any time soon.

This story, "Is CISSP certification worth the effort?," was originally published at InfoWorld.com.