I work in a company doing security work, and I’ve been thinking about
getting my CISSP certification, but some of my coworkers tell me that it’s
a worthless certification. They’re working on vendor-based certifications
like Cisco, Checkpoint and NetScreen (Juniper).
What’s your opinion on this? Am I wasting my time with the CISSP?
-- Andy
Answer:
Andy,
Well, let me start out by saying that’s a very loaded question!
But one that a lot of people ask! I would say that first and foremost you need
to look at the different certifications and compare them to what you’re
doing specifically at work (and more importantly, what you want to be doing
at work!).
The CISSP is most certainly not a “worthless” certification, but
it may not be the best choice for everyone. As seen on ISC2’s Web
site, there are experience qualifications as well as an exam necessary to
earn the CISSP certification. You also mentioned that you do security work,
but that by itself is a large area. It’s sort of like saying “I
work on computers.” Which part?
The CISSP covers ten “domains” of security knowledge. This involves
everything from the business “thought process” to physical security
to the theory related to implementing any specific technology. It’s not
a highly technical certification, but it’s not meant to be one.
Cisco, Checkpoint, Juniper and others all have certifications closely tied
to their specific implementations and equipment programming concepts. Which
is better? Whichever one pays you the best or has you doing what you want to
do!
If your main focus is security design and policy implementation, then the CISSP
is good. If your main focus is deploying a Cisco PIX firewall under requirements
given by someone else’s design, then it’s not the best choice for
you.
CISSP has been called a “management” certification, which is true
in a sense but not necessarily a bad thing. It’s one thing to deploy a
firewall given certain criteria; it’s another thing to be able to create
those rules and design network security with business drivers and users’
and management’s buy-in at the same time.
On a side, but related, note not meant to lean you one way or the other: in
typical business settings, you’ll notice that management tends to get
paid more than most people who implement things! There are reasons for this.
Most of it has to do with that whole trees/forest argument.
As I personally have many technical certifications and the CISSP under my
belt, let me give you my perspective on things, based on personal experience.
When I originally took and passed the CISSP, I did it simply to satisfy an argument
that I was having with someone. That’s really not the best reason to go
get a certification, but it works!
In any case, I’ve often experienced the business side of things alongside
the technical side, so the CISSP wasn’t such a big deal. Still, I was
surprised by the breadth of information covered on the exam, and it forced me
to think about some things that I hadn’t thought of. It was most definitely
not a technical exam in the sense that most vendors’ exams are.
So, now, how do I utilize my CISSP certification? As a marketing tool. In my
consulting, I mostly rely on my experience and my technical certifications to
sell my expertise. But in many security-related engagements, the thing that
has really “sold” my abilities was the addition of the CISSP. From
a managerial perspective, anyone can configure a firewall or VPN setup. Not
everyone can assess the impact of a solution on the existing business or users,
or come up with other things to think about like assessing physical security
and discussing firewall rule designs.
Getting back to your original question and my original answer, it depends on
what you are doing now and what you want to be doing. Depending on your organization’s
structure (Is your specific role independent or team-oriented?), you may find
the CISSP certification to be invaluable in setting yourself apart from other
technical folks. It may also increase your standing with clients you have in
that it can help give you a better appreciation for what they are doing business-wise
and allow them to see that you can better present that knowledge.
Like any certification, though, it depends on what you do with it after obtaining
it that represents the actual value! Remember that you have to demonstrate three
years of actual security-related experience along with passing the 6-hour exam
to obtain the CISSP. So unlike many vendor certifications, not “just anyone”
can go out and get this!
Ask yourself what you would like to be doing and assess your own job and organization
situation to see if it will do you any good. In general, it’s a very good
thing to have on your path to being a “trusted advisor” to your
clients rather than just a consultant who can put a firewall together.
Scott Morris, quadruple CCIE, JNCIE and all-around uber-geek, can often be seen
traveling around the world consulting and delivering CCIE training. He recently
accepted a new Senior CCIE Instructor position with Internetwork Expert! For more
information on him check out http://www.uber-geek.net
or for CCIE training check out http://www.internetworkexpert.com.
You can contact Scott via editor@tcpmag.com.
Current TCPmag.com user comments for "The Value of the CISSP"
5/1/06 - editor@tcpmag.com says:
I thought this article was useful just from the sheer identifying with another aspect. I too had to choose whether to go on to get a master's degree or go for the CISSP first. I knew I wanted a CISSP when I wrote a thesis in 1996 about how security policies are developed in the computer industry, interviewing two authors from the NCSA, who at the time told me there were only 1,500 CISSPs worldwide then. So, the question became how do I increase my income as a trainer of tech support staff, etc. when I discovered I was expecting and could only work part time. I passed the MCSE at home with my infant daughter, got my master's, and then decided to try to pass the CISSP. It is by far the hardest thing I ever sat for or attempted to date. I have to retake the exam, and hopefully get on a good study plan for it now. So my current problem again is do I go for the Ph.D. offered online now through Nova Southeastern Univ. or get my CISSP first. I'm actually leaning toward the CISSP, thinking that it would give me more value sooner than the three-year degree, of course. However, I don't want to fail the CISSP again and hope that I've got the right study materials this time around. Any suggestions would help! Thanks so much for your valuable input, pardon the pun.
With Best Regards,
Kath Nolin, MCSE, M.Ed.
Faculty, Technology Dept. at Quincy College, MA