CISSP Certification

As a CISSP and involved in training others to gain the CISSP certification, I was interested in the article blogged by Dave Shackleford "Your CISSP is Worthless - So Now What?" http://www.infosecisland.com/blogview/22257-Your-CISSP-is-Worthless-So-Now-What.html

The article made some points that I would agree with about the CISSP certification and the following comments after the article are worth reading as they show there is a broad range of views over the CISSP and certification in general.

For a full discussion on the CISSP, the full ecosystem of InfoSec certifications need to be considered from the foundation to the highest level, if any profession is to be considered professional it needs some level of certification above which holders are considered to be attained sufficient status to be considered professional. There also needs to be a path in place to help those wishing to work in the profession to gain the necessary knowledge and experience. Additionally there is also a need for a body to be in place to ensure that certifications is of sufficient stringent standard.

An example of a well regulated body is the medical profession where the level required to practise is in most countries is backed by legal regulation. Even with this profession there can be problems in moving from on regulatory authority area to another. It is very unlikely that InfoSec field like other "engineering" areas would reach this status, however other fields such as accountancy can be a model for the profession with the introduction of chartered status and a body to award this status.

For many InfoSec there are areas of the CISSP that appear to be unnecessary, however I have that some area that I thought should not be in the CISSP have been useful to me. I have had to work with Estates and Facilities departments on providing a secure environment and knowledge from the physical (environment) security domain has been useful, it would of possible been knowledge I could of picked on the job, but I would of struggled to ask the right questions early on when dealing with estates and facilities and as we all know it is easier to design security in during the requirements capture than afterwards.

I have always considered the (ISC)2 and the ISACA certifications to be good general management and auditor certifications, the SANS, even through I don't have any yet and I wish I could find a way of getting someone to pay for a couple of them, are very good technical certifications that are on par with CISSP, CISM and CISA although they demonstrate a high level of knowledge of a specific area compared to the less technical and more general domains of knowledge of the (ISC)2 and the ISACA certifications. I have meet those with SANS and CISSP who I can't believe they ever passed the certifications but there are those who can pass a certification but can not translate that into skills that can be used in the workplace.

Any fix to InfoSec certifications needs to be taken across all the certifications and needs to be done in a way that HR and other areas understand the level of achievement that a holder has achieved.

I will be posting more of my views on this in the coming few weeks.