Update 05/03/12
The CISSP is still going strong and remains a de facto starting point for most hiring managers in information security. The level of difficulty of the exam is likely slowing the rate of dilution.
Update 1/05/11
The Employment Value of Multiple Certifications, by BankInfoSecurity.com.
Check out this no B.S. employer perspective on hiring certified job candidates: “Interested in CISSP, SSCP, CISA, and PMP certification holders. (N.B., this is largely a courtesy to our clients; we do not expect that certification will make you an expert and neither should you.)”
Original Post, 10/23/09:
Life Cycle
Let’s consider the life cycle of a professional certification (at least in the IT field):
1- The sponsoring organization wants to market the certification and promote it so more and more people obtain it. This means an initial grandfathering process whereby the sponsoring organization can get (presumably) experienced and prominent practitioners to hold the certification and give it some credibility.
2- The difficulty of the exams and the requirements is slowly raised. This allows for swift early adoption and then a quality check on the way to achieving critical mass, slowing the momentum so the certification doesn’t peak too early. If a certification achieves instant and widespread fame, it will be considered cheap and watered down.
3- As the inevitable dilution of the certification’s value occurs, due to the number of barely qualified individuals holding it, organizations begin creating specializations or advanced classes of their general certification, to create a “new” certification that can start over with the certification life cycle.
4- As yesterday’s preeminent and prestigious certification becomes today’s standard, the uniqueness of those gaining the credential is diminished. Applying familiar bell curves to the population of skilled workers (10/80/10 or 20/60/20), the best and the average are all able to pass the test. If, in fact, even some of the lesser skilled professionals can pass the test, the certifying organization may have a cash cow, but it will be short lived because the certification will do little for hiring managers in discerning IT talent. Therefore, a test-based certification loses its ability over time to differentiate skills in the workforce, as more and more of the lesser skilled attain it.
5- Eventually, the certification becomes so unhelpful as an indicator of specialized skills that the industry, which once benefited from its sifting effect on the pool of job applicants, no longer relies on it and stops asking for it altogether.
It would seem to me that the CISSP is somewhere in between #3 and #4 in the above life cycle.
Rote Memorization vs. Practical Skills
Like most certifications, the CISSP includes required sponsorship and minimum work experience. Presumably this is to help prevent just anyone from walking in off the street and passing the exam, further diluting the value of the credential. This practice doesn’t seem to be able to prevent the eventual dilution of the certification by mass distribution among those with minimal skills, although it probably slows the process.
The certifications that require practical performance are harder to pass, and therefore retain their prestige in the marketplace. One of the best examples of this is probably Cisco’s CCIE certification, which requires the test taker to actually troubleshoot and repair a broken or misconfigured network. The test is notorious. Cisco claims the lifetime pass rate of the CCIE is 26%, much lower than the California bar exam.
Another notoriously difficult certification to achieve is the GIAC Security Expert (GSE), offered by SANS. There are only 30 of them in the world, as of Sept. 30, 2010. The best thing about the GSE is that it is so difficult and expensive to obtain (two years and ~$15,000) that the risk of it becoming a watered-down laughing-stock in the IT security industry is virtually nil. The downside is that it is still so obscure, and probably will remain so because of cost barriers, that it isn’t going to score many points in the hiring process until late-round interviews, when you meet with the security gurus.
The most challenging aspect of these practical skills-based certifications is the actual performance of what you learn. You are literally dropped off in a real IT environment for a couple days and you can’t come out until all is well. Good Luck!
Money Talks, Posers Walk
There is a double-edged sword to how hard to make your certification, and I suspect it boils down to money. Here is the Hobson’s Choice to make if you are a certification authority introducing a new certification:
- Skills: The certification needs to be hard and thorough enough to demonstrate competency.
- Price/Cost: The certification must be priced to generate enough revenue to pay for the overhead required to create it, test for it and offer member services, while yielding a profit. However, it can’t be priced so high that cost becomes a bar to many people.
- Credibility: The certification must be earned by enough people that it gains a foothold in the marketplace and becomes a de facto measuring stick of the profession, or at least holds enough weight in industry that it becomes sought after by hiring managers.
This then becomes the dilemma: You can have any two of the three qualities above, but not all three. If you shoot for all three, your certification will be a one hit wonder that will become a fossilized certificate found between the strata of the IT archaeological record. Just like my Novell Netware 5 CNE.
(I purposely ignored the distinction between vendor-neutral and vendor product-based certifications. It doesn’t seem relevant to the overriding issue of certification dilution. I understand that a CNE is worthless today because the Netware platform did not survive the Microsoft/Novell war, and because of release obsolescence.)
Here is an author who isn’t quite so “down” on the CISSP.
Here is a typical complaint regarding the CISSP. Interestingly, the author advocates professional licensing of information security professionals. He does not consider the fact that he would then have to triple his salary requirements in order to get malpractice insurance. The threat of litigation against professional misconduct is the single greatest force driving the exorbitant prices charged by licensed professionals (lawyers and doctors) who work under threat of tort litigation. (I’m not intending to get into a debate over tort reform here.)
The argument for professionally licensing security experts is analogous to the old argument, running back into the ’90s, for licensing software developers, at least those who write code for life support and critical systems (air traffic control, space exploration, medical devices, etc.). I remember vigorous debates on this topic in Dr. Dobb’s Journal.
In summary, if you are seeking employment in, or a job transfer within the information security field, the CISSP is still a de facto requirement in many job descriptions. You’ll need the certificate to get past the HR threshold criteria. But don’t expect any security managers to think you are any better than their worst security employee, who probably also holds a CISSP.