The CISSP is still going strong and remains a de facto starting point for most hiring managers in information security.   The level of difficulty of the exam is likely slowing the rate of dilution.

Update 1/05/11

The Employment Value of Multiple Certifications, by BankInfoSecurity.com.

Check out this no B.S. employer perspective on hiring certified job candidates: “Interested in CISSP, SSCP, CISA, and PMP certification holders. (N.B., this is largely a courtesy to our clients; we do not expect that certification will make you an expert and neither should you.)”

Original Post, 10/23/09:

Life Cycle

Let’s consider the life cycle of a professional certification (at least in the IT field):

1- The sponsoring organization wants to market the certification and promote it so more and more people obtain it. This means an initial grandfathering process whereby the organization sponsoring the cert. can get (presumably) experienced and prominent practitioners to get the certification and give it some credibility.

2- The difficulty of the exams and requirements are slowly improved. This allows more for swift early adoption and then a quality check on the way to achieving critical mass, slowing the momentum so the certificate doesn’t peak too early. If a certification achieves instant and widespread fame, it will be considered cheap and watered down.

3- As the inevitable dilution of the certification’s value occurs, due to the number of barely qualified individuals holding it, organizations begin creating specializations or advanced classes of their general certification, to create a “new” certification that can start over with the certification life cycle.

4- As yesterday’s preeminent and prestigious certification becomes today’s standard, the uniqueness of those gaining the credential becomes lessened.  Applying familiar bell curves to the population of skilled workers (10/80/10 or 20/60/20) the best and the average are all able to pass the test.  If in fact, even some of the lesser skilled professionals can pass the test, the certifying organizations may have a cash cow but will be short lived because the certification will do little for hiring managers in discerning IT talent.  Therefore, a test-based certification loses its ability over time to differentiate skills in the workforce, as more and more of the lesser skilled attain the certification.

5- Eventually, the certification becomes so unhelpful as an indicator of specialized skills, that the industry, which once benefited by its sifting effect of the pool of job applicants, no longer rely on it and stop asking for it altogether.

It would seem to me that the CISSP is somewhere in between #3 and #4 in the above life cycle.

Rote Memorization vs. Practical Skills

Like most certifications, the CISSP includes required sponsorship and minimum work experience. Presumably this is to help prevent just anyone from walking in off the street and passing the exam, further diluting the value of the credential.  This practice doesn’t seem to be able to prevent the eventual dilution of the certification by mass distribution among those with minimal skills, although it probably slows the process.

The certifications that require practical performance are harder to pass, and therefore retain their prestige in the marketplace. One of the best examples of this is probably Cisco’s  CCIE certification, which requires the test taker to actually troubleshoot and repair a broken or mis-configured network. The test is notorious.  Cisco claims the lifetime pass rate of the CCIE is 26%, much lower than the California bar exam.

Another notoriously difficult certification to achieve is the GIAC Security Expert (GSE), offered by SANS. There are only 30 of them in the world, as of Sept. 30, 2010.  The best thing about the GSE is that it is so difficult and expensive to obtain, (two years and ~ $15,000) the risk of it becoming a watered down laughing-stock in the IT Security industry is virtually nil.  The down side is that it is still so obscure, and probably will remain so because of cost barriers, it isn’t going to score many points in the hiring process until late- round interviews, when you meet with the security gurus.

The most challenging aspect of these practical skills-based certifications is the actual performance of what you learn. You are literally dropped off in a real IT environment for a couple days and you can’t come out until all is well. Good Luck!

Money Talks, Posers Walk

There is a double-edged sword to how hard to make your certification, and I suspect it boils down to money.  Here is the Hobson’s Choice to make if you are a certification authority introducing a new certification:

1. Skills: The certification needs to be hard and thorough enough to demonstrate competency.
2. Price/Cost: The certification must be priced to generate enough revenue to pay for the overhead required to create it, test for it and offer member services, while yielding a profit. However, it can’t be priced so high that cost becomes a bar to many people.
3. Credibility: The certification must be earned by enough people that it gains a foothold in the marketplace and becomes a de facto measuring stick of the profession, or at least holds enough weight in industry that it becomes sought after by hiring managers.

This then becomes the dilemma: You can have any two of the three qualities above, but not all three. If you shoot for all three, your certification will be a one hit wonder that will become a fossilized certificate found between the strata of the IT archaeological record.  Just like my Novell Netware 5 CNE.

(I purposely ignored the distinction between vendor neutral and vendor product-based certifications. It doesn’t seem relevant to the overriding issue of certification dilution. I understand that a CNE is worthless today b/c the Netware platform did not survive the Microsoft/Novell war, and because of release obsolescence.)

Here is an author who isn’t quite so “down” on the CISSP.

Here is a typical complaint regarding the CISSP.   Interestingly, the author advocates professional licensing of information security professionals. He does not consider the fact that he would then have to triple his salary requirements in order to get malpractice insurance.  The threat of litigation against professional misconduct is the single greatest force driving the exorbitant prices charged by licensed professionals (lawyers and doctors) who work under threat of tort litigation. (I’m not intending to get into a debate over tort reform here.)

The argument to professionally license security experts is analogous to the old argument running back into the 90′s to license software developers, at least those that write code in life support and critical systems, (airline traffic control, space exploration, medical devices, etc.)  I remember vigorous debates on this topic in Dr. Dobbs Journal.

In summary, if you are seeking employment in, or a job transfer within the information security field, the CISSP is still a de facto requirement in many job descriptions.  You’ll need the certificate to get past the HR threshold criteria. But don’t expect any security managers to think you are any better than their worst security employee, who probably also holds a CISSP.

Notes taken during presentations made at the 2011 Advanced E-Discovery Institute, held at the Ritz Carlton hotel, Washington D.C., November 17-18 2011.

http://www.vizworld.com/2010/09/gpuassisted-malware/

Discovered: http://www.theregister.co.uk/2009/03/24/persistent_bios_rootkits/

Case Law Update

International E-Discovery

RULE 502: Inadvertent Waiver

Proportionality: Is It Real or a Paper Tiger?  Kevin F. Brady, Conor R. Crowley, Joseph P. Guglielmo, Hon. Andrew J. Peck, Hon. Joseph R. Slights, III.

Sedona Conference published in October, 2010, the Principles of Proportionality.

The Business of E-Discovery

Major themes and lessons learned in the session: 1- The “problems” of disappointing IT solutions for E-discovery is no different than the general pitfalls of IT providing solutions for general business problems. Good old-fashioned IT project management, requirements gathering, and integration of business process (in this case, legal processes) expertise in the delivery of technology.   2- Legal now has a place at the table in the GRC and information governance. Chief Compliance Officers are now able to have budgets dedicated to managing the information risks of their organizations.

Not Just EU Privacy: A Global View on International E-Discovery

Early Evidence Assessment & Strategies for Search, Retrieval & Review (Early Case Assessment)

2010: A Sanctions Odyssey

Craig Ball, Database Discovery.

Cloud Computing; Dan Regard, Tanya Forsheit, Hon. Francis Allegra, Theresa Beaumont

I have no qualms about this approach whatsoever. The challenge is getting the two sides to even have the conversation. Most likely, the conversation would originate during the a company’s vendor (third-party) assessment process. This is the most frequent interaction between in-house counsel and information security or other risk assessors. The contractual relationship is often hammered out simultaneously with the IT controls assessment.

Another opportune time to have the conversation is during a corporate risk committee or IT governance steering committee meeting. These meetings take on a variety of shapes, names and participants, but whatever the risk management authority looks like, it should incorporate discussions on emerging topics such as cloud computing.

A third opportunity to have such discussions would be to invite legal to participate in the development of a cloud computing security policy,  a part of a firm’s overall information security policy framework.