[unhinged_wanker]

This guy is flat-out wrong. He bags on the CISSP - thats a friggin management cert, not a technical cert. Like bitching the CEH doesn't go hard into Opex/Capex.

Meanwhile on planet earth "draw up an inter-agency security agreement compliant with all local jurisdictional laws and industry regs" is also infosec and command line kung-fu will do fuck all to help you get it done.

This guy just drinks "unicorn" piss - he didn't get "trained", he's just so darn smart and hardworking and special. I bet his business card says "lead ninja" or some other IT fuckboy bullshit.

[coverband]

Exactly... CISSP shows that you have an understanding of risk, numerous compliance requirements, and how much basic housekeeping activities like asset inventory management or having proper data classification/access controls help in maintaining security. The title of "Information Systems Security Professional" suggests that you're knowledgeable enough to speak intelligently in all of the ten domains, but your everyday job might be in a single relatively non-technical domain, like "Business Continuity and Disaster Recovery Planning".

I wouldn't expect anyone with a CISSP to be an expert in "tech ninja" stuff, but he should be able to assess whether overall security is better served by investing in the "ninja work" or, for example, additional phishing training for employees, at a given point in time. This is certainly not a deficiency in CISSP, and I don't think anyone with enough experience in the infosec industry would have such an expectation.

[tptacek]

I've been in the industry since 1995. I've worked for Fortune 500 companies. What's the experience I'm missing to appreciate the CISSP? Because from where I stand, it seems mostly like a scam to me.

[coverband]

Then by definition you don't have any expectations for "a CISSP to be an expert in 'tech ninja' stuff", as I was saying... ;-) I'll agree with you that, to an extent, all certifications are a scam, especially those with artificially high sit-down fees. My point is that, CISSP does not claim to be a gauge for whether you are a crypto expert, just that you should know the difference between basic types of encryption and when it makes sense to encrypt your company's data, so that an accountant in one of those Fortune 500 companies you mentioned doesn't make a costly mistake. In short, it's not about "how to trigger an RCE", but, if you're in an Ops role, about "how can I ensure my users are patched without delay, so that I can minimize the impact of an RCE". Does that make sense?

[tptacek]

Roles I've held:

* ISP network security engineering

* Network penetration tester

* Software developer for network security products

* Application security assessor

* (Most recently) Security team lead

I've had these roles for small companies and for very large ones.

What experience am I missing that would lead me to change my mind about the CISSP? I don't think attempting to pigeonhole me as a "crypto expert" is going to persuade me, because that's not the span of my professional experience.

[intern4tional]

That's an impressive resume of roles, but security is more than just those areas.

I think the grandparent is trying to say that the CISSP is largely for non-technical security roles. People that manage large security organizations are generally believed to be the ones that benefit from the CISSP as they are not interested in the details and more on a 1000 foot strategic view.

Without knowing more details about the your specific expertise, I would say you probably haven't been in a role that would benefit from the CISSP by just looking at your list. If you've been the CISO for a large company with 400+ people reporting to you doing IS work, having a CISSP should at least help you prioritize the work that needs to be done. Likewise for many companies that have non-technical management in security organizations, a CISSP helps provide some background for them.

[spydum]

Have you actually looked at the CISSP material recently?

It's a hodge-podge of everything under the sun. The only thing it's able to prove is that

a) you have endurance and spare time to sit for a 4-6 hour multiple choice test

b) you can commit to rote memory a bunch of meaningless material which you are unlikely to encounter in real security/risk management role

It truly is the worst of the bunch, but for reasons yet explained, it's the defacto "must have" by bigCorps - which is why it gets picked on by so many folks: everyone knows it's bad, yet most people end up picking it up.

[tptacek]

In 10+ years consulting for Fortune 100 companies, zero is the number I have seen with 400+ security staff. A 50 person security team is enormous even by the standards of financial services.

[bitexploder]

Yeah, but let's be realistic. There are very few technologists who are passionate about computing that would really enjoy compliance roles. Infosec is a huge banner and I am going to assume most hackers here are on the technical side. Also no cert can possibly prepare you for negotiating corporate IT security policy.

But even for us (a high end infosec consulting firm) knowing how to relay findings and risk concepts to executives can mean the difference in our work getting implemented, transforming an organization from average to above average in terms of how they approach information security.

Anyway, don't be such a cynic, we just run out of air when we get to the upper reaches of technology expertise so it makes is dumb :P