[coverband]

Exactly... CISSP shows that you have an understanding of risk, numerous compliance requirements, and how much basic housekeeping activities like asset inventory management or having proper data classification/access controls help in maintaining security. The title of "Information Systems Security Professional" suggests that you're knowledgeable enough to speak intelligently in all of the ten domains, but your everyday job might be in a single relatively non-technical domain, like "Business Continuity and Disaster Recovery Planning".

I wouldn't expect anyone with a CISSP to be an expert in "tech ninja" stuff, but he should be able to assess whether overall security is better served by investing in the "ninja work" or, for example, additional phishing training for employees, at a given point in time. This is certainly not a deficiency in CISSP, and I don't think anyone with enough experience in the infosec industry would have such an expectation.

[tptacek]

I've been in the industry since 1995. I've worked for Fortune 500 companies. What's the experience I'm missing to appreciate the CISSP? Because from where I stand, it seems mostly like a scam to me.

[coverband]

Then by definition you don't have any expectations for "a CISSP to be an expert in 'tech ninja' stuff", as I was saying... ;-) I'll agree with you that, to an extent, all certifications are a scam, especially those with artificially high sit-down fees. My point is that, CISSP does not claim to be a gauge for whether you are a crypto expert, just that you should know the difference between basic types of encryption and when it makes sense to encrypt your company's data, so that an accountant in one of those Fortune 500 companies you mentioned doesn't make a costly mistake. In short, it's not about "how to trigger an RCE", but, if you're in an Ops role, about "how can I ensure my users are patched without delay, so that I can minimize the impact of an RCE". Does that make sense?

[tptacek]

Roles I've held:

* ISP network security engineering

* Network penetration tester

* Software developer for network security products

* Application security assessor

* (Most recently) Security team lead

I've had these roles for small companies and for very large ones.

What experience am I missing that would lead me to change my mind about the CISSP? I don't think attempting to pigeonhole me as a "crypto expert" is going to persuade me, because that's not the span of my professional experience.

[intern4tional]

That's an impressive resume of roles, but security is more than just those areas.

I think the grandparent is trying to say that the CISSP is largely for non-technical security roles. People that manage large security organizations are generally believed to be the ones that benefit from the CISSP as they are not interested in the details and more on a 1000 foot strategic view.

Without knowing more details about the your specific expertise, I would say you probably haven't been in a role that would benefit from the CISSP by just looking at your list. If you've been the CISO for a large company with 400+ people reporting to you doing IS work, having a CISSP should at least help you prioritize the work that needs to be done. Likewise for many companies that have non-technical management in security organizations, a CISSP helps provide some background for them.

[spydum]

Have you actually looked at the CISSP material recently?

It's a hodge-podge of everything under the sun. The only thing it's able to prove is that

a) you have endurance and spare time to sit for a 4-6 hour multiple choice test

b) you can commit to rote memory a bunch of meaningless material which you are unlikely to encounter in real security/risk management role

It truly is the worst of the bunch, but for reasons yet explained, it's the defacto "must have" by bigCorps - which is why it gets picked on by so many folks: everyone knows it's bad, yet most people end up picking it up.

[intern4tional]

I haven't looked at it in years, but that hodge-podge of material was more than enough to provide an executive with the basics that they needed to know to manage an IS organization which IMO is the goal of the certificate. As others have mentioned, it is a management cert, not one for normal use.

There are plenty of worse certificates out there - I would argue that the CEH is probably the worst one at the moment (although they are making some changes to improve)

[tptacek]

In 10+ years consulting for Fortune 100 companies, zero is the number I have seen with 400+ security staff. A 50 person security team is enormous even by the standards of financial services.

[intern4tional]

Well then your exposure is limited. Boeing's corporate information security organization has around that number, as do several of the other major defense contractors.