Hacker News new | ask | show | jobs
by tptacek 3359 days ago
Roles I've held:

* ISP network security engineering

* Network penetration tester

* Software developer for network security products

* Application security assessor

* (Most recently) Security team lead

I've had these roles for small companies and for very large ones.

What experience am I missing that would lead me to change my mind about the CISSP? I don't think attempting to pigeonhole me as a "crypto expert" is going to persuade me, because that's not the span of my professional experience.
1 comments
intern4tional 3359 days ago
That's an impressive resume of roles, but security is more than just those areas.

I think the grandparent is trying to say that the CISSP is largely for non-technical security roles. People that manage large security organizations are generally believed to be the ones that benefit from the CISSP as they are not interested in the details and more on a 1000 foot strategic view.

Without knowing more details about the your specific expertise, I would say you probably haven't been in a role that would benefit from the CISSP by just looking at your list. If you've been the CISO for a large company with 400+ people reporting to you doing IS work, having a CISSP should at least help you prioritize the work that needs to be done. Likewise for many companies that have non-technical management in security organizations, a CISSP helps provide some background for them.

link
spydum 3359 days ago
Have you actually looked at the CISSP material recently?

It's a hodge-podge of everything under the sun. The only thing it's able to prove is that

a) you have endurance and spare time to sit for a 4-6 hour multiple choice test

b) you can commit to rote memory a bunch of meaningless material which you are unlikely to encounter in real security/risk management role

It truly is the worst of the bunch, but for reasons yet explained, it's the defacto "must have" by bigCorps - which is why it gets picked on by so many folks: everyone knows it's bad, yet most people end up picking it up.

link
intern4tional 3354 days ago
I haven't looked at it in years, but that hodge-podge of material was more than enough to provide an executive with the basics that they needed to know to manage an IS organization which IMO is the goal of the certificate. As others have mentioned, it is a management cert, not one for normal use.

There are plenty of worse certificates out there - I would argue that the CEH is probably the worst one at the moment (although they are making some changes to improve)

link
tptacek 3359 days ago
In 10+ years consulting for Fortune 100 companies, zero is the number I have seen with 400+ security staff. A 50 person security team is enormous even by the standards of financial services.
link
intern4tional 3354 days ago
Well then your exposure is limited. Boeing's corporate information security organization has around that number, as do several of the other major defense contractors.
link