
Do you still value your CISSP?

In the last year, I've had a number of friends not renew their CISSP certification. At RSA, I got one of those badge flags saying "ISC2 Member". More than a few people asked "How did you get that?" Then, before I could answer, they would retort in a disgruntled tone, "Oh, you must have put your CISSP number in at registration. The CISSP doesn't matter anymore anyway." Shrugging my shoulders: well, OK, thanks for your kind words, I guess?

The CISSP doesn't matter anymore.

I hear this comment a lot. Where does this idea originate? Personally, I think it stems from the CPE process and requirements. Those who value the certificate will put in the work to obtain and record the CPEs. Those who don't probably don't care much about the certificate anyway. They were probably "incentived" by their employer to go take the test. While they may have seen value in it at one time, the motive wasn't personally driven. I remember attending college right out of high school. I found school boring, but always noticed how the 30-somethings in class really enjoyed it. They were there to learn, to fill that personal drive. I, on the other hand, just wanted to get this part of life over with.

CPEs for Free

When I obtained the CISSP, I made a personal goal. I shall obtain all CPEs each cycle for free. That means no mega payments for online webinars and classes. It also means that I haven't joined any associations requiring yearly dues. So just how have I obtained CPEs for free? Here are some ideas:

  • Submit ideas for speaking engagements. I attended RSA 2007 for free as a speaker and was proud to both be an attendee learning and an active contributor.
  • Get a paper published. I did and it meant I also got to tick off a personal life goal.
  • Read books.
  • Vendor presentations. Almost all of the SANS WebCasts qualify.
  • Seek out associations without membership dues. I'm an Infragard member.
  • Volunteer. Offer to provide a free seminar at your local chamber of commerce regarding PCI (http://www.ncircle.com/index.php?s=solution_pci-compliance).

I believe the CPE process to be a self-weeding mechanism. Those who value and desire the certification will continue. Those who don't can happily exit. There will be no shame and no throwing of stones. I respect your choice, but next year at RSA when you see my ISC2 flag, please don't turn the topic to one of belittling my achievements.


Comments (25)

Great article!

There's nothing I hate more than people using snide remarks to shoot down your achievements. My opinion on this is:

"You don't like the time I spent putting into my personal development...well good for you but I didn't do it for your approval, nor did I ask for your permission to better myself."

"GRRRR.......Hulk get mad....Hulk SMASH!"

X:

I likely won't renew because the process is total bollocks. It's driven not by self improvement, but revenue to ISC2.

I spent 400+ hours over the last 8 months doing original research, developing attacks against and best practices for a major security technology.

I distilled my results to a one hour presentation, a white paper and a tool.

Completely ignoring the research behind it, it took me well over ten hours to put together a quality one hour presentation. How many credits do I get for the presentation? Four. Less than for subscribing to some crap magazine that is 90% product reviews and throwing it out without reading it. Equal to wasting half a day on webcasts of completely useless vendor advertising.

The white paper is worth 10, but took on the order of 30 hours to write, edit and get reviewed.

The tool? It's worth zero CPEs.

Robert Marshall:

After 20 years doing application development, database administration and network analysis I heard about ISC2 and decided to attend a three week local school district CISSP review and get certified. I wanted some formal token of the knowledge I had accumulated. On March 10 I will test and hopefully I will be able to wear the initials attesting to the work I have performed. It matters to me.
As far as CPE, there are many ways to develop professionally. I would think it's not so much a matter of measuring how much you develop professionally rather that you have a broad effort to keep up. But that is a matter for later for me.

X:

I don't denigrate the cert, but man, the CPE process just burns me up. Wait and see, Robert, once you get yours.

If CPEs are really about keeping current and learning new technologies, what possible reason can there be for limiting credit for reading technical books to ONE per year? I probably read at least 10 a year; not to say that I should be able to fulfill the whole thing with just reading, but ONE book a year?

Oh, and magazines: you can count one per year, and have three to choose from. IEEE Security & Privacy, the only good security focused magazine around? Nope. Communications of the ACM? Nope. Queue? Nope. Only the ones that give kickbacks to (ISC)2.

Why no credit for publishing tools or vulnerabilities? Working such things out oneself is the best way to learn.

No credit for running a security blog, either!

The requirements are carefully constructed such that there is the appearance of reasonableness in obtaining CPEs not directly tied to an (ISC)2 revenue stream, and yet when you add it up, it is almost impossible to obtain enough of them.

How close are you to your renewal, Andrew, and how many do you have? Are you on track to actually make it?

I'd be happy to even pay higher renewal dues, but I absolutely won't WASTE MY VALUABLE TIME on barely disguised adverti-casts and third rate conferences full of CPE-hungry CISSPs offering warmed-over summaries of others' work, just to provide a revenue stream for the certification racket.

tim:

It all depends what you mean by "value"?

The CISSP has become, for better or for worse, a de facto requirement for most information security focused positions. If it wasn't for that single point - I wouldn't have the CISSP certification. This is for a simple reason: it only tests your ability to memorize definitions and pass a test. It doesn't test or validate experience. This allows everyone and their dog to get a CISSP. I run into more and more holders of this cert (especially project managers) that aren't security professionals or -do not- get information security in any meaningful way. This dilutes the certification and naturally leads to a disdain from people that have been in the field a while.

But this isn't anything new - paper NetWare systems engineers and MCSEs have been a problem since the beginning. You weed them out through a thorough interview process.

So back to the value question - if it helps you to get a new position or helps you grow via the CPE process - then it has value. If you went in and passed the test - congratulations you've added another tool to remain competitive in the market.

Great comments all. Thanks for the input.

Let's face it, under the ISC2 guidelines, obtaining CPEs is not easy. They are even harder to get without forking out lots of bucks. The argument that the CPE guidelines traffic money to ISC2 is something many people have been arguing about for a while. It's obvious to some degree that ISC2 is in it for the money. Those CBT courses offered by ISC2 cost way too much money. I also absolutely agree that one book and one magazine a year is ridiculous.

I'm glad to see that we haven't reached into the age-old (perhaps boring) argument of certification versus experience. Tim - you are correct, to get hired as a security professional these days, you need a CISSP. My rule is if I hire you without a CISSP, then you darn well better get one within 6 months. Not so much to prove you know the material (or in some cases can memorize), but that you are committed to your own self-worth. When you ask about value, that's what I mean. Do you personally still feel proud that you fulfilled the requirements, passed the test and have maintained the CPEs necessary to keep the CISSP designation?

As for my own CPEs, I'm mostly on track. My 3 year anniversary is March 2008 and I have 23 more credits to obtain. I'm thinking I can make it.

erwin:

Andrew,

Good article!

My problem is with the (ISC)2 organization itself. I have no problems fulfilling the CPEs, but when I ask (ISC)2 a question, I get
a) no response,
b) a response "Check the website." but it is not there, otherwise I didn't have to ask you,
c) a response "We do not understand your question".
That is the reason I am not renewing my cert when it expires. I do not have a lot of confidence in the organization upholding it.

Next to that, I think it is extremely silly for a security organization to use expired PGP keys.

just my 2c.

Mike:

I am always interested in engaging the merchant community (Chamber of Commerce) about PCI. If you have any contacts that would like a free seminar please let me know.

Jerry:

I found the CISSP valuable in getting interviews that I might not have gotten otherwise. But like others, I hate the CPE process. If I don't have the opportunity or money to funnel into classes to make my CPE requirement, I spend a lot more of my personal time trying to get them without putting in ridiculous amounts of money. I would be as offended by comments that hint that perhaps I am not interested in improving myself as you are by comments that you feel belittle your achievement. I read security blogs, have RSS feeds from over a dozen security sources, read electronic newsletters and also multiple books to improve myself in my chosen field, very few of which will get me CPE credit, not because I don't improve myself and stay current, but because (ISC)2 doesn't profit from it. On top of that, I am teaching myself Linux and adding Linux and Unix security to my background and resume. What credit do I receive from (ISC)2 for my work and self-improvement? Fuhgettaboutit! One book, one magazine and just a few hours credit for assisting a study group at a technical college prepare for the exam.
I will be happy to congratulate you on your achievement, and the fact that I passed the test will remain on my resume since I also passed the exam, but I won't be pouring money or excessive amounts of time in retaining the cert since I consider it a ploy to support (ISC)2.

tim:

re: CPE credits

While I have similar concerns about isc2 - I have a hard time buying the "CPE credits are hard" argument. Being part of your local security associations and actually attending them is one good way to bump up the CPE credits (such as InfraGard or ISSA). Attending 4 quarterly InfraGard meetings (4 hours - at least in my district) gets you 48 CPEs over 3 years. Reading a book and subscribing to a magazine every year gets you 30 CPEs. That leaves 42 CPEs left over a 3 year period. Trade shows, seminars, teaching a class, and even just taking in a vendor presentation gets you there.

And none of the above puts any additional coin in ISC2 pockets (outside the early dues).

X:

Clowns. (ISC)2 are clowns. Just submitted a whole buncha CPEs. I forgot that only one book a year is eligible. I submitted six. Even though the submissions are typed, and even though you have to wait two days (presumably to get them human approved) they have all just been accepted and posted to my account. Stupid clowns can't even verify application input against a trivial set of business rules.

Yet another reason not to renew.

Let me take it a step further:

If you don't automatically end up with WAY more CPEs than are needed, you probably shouldn't be in the field.

Dude, you get CPEs for reading books. For writing articles (even little stuff). You get CPEs for vendor presentations. You get CPEs for Webinars.

Seriously, if someone can't stack up enough of these over 3 years, it's because they have a complete lack of interest in the field.

I think maybe you don't need a CISSP if CPEs are winding you up that much. I obtained over 150 CPEs in my first year of CISSP without any extra financial outlay except ISC fees, which are minimal.
You don't have to sit the exam again, just stay current with the industry. I'm afraid that does mean reading books, attending shows, watching webcasts, etc. The more you read, the more you learn, the more points you get. That's the idea.
If you're developing tools and putting together documents, great, but maybe you are a little too technical for the CISSP, and much as the security guys need the engineers, the engineers probably don't need the security qualifications.
CISSP is more about security management, not engineering. If you can do both, hats off, and it sounds like you've more than proved yourself. Personally the CISSP has helped me move from engineering to board level in little over 2 years. Worth its weight in gold.
If you choose to do one, respect to your chosen field. But 2 things wind me up, people without CISSPs who disrespect those of us with one, and people with CISSPs who talk down to those who don't.
Don't let this forum turn into an excuse for both please.

"I found school boring, but always noticed how the 30+ something's in class really enjoyed it. They were there to learn, to fill that personal drive. I, on the other hand, just wanted to get this part of life over with."

Amen. An astute and insightful observation. Doesn't every 30+ wish they could go back, as they are now, to do the kind of job they really could have done in their 20s?

As for your thoughts on the CISSP; honestly, I have been working in IT security niche now for a number of years, primarily in the IDAM, DRMS & AppDev space, and the only CISSPs I encounter are those worried about compliance check lists getting checkmarked and schedule audits getting recorded. Paper pushing jobs all-in-all. Zzz

Perhaps it's due to nature of the job requiring such a broad scope of knowledge; I dunno, but pushing paper is a bore to me.

Anyway, enjoyed your time on the soap box. GL

Roy:

The CISSP is a de facto standard these days to get a security job. Problem is that I have met 4 people in my career that have had their CISSP. They were easily four of the most unqualified people to work in security positions. That is the problem with the cert, too many people are getting it that are pretty much idiots to the security field. It's like the MCSE and CNE. Getting the cert helps you get a new job but does not prove that you know anything.

Anonymous:

I busted my tail studying for this exam cramming 2 1000+ page books into 2 weeks (taking time off work) prior to a 1 week "boot camp" class provided by work. I got the certification and though I don't think a "label" says anything about experience, I suppose I am proud of my accomplishment.

But as for the CPEs, I agree ISC2 needs to get off their ego trip and look at we "normal" people. I have a mortgage, family, bills, etc. I don't have $115 for ISSA dues, or InfraGard, etc, etc. Fortunately work will reimburse me for the CISSP dues. Are there free ways to earn CPEs...of course, reading is a BIG one.

I too learn from reading. I read white papers, I read articles, I read books. In fact reading is the best way to learn new things. So why limit it so much?

Why have so many possible credits from writing a book, article, training materials, etc. How is that learning new things? That's regurgitating what you already know, not learning new!!!

As for attending conferences or security association meetings, you'll find out a lot about what people are doing...but very little on new technologies. And what you do learn about new technologies will be in the form of sales pitches and junk mail.

I do think CPEs are a good idea and 120 may be fair, I don't know...I haven't earned any yet. Plus now with the new requirement of at least 20/year, it still seems do-able. I merely think ISC2 needs to consider whether they want CISSPs to learn new stuff, or expand the discipline. Currently, they seem focused on expanding the discipline. Good for the discipline...bad for CISSPs.

Vish:

I renewed last year by completing 120 credits all by reading a couple of books, magazines, mostly podcasts and mostly online presentation sites like searchsecurity.com etc. You can find a lot of sites. isc2 also has some site of its own.

I didn't spend a penny.

CISSP is useful for self development and if you plan on shifting jobs, this is definitely a plus if not a requirement if you are in the security field.

LX:

CISSP..what a waste of time. Nothing to prove. Completely useless.

Most cissp's use it as a badge of honor. The test was trivial at least for me. But I don't respect it as much as this author. And it is unfortunate that the cissp has achieved this relative weight for being a job requirement.

I find that having it is most useful to simply shut up other cissp's. It simply ends the discussion. "Yes, we both have it now let's discuss the security situation..."

More unfortunate is the side effect of so much security the last 8 years is that people from other walks of life have piled in and CISSP immediately qualifies them to work in the security field without any technical appreciation. They become mostly preachers.

In particular, many companies that sell security products use F.U.D. to get it done. Likewise many internal security depts. use the same method to promote whatever they feel is the buzz of the day.

It's all become quite a show. And personally I don't respect the industry because it's lost its direction. Yep, the author here is certainly proud of himself, but is he proud of the industry? I expect so, but meanwhile, he also has a product to sell.

Instead of the CISSP, it doesn't cut it. I would focus on this guy's list. If you are competent in these areas, you should have a place in the security field.

top 10 list

http://it.toolbox.com/blogs/managing-infosec/top-10-information-security-skills-10317

Next:

More unfortunate is the side effect of so much security the last 8 years is that people from other walks of life have piled in and CISSP immediately qualifies them to work in the security field without any technical appreciation. They become mostly preachers.-LX

This is why I love IT and dislike 'business' ppl involved in IT. First, CISSP is just added talk; it has no hands-on skills, which is what IT is about. We can sit down and talk with ppl as much as we want. Talk won't be able to do anything. Certs like RHCSS for security are of more value. Why not get a pencil noob CISSP guy of X amount of experience to do it. Talk is cheap! Either you can or can't.

Emile:

"Then before I could answer they would retort in a disgruntled tone "Oh you must have put your CISSP number in at registration. The CISSP doesn't matter anymore anyway". Shrugging shoulders; Well, OK, thanks for your kind words, I guess?"

I can see your point. The person's snarky remark was just plain wrong. But, I can feel the offender's irritation. In college, I had a 4.0 average. I didn't attend the graduation, where I would have to wear a sash for the phi beta crappa honor stuff. The mere thought made me want to vomit. I dislike anything to do with posing and "showing off" my knowledge. So I just skipped the graduation.
I probably would not have entered my CISSP number either.
It pains some people to advertise to the world. Speaking for myself, I have absolutely no need whatsoever to manage and maintain my outward image to match my intellect. What you will see as you view me is just some guy.
You are lucky that you feel like including your perceived achievements as part of your personality. Congratulations. How's that workin' for ya?

jerror:

Anytime some type of credential is heavily monetized by the issuing agency it looks bad.

However, I do like the fact that this model is able to shift the focus of professionals as market demands shift; offering more credits for areas in demand etc. is a good way to manage risk on a much much larger scale.

Yes... Anyone can pass a test with enough study. The world of academia will have you believe they impart secret wisdom upon people. People tout credentials like they are something original that makes them better than others. Some will discredit those that achieve because they themselves are too lazy, others will because someone doting over certifications deserves it.

I plan to get my CISSP to keep things simple, and to maintain myself in association with others in the field.

You think the dues and CPE requirements are bad? Well if you're not alone then you should organize and get your concerns heard.

I don't have a problem with the CPE reqs and the ISC revenue model, they give other companies a reason to develop products and materials into a predictable revenue model that can get financial backing. Otherwise there is only the self-authored whitepapers, forums, self-run websites or companies that won't invest a whole lot in the publication or production.

BTW almost every reputable PR person/firm pulls twitter / social feeds on what public opinion is... Being vocal and having some factual or substantial concern to write about will get more results than just saying "this sucks" or other "blah blah blah bashing"

That said, it's way too late for me to continue babbling! :D

gadzilla1:

Very good article. Are your views still the same on the CISSP? I see that the article was posted about 3 years ago.

Bummer on your peers the 'cissp doesn't matter anymore' comments...it's nice to have constructive dialogue following the passive aggressive comments.

have a great day.

Thomas:

Interesting comments, and here I can see people who do not understand what CISSP is all about.
CISSP is not meant to be a technical cert, but managerial. Prior to CISSP I had been working in a technical security area for over 15 years in areas like pen testing and configuring stuff; when I felt like moving into a more managerial and compliance role, I identified CISSP as the best option, and to tell the truth I have no regrets. I think it's unique, and I like the way it's designed. And I found it quite a challenge, since I was thinking like a techie (just like some here). And am proud now to show it off to whoever cares, this really is a good cert. But as human beings, people will always try to look for short cuts, and that's why the lazy characters complain about the CPEs.
I am in my second year of CISSP and I find it quite easy to attain the CPEs without spending a penny. I have something like 90 CPEs already with something like 1.5 years gone, generated from free web casts, reading, security webinars, attending conferences etc.

Now a true story, I met a guy recently at a security conference who I knew had failed CISSP twice (he is a former colleague), and was busy letting everyone know how CISSP is crap and CISSPs know nothing about security; most believed him since he is a well-known penetration tester (has a CEH)!!

Well, very nice opinions all...the question I have is this:

How much money will I get paid, if I get CISSP certified?


Bio

Blog: Sync
Author: Andrew Storms

As nCircle's Director of Security Operations, Andrew Storms is responsible for the definition and enforcement of the company's security compliance programs as well as overseeing day-to-day operations for the Information Technology department.
Andrew's commentary on IT security issues has appeared in CNBC, Forbes and The New York Times, as well as many other publications. He is a Certified Information Systems Security Professional (CISSP) and a member of FBI InfraGard.

About

This page contains a single entry from the blog posted on March 2, 2007 9:56 AM.
