Undercover

CISSP Certification Uncertainty

Would I want to belong to a club (ISC2's CISSP certification) that had me as a member? As it turns out, I do.

By Anonymous

I didn't take the seminar, nor did I bother studying. With nearly two decades of experience in information assurance and security, I figured that if I couldn't pass the test cold, then (ISC)2 really was a scam.

I joined another 40 or so people on the day of the test. We were all handed a little notebook with several hundred multiple-choice questions. Some of the questions were "experimental," we were told; that is, they didn't count. If we thought that a question was poorly worded or ambiguous, we should try to answer it as best we could, then write a critique of the question on a piece of scratch paper. It all seemed quite straightforward and professional; at least, it did until I opened the exam book.

In all my years as a student and computer professional, I have never seen an exam as poorly written as the CISSP certification test. Many questions could not be answered accurately because their basic premise was flawed. Some had multiple answers that were correct; others had no correct answers. The exam was filled with acronyms that weren't spelled out or, worse, were spelled out incorrectly. I passed the test, but the exam's creators made me swear that I would never reveal the questions on the exam, so I can't give you specific examples of the levels of silliness to which the exam sunk, but take my word for it: The CISSP exam of several years ago was an abomination.

Once you pass, you need to maintain your good standing through (ISC)2's Continuing Professional Education (CPE) requirement: earning at least 120 credits every three years. Such mandates are common throughout the world of professional certification; doctors and lawyers typically continue to attend accredited classes. But the CPE requirements for the CISSP are far laxer: Provided you pay your annual membership dues and work in the industry, it's hard to imagine how you could not retain your certification. That's because CPE credits are awarded for attending security conferences, attending vendor presentations or even viewing a security-oriented webcast. In fact, I'll receive 10 CPE credits just for writing this article.

CISSP may be nothing more than a club, but it's a club that I've joined, and I hope it's one that's keeping out the riffraff. When somebody suggests that I hire a "reformed hacker" to do a penetration test of our network, I don't need to launch into an explanation of why such testing won't actually increase network security. All I have to say is, "We don't hire consultants without a CISSP."