Undercover
CISSP Certification Uncertainty
Would I want to belong to a club (ISC2's CISSP certification) that had me as a member? As it turns out, I do.
By Anonymous
With policies like that in mind, some consultancies have become CISSP factories. They hire relatively green consultants, throw books at them, send them to a high-priced prep course and get them through the CISSP exam. I haven't yet decided if I think that practice is a bad thing. On one hand, those individuals certainly don't have the breadth of knowledge and depth of experience that the CISSP certification once implied. On the other, at least they come out of it knowing something about computer security. To address that complaint, (ISC)2 now requires that CISSP applicants have four years of "professional experience in at least one of the 10 information security domains" represented in the Common Body of Knowledge. That sounds great. Until you visit the website and learn that professional experience includes "creative writing," "research and development," "management of projects," and "work requiring the exercise of judgment, management decision making and discretion." Call me crass, but I interpret those requirements this way: A person who works as a security guard for four years in college has the necessary work experience to qualify for the CISSP certification.
My biggest complaint about the CISSP certification, however, is that many more people on my staff need front-line experience with security than just my CISSPs. Aspects of the Common Body of Knowledge should be ready at the call of network administrators, programmers and even sales professionals. Insisting on security professionals with the CISSP certification can give upper management the unfortunate impression that we've hired a few slick foxes who are capable of watching our henhouse.
For example, many of the security problems discovered in Microsoft's programs weren't part of the security-critical software. Instead, the problems came from dumb programming mistakes
A CISSP can design networks that require two-factor authentication, but a sales manager who forgets his laptop at an airport bar can still compromise corporate secrets. A CISSP can write a policy that mandates the use of home firewalls, but if an executive's daughter downloads software over Kazaa, that firewall probably won't protect the internal network when the virtual private network is fired up. The problem is rarely the network's design. It's the network's users.