CISSP Certification Uncertainty

The more I checked into it, the fishier everything seemed. To get a CISSP certification, all you had to do was pay (ISC)2 a few hundred dollars and take a test. Maybe all by itself that doesn't sound so bad. But the same piece of paper advertising the test also offered special "CISSP training seminars"costing upward of $2,000that were designed to help prospective test-takers pass the course. Was (ISC)2 offering the seminars as a community service to those trying to pass the exam, or was it offering the exam as a way to sell expensive security seminars? I couldn't tell.

Now there's no denying that the computer security profession needed to do something in the way of certifying its practitioners. Ever since security started making big headlines in the 1990s, a growing number of "security consultants" have tried to cash in on the craze. Some of these consultants were well-established practitioners who really knew their stuff. But others were teenagers whose main claim to fame was being arrested by the FBI for breaking into a computer system. Some of these kids charged hundreds of dollars an hour. And they got it. The whole trend of hiring so-called "reformed hackers" made legitimate practitioners green with envy, and disgust.

I may be wrong, but I believe that the creation and success of the CISSP certification is largely a reaction to the market success of these former computer criminals. (ISC)2's Common Body of Knowledge for information security assures that slick kids who are good at penetration tests and not much else wouldn't be able to pass. And the emphasis on the CISSP Code of Ethics, particularly the prohibition against "association with amateurs" and "appearing to associate with criminals or criminal behavior", assures that any reformed hackers who manage somehow to pass the CISSP test can be thrown out of the club if they haven't really changed their ways.

Still, I didn't know if the CISSP certification was legit or not until I plunked down my money, trekked to New York City and sat for three hours one Saturday morning to take the test.

I didn't take the seminar, nor did I bother studying. With nearly two decades of experience in information assurance and security, I figured that if I couldn't pass the test cold, then (ISC)2 really was a scam.

I joined another 40 or so people on the day of the test. We were all handed a little notebook with several hundred multiple-choice questions. Some of the questions were "experimental," we were told; that is, they didn't count. If we thought that a question was poorly worded or ambiguous, we should try to answer it as best we could, then write a critique of the question on a piece of scratch paper. It all seemed quite straightforward and professionalat least, it did until I opened the exam book.

In all my years as a student and computer professional, I have never seen an exam as poorly written as the CISSP certification test. Many questions could not be answered accurately because their basic premise was flawed. Some had multiple answers that were correct; others had no correct answers. The exam was filled with acronyms that weren't spelled outor, worse, were spelled out incorrectly. I passed the test, but the exam's creators made me swear that I would never reveal the questions on the exam, so I can't give you specific examples of the levels of silliness to which the exam sunk, but take my word for it: The CISSP exam of several years ago was an abomination.

Once you pass, you need to maintain your good standing through (ISC)2's Continuing Professional Education (CPE) requirementearning at least 120 credits every three years. Such mandates are common throughout the world of professional certificationdoctors and lawyers typically continue to attend accredited classes. But the CPE requirements for the CISSP are far laxer: Provided you pay your annual membership dues and work in the industry, it's hard to imagine how you could not retain your certification. That's because CPE credits are awarded for attending security conferences, attending vendor presentations or even viewing a security-oriented webcast. In fact, I'll receive 10 CPE credits just for writing this article.

CISSP may be nothing more than a club, but it's a club that I've joined, and I hope it's one that's keeping out the riffraff. When somebody suggests that I hire a "reformed hacker" to do a penetration test of our network, I don't need to launch into an explanation of why such testing won't actually increase network security. All I have to say is, "We don't hire consultants without a CISSP."

With policies like that in mind, some consultancies have become CISSP factories. They hire relatively green consultants, throw books at them, send them to a high-priced prep course and get them through the CISSP exam. I haven't yet decided if I think that practice is a bad thing. On one hand, those individuals certainly don't have the breadth of knowledge and depth of experience that the CISSP certification once implied. On the other, at least they come out of it knowing something about computer security. To address that complaint, (ISC)2 now requires that CISSP applicants have four years of "professional experience in at least one of the 10 information security domains" represented in the Common Body of Knowledge. That sounds great. Until you visit the website and learn that professional experience includes "creative writing," "research and development," "management of projects," and "work requiring the exercise of judgment, management decision making and discretion." Call me crass, but I interpret those requirements this way: A person who works as a security guard for four years in college has the necessary work experience to qualify for the CISSP certification.

My biggest complaint about the CISSP certification, however, is that many more people on my staff need front-line experience with security than just my CISSPs. Aspects of the Common Body of Knowledge should be ready at the call of network administrators, programmers and even sales professionals. Insisting on security professionals with the CISSP certification can give upper management the unfortunate impression that we've hired a few slick foxes who are capable of watching our henhouse.

For example, many of the security problems discovered in Microsoft's programs weren't part of the security-critical software. Instead, the problems come from dumb programming mistakesthings like buffer overflows and the failure of programs to properly validate their arguments. The same is true of security-poor websites with improperly designed cookies and the lack of code that detects password-guessing attacks. These aren't the sort of high-level security configuration issues that CISSPs eat and breathe. Instead, they're nuts-and-bolts programming tasks handled every day by shop-floor programmers. The tragedy of computer security is that small bugs can have huge ramifications.

A CISSP can design networks that require two-factor authentication, but a sales manager who forgets his laptop at an airport bar can still compromise corporate secrets. A CISSP can write a policy that mandates the use of home firewalls, but if an executive's daughter downloads software over Kazaa, that firewall probably won't protect the internal network when the virtual private network is fired up. The problem is rarely the network's design. It's the network's users.

As far as industry certifications go, the CISSP has a lot going for it. According to (ISC)2, there were 13,397 Certified Information Systems Security Professionals as of December 2002. Meanwhile, an article in Certification Magazine says that the CISSP certification is the best, most highly ranked industry certification of them all. Perhaps that explains why Amazon.com lists 15 books with the letters "CISSP" in their titles, including my personal favorite, CISSP for Dummies, by Lawrence Miller and Peter Gregory.

Certainly, (ISC)2 takes itself quite seriously, and the organization is working to resolve some of the aforementioned problems. And given the status of other industry certifications, it's easy to see why the CISSP is largely regarded as the "gold standard." Bottom line: Would I hire somebody who has a CISSP certification over somebody who doesn't? Absolutely. But, of course, it's best to look for more than just the CISSP certification: things such as degrees from established, accredited colleges and universities, real-life work experiences, references and referrals.

The biggest reason for my endorsement goes back to that CISSP Common Body of Knowledge: If a person has a CISSP, then I know that he has probably read at least one book on the topic of computer security. The job applicant probably knows something about physical security, something about policy formation, something about access control, something about encryption and so on. Sadly, that puts his résumé far ahead of most others that cross my desk. n