I recently came across a very interesting blog post by Wendy Nather on her decision not to renew her CISSP certification.
Nather, a well-respected analyst at the 451 Group, has been IT security director at several firms in previous years and probably needed to keep her CISSP accreditation. However, in her post Nather said that she had decided to let her CISSP certification lapse because, since getting the accreditation, “having that certification has done nothing for me, except to make me have to look up my number every so often when registering for a conference”.
She said: “I never actually planned to get it to begin with; I only signed up for the exam because there was a job I thought I might apply for, and the CISSP was required.
“By the time I decided to go in a different career direction, it was too late for me to get my exam fees back (and for that amount of money, I could have bought a laptop or some designer shoes). So I crammed for about a day and a half, went to the exam, came out two hours later, and was done. Relatively painless, except for the extortion I had to do of certain former colleagues to get the recommendation forms filled out.”
Back at the RSA Conference in February, I attended a panel session on the value of certifications, where comments were made on the need for these accreditations and whether people are hired for competency or because of certifications such as the CISSP.
In that session, Andrew Ellis, chief security officer at Akamai Technologies, said: “We look at certificates; if they have them, they say ‘with this, this person is qualified to practise with quality’, but then if a practitioner has a certificate such as CPA, that is the most common reputational certificate.
“The challenge is as those who have them grows, so it becomes the bottom bar and it carries the reputation of the lowest person who owns that certification.”
Nather also said in her post that she was not happy with paying every year to have letters after her name, and that CISSPs were so common that they would be of use for people starting out in security and that the certification was a handy first sorting mechanism when you're looking to fill certain levels of positions. “But by the time you're directly recruiting people, you should know why you want them other than the fact that they're certified. And then the letters aren't important,” she said.
The post naturally stirred quite a reaction, with Nather posting an update saying that she really respects and admires what members of the (ISC)2 board are trying to do, and that while the CISSP is not completely useless, it is just not something she personally wants to put time and money into maintaining.
Wim Remes, an (ISC)2 board member, commented that he disagreed with the CISSP being an entry-level cert and admitted that the organisation needed to work on communication. He said: “In my opinion the cert, first and foremost, establishes a common vocabulary among professionals that allows us - even though from different backgrounds and with different focus areas - to talk the same language and understand each other.”
Among the many responses to Nather's post was one I spotted from Gal Shpantzer, a contributing analyst at Securosis. He said in a Securosis blog post that after years working in IT, “I no longer want to bother proving how much I know”. He admitted that while the CISSP has a powerful sway over the infosec industry's hiring practices, the HR process is what it is, and many HR shops bounce you in the first round if you don't have those five magic letters, so the CISSP has ongoing value to anyone going through open application processes.
In my own career, journalism, there is no such all-encompassing industry certification that you are required to hold. Part of me thinks it is good that journalism is open to all, but at the same time, is that a double-edged sword? If there is a filter, surely that makes it easier to sort the qualified from the chancers?
There are many who will disagree with Nather's decision and many who will feel she is correct. At that RSA session, I spoke with a major researcher from a vendor whom I spotted in the room. He told me that while he saw the CISSP as important, because you only had to sit the exam once and were not re-examined continually, he questioned what value it holds for senior professionals in IT.