From: JSK (jsk347@earthlink.net)
Date: Mon Jul 09 2001 - 09:10:21 CDT


    I would agree with your assessment, Scott. MOST, if not all, CISSP's that I
    know have been "in the trenches" for years before attaining their CISSP.
    I'd venture most CISSP's can still get in and install a firewall with the
    best of them, the difference being, the CISSP's understand a lot more than
    just the ruleset, and how to secure the underlying OS. They understand the
    broad brush implications of each factor in any security decision...far more
    important to the OVERALL success rate.

    Attaining any certification can be viewed from two sides: 1) getting it to
    prove merit to the 'world' or; 2) getting it to prove to yourself you are as
    good as you think you are. If someone's reason for getting certified is #1,
    it will help their job search. But studying and working for it for reason
    #2, they will fulfill their own potential and their advancement is based on
    what they are REALLY worth. I submit that (2) is the better reason and
    motivator. There's a huge difference in learning something for life, and
    memorizing something just long enough to pass a test.

    Flame wars have been fought over the value of certifications. There are
    "paper" (pick your cert...CNE, MCSE, whatever) out there. People who can
    read a book, take a 'cram class' and pass the exam. I believe that if ISC2
    had set up the CISSP process so that you could take each of the CBK's as an
    individual exam, and when you passed all 10 you were a CISSP, a lot would
    become that "paper" CISSP. It would totally diminish the value of the CISSP
    certification. They were smarter than that...by having to take a six hour
    exam covering all 10 CBK's in one sitting, you have to do more than just
    memorize a few facts. The knowledge has to be acquired over years of work
    background and study (Ah-Ha! the 3 year thing!). The chances of studying
    and passing the CISSP just based on "book smarts" is diminished
    considerably, and that's a good thing for the aspiring CISSP.

    My $.02 (or $.011137 accounting for inflation)

    JSK

    ----- Original Message -----
    From: "Sanchez, Scott" <Scott.Sanchez@gs.com>
    To: <cisspstudy@securityfocus.com>
    Sent: Monday, July 09, 2001 9:20 AM
    Subject: FW: 3-year rule

    > I don't know if this made it the first time... strange. Sorry if it's a
    > duplicate.
    >
    > -----Original Message-----
    > From: Sanchez, Scott [mailto:Scott.Sanchez@gs.com]
    > Sent: Monday, July 02, 2001 2:13 PM
    > To: 'Dunn, Darian'; cisspstudy@securityfocus.com
    > Subject: RE: 3-year rule
    >
    >
    > Darian & Others,
    >
    > IMO, Technical certification means that you are certified in certain
    > technologies and are able to use, maintain, implement, support, recommend
    > said technologies.
    >
    > Professional certification means that you understand a broad range (read:
    > CBK) of topics and are able to advise, consult, recommend and provide
    > strategy on said topics.
    >
    > SSCP is for practitioners of security, those people that maintain,
    > implement, support and recommend.
    >
    > CISSP is for professionals (not that an SSCP is not a professional, just
    > used to differentiate)- those people that advise, consult, recommend and
    > provide strategy (usually those people looking to be or move into InfoSec
    > management). It's been said that the CISSP exam is "50 miles wide and 2
    > inches deep". Thus you have proven that you are competent on a large range
    > of topics, but when it comes down to installing or maintaining it, you'd
    > rather leave it to someone else (and probably should). (those people you
    > leave the "doing" part to are the SSCP/GIAC folks!). This isn't to start a
    > religious war that CISSP's can or don't "do" the technical stuff, I know
    > plenty of CISSP's that are in the trenches (so to speak) every day,
    > installing firewalls, configuring devices and so on; but by taking the CISSP
    > they are most likely looking to advance their career and move into a higher
    > level position where one day they would most likely not be doing the
    > hands-on daily work anymore.
    >
    > ISC2.org can help you with the "official" stance, but this is my view.
    >
    > My 2c only, nobody else's opinion but mine! :)
    >
    > -Scott (CISSP)
    >
    > -----Original Message-----
    > From: Dunn, Darian [mailto:Darian_Dunn@stercomm.com]
    > Sent: Monday, July 02, 2001 2:00 PM
    > To: Sanchez, Scott; cisspstudy@securityfocus.com
    > Subject: RE: 3-year rule
    >
    >
    > OK, I missed something here. What is the difference between a Technical
    > certification and a Professional certification?
    >
    > Do you mean that a CISSP is not like getting certified in ABC firewall? Or
    > is there more to it?
    >
    > Where do the SANS GIAC cert. stand? (professional or technical)?
    >
    > Thanks
    >
    > -----Original Message-----
    > From: Sanchez, Scott [mailto:Scott.Sanchez@gs.com]
    > Sent: Monday, July 02, 2001 10:07 AM
    > To: 'Chip Carpenter'; afletch@farm-credit.com;
    > cisspstudy@securityfocus.com
    > Subject: RE: 3-year rule
    >
    >
    > Keep in mind that the CISSP is not a technical certification, it's a
    > professional certification. If you're looking for a technical cert, look
    > towards the SSCP or GIAC...
    >
    > -Scott
    >
    > -----Original Message-----
    > From: Chip Carpenter [mailto:security@powermmv.com]
    > Sent: Monday, July 02, 2001 10:01 AM
    > To: afletch@farm-credit.com; cisspstudy@securityfocus.com
    > Subject: Re: 3-year rule
    >
    >
    > Also, tech moves at such a speed that a 3 year old certification if unused,
    > is worthless. If you have used it, then your resume should speak for
    > itself.
    > -chip
    >
    > At 08:05 AM 6/29/01 -0700, afletch@farm-credit.com wrote:
    > >Re: The 3 year requirement: I think it's a good idea. The IT world has
    > >become so certification conscious that many people are simply collecting
    > >certifications like a stamp collector collects stamps. I don't know if
    > >it's the intent of the 3-year rule to mitigate this tendency or not, but if
    > >it were adhered to (and it's not) it would go a long way towards ensuring
    > >that the candidate was serious about Information Security. Just my $0.02
    > >worth, and worth every cent of it!! ;-)
    > >
    > > On 6/29/2001 Tom Watson wrote:
    > >
    > > [SNIP]
    > >
    > > >On a separate issue what are people's views about the 3+ year rule for the
    > > >CISSP? I don't have that experience but I am more than confident in my
    > > >knowledge of the CBK and my ability to pass the CISSP. Surely an employer
    > > >looking at my CV/resume is capable of identifying the extent of my IS based
    > > >experience, and as such, why impose this restriction on those wishing to
    > > >attain certification of their IS knowledge?