SearchSecurity article on CISSP growth vs security value

Via @Mckeay, I read this SearchSecurity article on the problem between CISSP value and security industry growth. Disclaimer: I’m a CISSP-holder.

“I need to find 2 million people in three years to come close to meeting the expected need,” [(ISC)2’s Executive Director] Tipton said in reference to the information security-related job growth his organization forecasts.

I read that and my first reaction was, “That’s not your problem.” *You* don’t need to *find* these job-fillers. *You* need to just keep certifying *qualified* people to hold your certification. There’s an extremely subtle difference there. A difference that isn’t so subtle once it permeates years of effort and turns things into, well, this currently watered-down certification where I see very basic questions coming from CISSP-holders as well as just a plain lack of knowledge and value from many. I hear, constantly, tales of people getting a CISSP just because they need to for maybe a sales role or something. And it’s simply possible to do that, with a book-based test.

Thankfully, McKeay essentially echoed my sentiments:

“But the CISSP doesn’t really meet that need because it’s not training per se for any particular discipline,” McKeay added. “It’s simply a way of registering people who have learned enough to pass a test, not necessarily learned enough to do a particular job or even be successful.”

I really think this is a problem where greed is a key factor. Where capitalistic growth is the default goal of a business. If you’re not growing revenues and fattening pockets, then you’re failing. A non-profit (yeah right) like (ISC)2 should *not* actually be interested in growing numbers on any artificial platform or reason. It should be just fine and dandy with maintaining a status quo of incoming cert-holders. If it *needs* to grow revenues, perhaps look into sanctioned training in security topics (though that might put it in direct competition with places like SANS, which is sort of a good thing). But it’s also not like the CISSP needs to gain credibility. It’s *had* that for years, and it’s not quite understanding how that is going to erode (much like Microsoft certs).