Is the CISSP Becoming Watered Down?
The Certified Information Systems Security Professional (CISSP) has quickly become one of the most talked-about certifications in the IT industry. Some would say it is approaching the popularity of Cisco's CCIE.
But like other popular certifications before it, the CISSP has begun to receive criticism from people who say it's "easy" or "not applicable to real life." Any popular certification is bound to go through this phase.
This happened most clearly with the MCSE certification. Masses of people began using cram guides and boot camps that definitely helped them pass the test, but didn't make them any better at implementing Microsoft technologies. As a result, the cert became watered down and stopped fulfilling its function of providing a "baseline" of Microsoft knowledge.
This watering down has happened to a lesser extent with the CCNA. To their credit, Cisco has updated that exam several times and now includes a hands-on simulation in it. Nevertheless, the CCNA is very popular, and like most very popular certs, it gets watered down.
The CISSP isn't suffering the same "watering down" symptoms that have affected these other certs, for one very important reason: a CISSP cram book is 1,000 pages long. (I know there are shorter cram-guide type books, but trust me when I say that these can only be used in conjunction with the longer ones.)
Most certification tests have a core set of topics, with each topic covered by several different questions (think subnetting in the CCNA). Don't get me wrong, the CISSP does have a core set of topics: the Common Body of Knowledge (CBK), which is divided into 10 domains. But each of those domains contains several, even dozens, of separate concepts.
Let's say that in the CCNA you firmly understand two concepts: subnetting and the OSI model. You may not know anything about routers or switches; you may not even know how to spell CCNA. But if you know how to subnet and you know the OSI model, you will still do fairly well. You may not pass, but it would be close.
In the CISSP, by contrast, you have to learn about types of fire extinguishers, JavaScript vulnerabilities, how to choose the physical location of a building, how memory interacts with the CPU, several different encryption algorithms, how high fences should be, and so on. Notice the similarities among these topics? Me neither. And that is exactly why the CISSP is not becoming watered down.
The fundamental concept behind the CISSP has never changed. If you study for and pass this test, you will be an expert at nothing, but you will know a little about everything. Isn't that what we are looking for in managers?
So the next time you think of mocking a CISSP who doesn't know this or that specific technical nuance, ask yourself: "What kind of fire extinguisher does it take to put out an electrical fire?" (A Class C extinguisher, in the US classification.) Should an expert fire extinguisher repairman make fun of a CISSP for not knowing something very specific, like the ratio of chemicals inside the extinguisher?