Why CISSPs are ruining security - An interesting parallel to MCSEs ruining Information Technology

It is just one of those things that eventually happens, but I want to take everyone back to 1999/2000. You had the Y2K bug, so people were focused on this as it affected applications in their enterprises. But after this paranoid (Black Sabbath reference, and not a misspelling of paranoia) subsided, I began to see advertisements, and hear about Microsoft Certified Training. I was working in a help-desk at the time and several of my co-workers actually had this MCSE in Windows NT. Windows 2000 ... was released and now all of them had to upgrade their certification and retake the test. Of particular note was one co-worker who was just reading the MCPTest books day and night, and then finally passed the MCSE for Windows 2000. At some point, he went out on a help-desk call and did not know how to use ping or ipconfig on Windows. But he is an MCSE right?? He knows stuff right?? Over the next 5 years, there was a new arrogance that surrounded these Windows Certified jerk-offs, and they were portrayed as what "YOUR" IT department should be like. Only the cool people had MCSEs, and apparently you only knew something if you had one. This is how I viewed it when trying to get a better job from within the company. There were a large number of these computer training places where you could pick your nose, drop a dime (that's gangster talk for 1,000 dollars), and get a certification, but you would still be without a job, and know absolutely nothing. Then a wonderful thing happened: MCSE a$$ hats were not getting jobs. The glorious salary promised by these training depots kept dropping and dropping until they avoided saying a dollar amount altogether. The spell had been broken, but there was a new enemy that would plague technology worse than Apple users.

Begun, the CISSP war, had. ISC was founded in 1989 and has been administering the CISSP test for some time. In 2003, I was looking at where I wanted to waste my money. I was looking at Red Hat Certification, or this CISSP. I was working in security, so the CISSP looked like a better plan. But something went wrong, and I decided to actually continue my education, to work towards a degree. And lucky for me, I was actually working, analyzing, hacking and gaining experience from security work, which was more valuable than studying for a stupid single exam. As time passed, into 2006, I was starting to hear the same criticism of CISSPs that I remember hearing about MCSEs. It is a test, and anyone can study for a test, even a complicated security test.

What do you gain by being able to pass a test? Nothing. I never learned anything from studying for a test, or taking a test. I only learned by knowing how to use the knowledge, and where it lives, so I can use it while I work. Do you need to memorize everything? No, but you need to memorize all of the locations that hold the information you need. So where are we now in 2009? I think we are at the high watermark for the CISSP certification. Nice professionals wearing suits with their CISSP are almost worthless to a security program. They are nothing more than a check-box on a government contract. It is becoming difficult to find security hacks who actually try to break software/hardware and understand real world attacks and how real intruders (even your very own employees) are trying to compromise the confidentiality, integrity, and availability of your data. You have to be able to unlearn what you have learned. It is not thinking outside of the box, it is taking a sledge hammer, bashing in the skull of the idiot who is standing outside the box, then smashing the box.

But I could be wrong, based on the premise that DoD and other agencies are looking for these wonderful CISSPs as a requirement for employment. The only possible way for this to end is a real certification, a license, governed by the state, that makes the licensee or whatever accountable for mistakes, just like doctors and lawyers. Imagine if all these tool boxes had to actually explain why they screwed up and face possible legal action? This would make everyone a real professional, with ethics that had to be adhered to. This idea was brought up by my professor in a security law class. A state-licensed security certification, and you would not be allowed to hold a security job without it. You would be accountable for your actions. This would be the only test I would take.


I have also heard about the Y2K bug during the end of 1999. I heard that the whole computer system would crash down, but nothing happened as expected. But after some time the "I Love You" virus hit the computer society. In this era computers are still not safe from viruses. But due to such security courses we are able to produce manpower who is working in the field to reduce the threat of viruses.
Agreed but...

I would say two things to that:

1. I think that this might be useful for a manager to have.. it at least gives them some foundation to begin to understand security...

2. Most real security people (worth their weight in at least an ounce of fecal debris) can't take the test anyway -> specifically speaking about the code of ethics that one has to agree to prior to taking the exam... most either are, have been affiliated with, or are currently associated with hacker groups, or are conducting exercises like fuzzing, code PoC work etc etc etc....

My .02 anyway.



This is a direct parallel to an MCSE. I apply ethics when I am defending a network, but according to ISC, I cannot get a CISSP because I have created exploit code.

Alienating the best people suited for a position because of a certification is not a good business practice. In other words, the certification does not guarantee aptitude in the position.

More than several of my colleagues have CISSP credentials and they've run exploit code. I think the intent of maliciousness has to be applied before they can block such access. I see your point though. This is why I disdain certifications...I've seen more than one cert holder that came asking me questions about knowledge when I didn't hold a cert in that knowledge (especially the technical cert holders). Now that's pure BS.