Risk of CISSP Renewal

She is a technically proficient person bound for a career in InfoSec. Her question is, "Should I study for a CISSP (Certified Information Systems Security Professional) certification?”

On the verge of answering with "Yes, of course," I pause...

...

I failed to renew my CISSP certification earlier this year. Why? Because I’m terrible at collecting and submitting my CPE (Continuing Professional Education) credits.

I am a security and compliance pro -- not an accountant. When the CISSP governing body, isc(2), informed me earlier this year that I needed to submit proof of 54 CPEs along with my renewal, I balked at completing this busy-work. Sure, CPEs were available for most of the security events, conferences, webinars, meetups, and other security- and compliance-related activities I engaged in. But isc(2), can't you collect and apply these credits for me?

So I reached out to my dear friends at isc(2). It went something like this...

To whom it may concern:

True, I haven't kept track of my CPEs. Yet I meet with dozens of security vendors every year, demo their products, and provide valuable feedback. I plan and manage the work of security, compliance, and IT pros. I network with peers to discuss current threats, tactics, technology, risk mgmt, vendor mgmt, data security, privacy, and incident response. I speak at industry events sponsored by IAPP, ISACA, CSA, and IGI. I advise CEOs of large, international companies, as well as founders of 12-person startups, on security.

Because I do all this, I'm not inclined to collect and submit your CPE game tokens. And because you won’t differentiate security program leaders from security folks just starting out, you’re eliminating practitioners with the most valuable experience from your membership. Is this what you really want?

The response from isc(2) was predictable. The customer service rep, Amanda, encouraged me to reconsider, reminded me that CISSP is meaningful and leads to greater earnings potential, and warned me that, once de-certified, I'd no longer be permitted to wear my CISSP lapel pin (boo hoo), or "imply in any way that you are presently certified."

...

So how did I answer the question that begins this post?

"A CISSP cert indicates an understanding of a common body of information security knowledge. However, I'm going to hire you based on experience, attitude, and communication skills, not based on a CISSP or other cert. If you are a do-er, not a be-er, then think about re-allocating the time you'd spend studying for the CISSP. Use it on self-directed security research, organize a meetup, participate in user groups, think and act like a hacker. If you have the respect of industry practitioners who also walk the walk, the CISSP will be superfluous to what you accomplish in this field."