8 Comments

  1. I agree.

    (I would be hesitant in saying GSEC is a “good” technical certification, but I don’t think this is relevant to the discussion — and I may simply have a wrong perception of it.)

    Comment by ghost16825 — 9/3/2007 @ 10:34 pm

  2. Daniel, I am a CISSP and I’m in Management but at the same time I’m also in the trenches. I have held technical certs in the past but have let them lapse due to focusing on certs that I feel will advance my career in the direction that I want it to go. I couldn’t agree with you more that those in management need to have an understanding of the technical side of the job. If they don’t then they do about as much disservice to the company as if they have all technical and no management understanding.

    I don’t think that Martin was saying or implying that management doesn’t need that. I know Martin and he is both technical and managerial. Just as is Michael Farnum. Those are the only two responses that I read to your initial article. I think Martin felt that you were trying to compare the two certs as “apples to apples” which can’t be done as I’m sure you know. Both hold value to those in either technical or managerial positions. It’s up to the person seeking them (and others) to choose what they feel will help their career path the most.

    Comment by Andy ITGuy — 9/4/2007 @ 2:06 am

  3. Alex,

    The discussion started because I said it was lame for CISSPs not to know how to configure a Linksys router for Internet access. He disagrees. He thinks it’s perfectly ok for a CISSP not to know basic networking because all they are doing is making important decisions.

    So he isn’t just saying that some certs focus in one area while others focus in different ones. Everyone knows that.

    He actually seems to be saying that management doesn’t need to know technology because that’s what the other certs (and positions) are for. Hence my disagreement.

    Comment by Daniel Miessler — 9/4/2007 @ 4:17 am

  4. Daniel,

    Your measuring stick (wireless configuration) is very narrow. Wireless is one of 400 topics that someone needs to keep up on as a CISSP. But, I’ll play along that your measure is accurate.

    I have met my share of GSECs that cannot configure a wireless router. Maybe it is because they only read the 40 pages SANS said they needed to know for the exam in 2004. Or maybe they came to class and got the GSEC in 1998, when very few of us were implementing wireless.

    Conclusion:

    It’s simply absurd to claim that people in “management” roles DO need to be versed in ALL technology. AND it’s simply absurd to claim that people in “technology” roles ARE versed in ALL technology.

    Comment by Dean — 9/4/2007 @ 7:58 am

  5. It’s simply absurd to claim that people in “management” roles DO need to be versed in ALL technology.

    Luckily I didn’t say that.

    Comment by Daniel Miessler — 9/4/2007 @ 8:33 am

    “I have met my share of GSECs that cannot configure a wireless router. Maybe it is because they only read the 40 pages SANS said they needed to know for the exam in 2004.”

    To be fair, that’s a problem of nearly all certifications out there, regardless of their niche or difficulty.

    Dean seems to be forgetting a key point in the IT world: knowledge is not static. Even if a topic wasn’t covered when a candidate initially earned a certification, it’s no excuse for not having researched it at some point afterward. One must not adopt the attitude of “I earned my cert, now I can kick back until it’s up for renewal.” Apathy toward continuing education belittles the cert and hurts the field as a whole.

    Comment by Stretch — 9/4/2007 @ 9:23 pm

  7. I think this is not really about CISSP vs GSEC but theory on management styles. All jobs I’ve worked at where my manager knew exactly what my job was were pretty good jobs. I could talk about things I thought needed to be improved, and if my idea was dumb it would be shot down intelligently, or if it was good it could be implemented properly. I have found jobs where my managers had little to no understanding of what I did to be quite frustrating. This was largely the case when I worked at Convergys. If policies inhibited my attempts at being a top notch tech support phone jockey, it didn’t matter because it is what management pushed down and it’s what they decided, in all their wisdom, was best for the company. Most people with integrity and skill got frustrated and left before long, leaving mostly clueless tech reps. At my current job my immediate supervisor knows worlds more about my job than I do. I know I can go to him for reliable advice. I can talk all the tech talk and be right on step with him and vice versa. I think this is really the crucial part of your argument. If supervisors take the CISSP but still know shit about networking, then in all probability it has actually caused damage by creating managers who think they know what they are talking about when discussing things with their employees who really do know what they are talking about.

    Comment by Maxo — 9/5/2007 @ 3:24 pm

  8. I agree with Maxo and Daniel. Look, if your manager is making decisions, as the CISSP insists, and doesn’t know what he’s talking about, you’re screwed. If someone is in charge of something, he should know how to work it. If an ISSO doesn’t know enough about security technology and how things work, CISSP or not, the systems he (or she) is in charge of will suffer.

    I have been in the industry for more than seven years now… the CISSP exam took me less than 1.5 hours, including double-checking my answers and work. It is a fairly simple exam… I learned nothing in the bootcamp (and made everyone save the teacher angry because I knew all of the answers and he and I kept going into in-depth discussions). They have to force you to have 5 years of experience because the exam is too easy (14-year-olds were passing it without any experience), which says to me that the exam is worthless.

    The CISSP is a weak exam because it is non-technical and covers many topics, but few things. No depth. What little depth it attempts to provide is generally wrong, though. For example, my exam had a question concerning buffer overflows and how to “prevent” them. The only somewhat correct answer is to check the range and offset, but even that’s not right. In all of the domains, excluding BC and DR, the CISSP has very little information, depth, or knowledge.

    Also, just to add a twist, I took the CCNA 1/2/3/4 route through Cisco’s Networking Academy, which taught me a wealth of information that I retain today and has helped me through my college studies, work, and my research. CISSP has done nothing for me. In my case, I got the CCNA through a respectable means, rather than simply passing the exam, and I learned the most; I didn’t learn anything in the CISSP bootcamp and had no issues with ANY of the CISSP exam questions (save 2 that made no sense… the English was completely messed up).

    My ultimate point is that certifications should mean nothing to you… it’s the knowledge. Anyone can pass an exam (I know CISSPs who couldn’t tell you the difference between a router, switch, lvl4 switch, lvl3 switch, hub, repeater, and bridge…. I know CCNAs who couldn’t either). I recommend that you take classes, go to University (and apply yourself), and participate in research. Certifications and certificates are pointless and don’t help you grow… when companies figure this out, we’ll see a dramatic shift in work quality and fewer losers in our fields (I do application PT, Web-based application PT, network PT, OS PT, and vulnerability assessments for a living).

    Comment by DO — 1/21/2008 @ 9:14 pm
