Does a CISSP a security expert make?

by Justin Clarke

I am sure this is a dead horse that is periodically brought out for a whipping, but, is there actually a business demand out there for security certifications, or is the demand (which certainly does exist) fuelled by the ISC2 and other organizations interested in furthering their own existence?

As a consultant, I am in the process of getting my CISSP, which will take my certification count to four... none of which I have ever seen any real benefit from.

So, I'm wondering whether anyone actually gets any use out of these... other than possibly in getting a job over someone with equivalent experience without one?


2004-06-27 05:19:00

I saw your question with interest. I recently gained my CISSP qualification, and have been seriously considering its merits.

I found that the CISSP qualification is a very broad overview with little in its content which wouldn't be known by anyone with a modicum of security experience.

Although the CISSP is an "industry standard", I personally have found greater knowledge from other sources.

My particular favourites in the "Certified" stakes are those provided by ISECOM (the Institute for Security and Open Methodologies), who provide two certifications, OPSA and OPST, both of which are to do with the application of the OSSTMM (Open Source Security Testing Methodology Manual - it's clear why it is abbreviated!). This is a real-world guide to security testing and risk assessment, and is in use in many large organisations as well as by individual pentesters and security consultants (such as myself).

The certifications cover the in-depth use of the tools and methods required to use the OSSTMM and would easily eclipse the CISSP in terms of breadth and depth.

ISECOM is on the web at and you can find all the details of the OSSTMM, courses and other projects there.

Incidentally, at the same time that I sat my exam, a number of friends that I met on the same course sat as well. Out of them, a significant number were already security professionals with a lot of experience; they were crippled by the rather unclear usage of English in the exam questions. Even though they were allowed a dictionary, the semantics of a question very often defined the answer.

From all of this you might think that I don't value my CISSP. I do; it is a clear level of knowledge that I can demonstrate to others at a defined standard. What I don't think it is, is a demonstration of the in-depth and highly technical knowledge required by a security professional.

All The Best,

Simon Biles