What the CISSP? 20 years as a Certified Information Systems Security Professional

CISSP stands for Certified Information Systems Security Professional, a qualification that I obtained on this day in 1996. Back then, very few people had heard of CISSP or the organization that created it, the International Information Systems Security Certification Consortium. This non-profit professional body is known as (ISC)² which is pronounced "I-S-C-squared" (because the name contains two each of those three letters, which is cute but a pain for typographers and search engines). These days CISSP is an acronym you'll hear a lot if you spend time dealing with cybersecurity, and (ISC)² is a name you'll encounter at many events, such as the (ISC)² Security Congress. In a moment I will talk about what it means to be a CISSP, but first, a few words of caution.

One place that you frequently see the letters C-I-S-S-P is in job descriptions for cybersecurity positions. For example, a quick search of openings on the employment website indeed.com finds 1,998 new job listings that include "CISSP" (far more than some related certifications (e.g. CCNA: 1,604; CISA: 1,105; and CEH: 352). Now you might think that, as someone who has derived many benefits from being a CISSP for 20 years, I would welcome this strong showing. And in some ways I do, but I also see a serious problem: too many employers inappropriately put "CISSP required" in job requirements.

Why is this a problem? Because it creates understandable resentment from people who are qualified to do the work that the advertised position entails, but don't happen to be CISSP-certified. I will try to shed some light on this problem as a way of giving back on the twentieth anniversary of meeting the requirements to become a CISSP.

Those requirements included passing a six hour exam several weeks before the certification came through, an exam that I had to fly to Seattle to take. Or maybe it was Portland. Anyway, I know I flew there the day before the exam and the weather was cool and damp as I went from the airport to a hotel near the test center, toting a bag of books that I pored over late into the night. One of those books was The Stephen Cobb Complete Book of PC & LAN Security, which was far from complete despite being 556 pages long (believe me, the title was the publisher's idea). The next morning, in a line of about two dozen people waiting to go into the test room, the guy next to me said "I recognize you, you wrote that security book." Any ego boost from being recognized was quickly deflated by the stress-inducing realization that at least one member of the public might be able to figure out if I flunked the exam. Thankfully, I did not.

But what does passing the CISSP exam prove? Having participated in question writing sessions for the test, it was my understanding that passing the exam should: "confirm that you know what it takes to manage an organization's information system security". In other words, it means you know how to get an organization to meet the information system security challenge, now and moving forward. This is different from being skilled and experienced in each and every technical role which that undertaking requires. And therein lies considerable confusion and, for some people, frustration.

Suppose you've learned how to perform penetration testing, maybe as a sysadmin or helping out a friend who has a job in IT. You've become immersed in Kali, you know how to handle a Pineapple, and you've coded some clever tools of your own in Python. Now you'd like to get a job where you can put this knowledge to good use on a full-time basis. You check out indeed.com for your area and wow, there's a company just down the road from where you live that is looking for a pen tester. Sweet! But then you get to the bottom of the listing and there it sits, under Mandatory Requirements: CISSP.

Now, speaking as a CISSP, I'm happy to inform you that you don't need to be a CISSP to be good at pen-testing. And I'm happy to tell that to any prospective employer who thinks you do. Furthermore, getting your CISSP may not add much to your pen-testing abilities. And if you take the exam and flunk because of questions about appropriate fire retardant for data centers or correct heights for perimeter fencing, you're not going to be a happy camper. On top of that, there is the CISSP experience requirement to consider: a minimum of five years of cumulative paid full-time work experience in two or more of the eight domains of the CISSP CBK (see (ISC)² Common Body of Knowledge):

Note that a waiver to reduce the experience requirement to four years is possible, based on certain education parameters or other professional certifications (see this page on the (ISC)² website).

It should also be noted that you have to commit to a code of ethics to be a CISSP and you must keep learning after you get your certification, or your qualification will expire. These are sensible requirements for the proper role of the CISSP. Here's what (ISC)² says that the CISSP means: "you have the deep technical and managerial knowledge and experience to effectively design, engineer, and manage the overall security posture of an organization." The point is, the CISSP does not attest to mastery of a specific technical cybersecurity skill set. And companies shouldn't take it to mean that.

In fact, when a company says that you must be a CISSP to perform a job which mainly consists of specialized technical security operations, then you might want to question their understanding of how information security works. (However, I totally get that questioning the judgement of a prospective employer is a non-trivial undertaking.) On the bright side, I do see more employers using language like "willing to attain CISSP" which strikes me as a very healthy approach.

Frankly, after studying information security for more than 25 years, 20 of them as a CISSP, I think the healthiest approach to hiring people to work in cybersecurity is to set aside checklists, including laundry lists of certs and degrees. Organizations should evaluate candidates based on A. what they have shown they can do, and B. what the person in charge of security, the person for whom they are going to work, thinks they have the potential to accomplish.

I realize that this approach is hard to implement at scale, but I also think that as a nation, heck, as a planet, we have to do much better at hiring for cybersecurity roles. Numerous studies indicate that tens of thousands of cybersecurity openings go unfilled every year (and that's just in the US, globally they're talking hundreds of thousands). But I still meet very bright and motivated people who aspire to work in the industry and can't get hired. We need to close this gap and solve these hiring problems if we are going to stand a chance at securing our digital future. And whatever else it means to be a CISSP, it means sharing a commitment to achieving that goal.