CISSP security certification under fire from academics

Academic experts have called for better information security education courses and questioned the usefulness of industry certifications, with one professor even calling for government regulation of information security practitioners.

Industry based certifications such as (ISC)2's Certified Information Systems Security Professional (CISSP) courses are simply not enough, according to Professor Bill Caelli, the head of the software engineering and data communications school at the Queensland University of Technology.

"The CISSP is a very important start... but doesn't contribute much real world knowledge," he told ZDNet Australia at AusCERT's Ausconf security conference, describing the certification as nothing more than "an awareness raising exercise".

Management don't understand what is and isn't covered by courses such as CISSP, Caelli says.

Going one step further, Caelli has called for government regulation of security professionals.

"Industry must feel confident... I am for regulation of information security professionals who have a shingle on their door saying 'security professional,'" he said.

The idea that veterinarians and taxi drivers are regulated while security professionals aren't doesn't make sense, he said.

"I can control and manage critical infrastructure but I can't even fix up your pussy cat," he quipped.

Dave Dittrich, who is currently developing an information assurance curriculum for the University of Washington, echoes these sentiments. He stops short of suggesting the industry needs to be regulated.

"Regulation is a blunt instrument," he said. "The security industry changes too fast for government mandated regulation".

Just as civil engineering jobs are staffed by civil engineering graduates, Dittrich says information security roles will eventually require degree level qualifications as the discipline is standardised. He also expressed concerns over the limitations of the CISSP course.

"You have a lot of practitioners out there who've taken that [CISSP] exam... but technically they're not quite up to speed," he said.


Talkback 7 comments

  1. Anonymous -- 14/05/03

    I recently obtained my CISSP. I have to say that it isn't all that easy to achieve. I doubt that someone without a reasonable amount of experience can just pick up a book and pass the exam. I have over 17 years experience, in various aspects of IT from electronic design, coding, right through to implementing large networks with various security requirements. It still took me 6 hours to get through the 250 questions in the exam. We did attend a review course, but also did a lot of group study.

    CISSP is also very broad in that it is meant to cover all aspects of security - from policies and procedures, through physical and logical controls, business continuity, software development practices and crypto. As a CISSP you cannot claim to be an expert in, say, all things related to crypto. (For instance you almost definitely would know the difference between asymmetric and symmetric crypto, know which algorithms fit in which category, have good working knowledge of how they function. But you wouldn't be able to recite every function and operation of the algorithm to, say, be able to code it up).

    But you can say that you are a security professional that has experience (which you have to justify through work references) and knowledge (by the exam) across the wide range of security issues that will be facing organisations today. Thereby you can help customers identify their security issues and propose (and probably implement) appropriate solutions.

    BTW Ask an academic crypto boffin to help a company develop a security policy or even manage a transition to become a more security-aware organisation and see how successful they would be. This is "real-world".

  2. vb -- 14/05/03

    Academics want regulation of the information security professionals!! They want people to undergo degree level courses before being able to call themselves security professionals!!

    On the other hand we have corporates who require these professionals but are short sighted enough to say we shall hire them only if they have worked in specific verticals.

    I too am a CISSP, with over 13 years of experience internationally for mission critical industries such as international airports and terminals, but guess what, banks requiring to fill security related positions will not talk to me here in Australia, because I have not worked in the finance industry (not sure though if it is the banks or the agencies).

    While we are creating degree level courses, why not create degree level courses for every industry vertical that we come across??? Seems that's the way the agencies would prefer it, never mind that the person is a specialist/experienced in particular skills such as security or bcp/drp.

  3. rick aleshire -- 14/05/03

    "...technically not up to speed." Who is kidding who here!? Getting a degree is going to make one "technically up to speed"!? Give me a break, here! There is Knowledge and then there is KNOWLEDGE! The first is "book lernin'" and the second is experience - CISSP and a college curriculum is "book learning" and experience is just that - what you have acquired.

    All of the "so called" university experts, etc. who are decrying the "limitations of the CISSP" are now getting on the bandwagon because they realize as academia they have failed to educate the "college students" to meet the demands of the modern IT community. They are now trying to play catchup and they are chasing the "proverbial greed - money"!

  4. David Williams -- 15/05/03

    The CISSP is a measure of one's knowledge, just as a degree is a measure of one's knowledge. You do not sit the CISSP exam to learn something new... You take it to measure your abilities according to a standard. AND only after having met the requisite ethical, moral, and experience requirements. Go ahead Professor, berate my CISSP and develop your own security course. It will be outdated by the time next semester is upon us. Your students will have no real world experience. Does maintaining your degree require that you report your industry involvement or continuing education to maintain your status? The CISSP designation is not a "set it and forget it" award like many other certs. I have shared and learned much from my peers via the avenues ISC2 provides to communicate with other CISSPs. I've never been afforded that opportunity from ANY of my college courses. 99% of the information delivered in all technology related courses is outdated within months - We're in an industry where product/technology lifecycles are 6 to 24 months. ANY measure of security skills older than that is mostly useless. Hopefully you see how I might feel your academic approach falls short of the CISSP. Peace my friend - and teach them well, the world needs good security professionals - but don't try to belittle me or my colleagues in the process.

  5. Anonymous -- 16/05/03

    Academics ... It's all very well to criticise but there isn't any mention of the current alternative(s). Until there are alternatives, we need to do the best with what we've got. Down-playing CISSP without a replacement is very dangerous to the industry. Anyhow, what's any criticism worth without a solution? ... zip!

  6. Girard Moussa -- 08/11/03

    CISSP is not the end nor the beginning. It is another step in one's pursual of achievement. I have a BSc in Computer Science, certifications from Cisco and Checkpoint and over 3 years practical experience with security solutions. Therefore, the CISSP does help me as much as any university degree, since it is a world-wide recognized certification that has the depth and breadth of any university course.

    Therefore, like any other certification, if properly mixed with relevant experience, CISSP is a great ascertation of one's knowledge and commitment to self development and continuing the pursual of knowledge.

    Girard...

  7. Anonymous -- 23/12/04

    I obtained my CISSP one year ago. I have to say that I have broadened my knowledge and gone through the door of information system security through CISSP exam preparation. I may not be an expert in every area, but at least I have known that security covers a lot, and the direction whenever I need to gain the detailed knowledge. I have got my bachelor of E.E. and master of IT. But I believe that my CISSP knowledge is more useful for my work.
