The good news for me this last week was that I eventually took the CISSP exam and passed. I was obviously pleased and relieved, and I am currently going through the endorsement process. Despite the drubbing that the CISSP as a certification has taken over the last year or so, I have to admit that on the whole I was impressed with the depth and breadth of the subjects covered.
Of course the caveat to this is that I say this on the basis that the CISSP is an information security certification, not an IT security certification. There is plenty of content about fire extinguishers, foot-candle illumination of parking areas or even the legal constraints of transferring information outside of the EEA, all of which are important to my mind when taking into account the broader concepts of information security (especially when considering the Confidentiality, Integrity & Availability triangle). Much of the criticism I observed was around the relevance of topics like my previous three examples to IT security, to which I reply “It’s not”. There are sections that focus on these areas, but they quite rightfully don’t dominate the subject matter.
That said, there were areas that I thought were woefully underrepresented in the reference material that I used. For instance, I disagreed with the definition of ISO 27001 versus ISO 27002, their definition of an adequate security measure for WEP (hiding the SSID… really?) and other small points. I was however revising against the 2nd edition CBK, which has now been updated to the third edition, so perhaps there have been updates in some of these areas.
The other area I struggled with was the relevance of some of the information required for the exam: the level of detail required in areas like security architecture for models that actually aren’t in use any more, or encryption techniques, or even the finalists in the competition to decide what encryption method to use in what ultimately became AES… over twenty years ago! None of this is going to be useful to me in my day-to-day job at all.
But again, overall it really made me think about my “craft” and I have found it beneficial. There was an element of me taking this exam as a box-ticking exercise given my current role, but this was mainly because I came to infosec quite late in my career and there were questions being asked as to why I didn’t have this qualification. It made sense to get it done now and out of the way, as it were, and add it to my CISM and CGEIT (and MBCS CITP… at this rate my business cards are going to have to be very wide).
The big question for me now though is what’s next? CRISC or the CIPP/E? Risk or Privacy?