<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments on: Books</title>
	<atom:link href="http://zaph.com/blog/?feed=rss2&#038;page_id=5" rel="self" type="application/rss+xml" />
	<link>http://zaph.com/blog</link>
	<description>All About Code</description>
	<lastBuildDate>Sun, 29 Nov 2015 01:19:48 +0000</lastBuildDate>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
	<item>
		<title>By: Sudheesh</title>
		<link>http://zaph.com/blog/?page_id=5#comment-129</link>
		<dc:creator>Sudheesh</dc:creator>
		<pubDate>Sun, 29 Nov 2015 01:06:50 +0000</pubDate>
		<guid isPermaLink="false">http://zaph.com/blog/?page_id=5#comment-129</guid>
		<description>Having a CISSP certification is more than an HR thing. As mentioned, it&#039;s not about technical skills and merit. It&#039;s about having a professional understanding of the 10 bodies of knowledge and being able to apply that thinking in an infosec kind of way. It is purposefully &quot;an inch deep, and a mile wide&quot; for a reason. In the realm of information security, before we even THINK about technical safeguards we have to understand the real problems. The real risks. The real threats. The biggest failure in the industry right now is having geeks think they are information security professionals. It is rather sad to see a person with an A+ Security cert or Cisco Security cert try to sit around a table and talk about applying qualitative risk analysis to determine what assets need to be protected, and to what degree. They fail miserably because they were taught that security was a technical problem, and not a business one. Big mistake there. I always look at it like this. A CSO/CISO/security consultant would have a CISSP. The people that report to him and apply the technical safeguards to meet corporate security policies would have a SANS GIAC or something similar. Is the CISSP a good cert to have? Absolutely. It means you have a good understanding of the 10 bodies of knowledge and can have a competent conversation with other infosec pros in the process of doing your job function. And if you take the certification seriously, it also shows that you follow a code of ethics in how you conduct yourself and your work in the field. I really wish security vendors would have more CISSP... then we wouldn&#039;t see so much FUD being spread around. Is the CISSP essential to show your &#039;leet Snort skills? Absolutely not. But it wasn&#039;t designed for that.
Combining a cert to show you understand deeper, more important infosec principles and practices (i.e., CISSP) with a technical cert like GIAC gives you the breadth of knowledge needed to be an infosec pro in this day and age. I don&#039;t think you are giving yourself the credit you deserve. The security principles and practices that you learned and had reinforced are now part of you. It can&#039;t be taken away. And that might be why you look back and think it doesn&#039;t echo your views on how security principles should be taught. I have no idea of your full background, but if you are like most, the CISSP looks trivial NOW because you already went through it. A combination of real world experience and the 10 CBK have given you a stronger foundation than most people in the field. Don&#039;t give up on it so quickly. Renew.</description>
		<content:encoded><![CDATA[<p>Having a CISSP certification is more than an HR thing. As mentioned, it&#8217;s not about technical skills and merit. It&#8217;s about having a professional understanding of the 10 bodies of knowledge and being able to apply that thinking in an infosec kind of way. It is purposefully &#8220;an inch deep, and a mile wide&#8221; for a reason. In the realm of information security, before we even THINK about technical safeguards we have to understand the real problems. The real risks. The real threats. The biggest failure in the industry right now is having geeks think they are information security professionals. It is rather sad to see a person with an A+ Security cert or Cisco Security cert try to sit around a table and talk about applying qualitative risk analysis to determine what assets need to be protected, and to what degree. They fail miserably because they were taught that security was a technical problem, and not a business one. Big mistake there. I always look at it like this. A CSO/CISO/security consultant would have a CISSP. The people that report to him and apply the technical safeguards to meet corporate security policies would have a SANS GIAC or something similar. Is the CISSP a good cert to have? Absolutely. It means you have a good understanding of the 10 bodies of knowledge and can have a competent conversation with other infosec pros in the process of doing your job function. And if you take the certification seriously, it also shows that you follow a code of ethics in how you conduct yourself and your work in the field. I really wish security vendors would have more CISSP&#8230; then we wouldn&#8217;t see so much FUD being spread around. Is the CISSP essential to show your &#8216;leet Snort skills? Absolutely not. But it wasn&#8217;t designed for that.
Combining a cert to show you understand deeper, more important infosec principles and practices (i.e., CISSP) with a technical cert like GIAC gives you the breadth of knowledge needed to be an infosec pro in this day and age. I don&#8217;t think you are giving yourself the credit you deserve. The security principles and practices that you learned and had reinforced are now part of you. It can&#8217;t be taken away. And that might be why you look back and think it doesn&#8217;t echo your views on how security principles should be taught. I have no idea of your full background, but if you are like most, the CISSP looks trivial NOW because you already went through it. A combination of real world experience and the 10 CBK have given you a stronger foundation than most people in the field. Don&#8217;t give up on it so quickly. Renew.</p>
]]></content:encoded>
	</item>
</channel>
</rss>
