I say yes.

Martin McKeay from Network Security Blog disagrees. He writes:

I kind of like Daniel Miessler’s writing and think he has some good posts, but he totally misses the point of the CISSP when he complains about CISSPs who can’t program a home network. The CISSP isn’t aimed at testing someone’s ability to program their Linksys router, it’s aimed at testing someone’s ability to think about the philosophy of security.

Ok, here’s the thing: part of the CISSP is technical. They cover everything from trojans to encryption algorithms to covert channels. It’s just an overview, but it’s part of the CBK for a reason.

If the fundamental networking knowledge required to configure a Linksys router isn’t within a candidate’s grasp, then they shouldn’t be discussing security philosophy with anyone. As Martin points out, this is a management certification. Don’t we already have enough managers who learn big buzzwords like risk management and don’t know even the fundamentals of that which they are trying to protect?

Why do you think they teach generals how to fight and require them to move up the ranks before letting them command large armies? It’s because that knowledge of the lower-level capabilities is what offers the foundation for making sound decisions at the higher levels.

Think about the decisions that security managers are supposed to be making — how to implement a DMZ, host IPS vs. network IPS, DLP?, NAC?, how to publish information in a secure fashion within an extranet. Can one effectively make these decisions without basic networking knowledge? One can say, “secure that”, but if you don’t have any knowledge of what it entails then you’re not adding any value to the organization.

Quite simply, managers who don’t know the basics are dangerous. They have all the power and none of the knowledge. This combination leads to frustrated employees, poor policy making and negative outcomes for their organization.:

p style=”text-align: center”> aotmp.com

I’ve had some discussions about how the GIAC GSEC credential compares to the CISSP in terms of difficulty and respectability. Here is one such discussion from a forum I frequent.:

The main reason the CISSP in more respected is because of the standards the ISC2 has established, such as proving the identification of the applicant, verifying they meet the experience requirements, and the way the exam is hosted.

That definitely earns the exam some respect, to be sure, but keep in mind that the first time pass rate is over 70%.

I would give you this analogy: The CISSP is like taking the SAT’s You walk into a room with just a pencil and take a 6hr, 250 question exam that many of the times has more than 1 right answer but you have to draw on your experience to determine which one is “more right” The GSEC is like creating and turning in an Essay and taking an open book test.

Ok, let me put it this way, which of those two scenarios do you think represents reality in the infosec world? Cramming facts and regurgitating them via #2 pencil, or dealing with harder, more technical questions with access to any book and any search engine you want?

It’s the latter.

That’s what problem-solving is — you have Google, you have the text books, you have anything you want. That doesn’t make complex problems easy, it just makes them possible. That’s how the real world works.

Put it this way, I’d be willing to bet that 50% of all CISSPs don’t know what netcat is. What does that say about their infosec skills? What percentage of GSEC holders know what it is? Probably 99%.

Don’t confuse world-wide acceptance with proof of superiority. CISSP is standard, it requires experience, and it’s got a good, broad base of questions, but it’s the kind of test people cram for, pass, and then forget the material it was made up of. That’s not a good measure of a dedicated, technical infosec professional; it’s more a measure of someone who takes their career seriously and knows how to study.

I’ve met CISSPs who can’t configure a home network — no joke. Again, I studied for it and passed it in one week’s time, and that’s with zero previous study of the test materials.

More than I can a test that has a 70% first-time-pass rate that’s explicitly designed for managers and non-technical types. It’s for a wide, wide base of knowledge – not for testing whether or not you’d be qualified to actually do anything.

Don’t get me wrong, if you are going to do one first, or only one of the two, I’d say get the CISSP. It’s more recognized and more respected than any other cert out there. All I am saying is that you shouldn’t confuse this with its difficulty. Almost nobody knows anything about the GSE certification either, but the two PhDs that have it said it was harder to get than their degrees.

I think after you have both you may see it more the way I do. I’d hire a GSEC holder to do some security on a network with significantly less reservation, whereas a CISSP-holder would have to go through the same sorts of checks that someone with nothing more than a 4-year degree would. Just because they can study and take themselves seriously doesn’t mean they know or love their discipline.:

Question 1: Using the space provided, write an improved implementation of a UDP checksum calculation in binary. (Note: the use of the 1 and 0 keys are not allowed) Question 2: Stand up and run as fast as you can into the nearest wall. Get up and come back to resume your exam.

…and those were just the warmup questions… Nah, but seriously. Very hard test. This one I’m proud to have…

I have over 90 hours (from a “regular” school) and all I lack is some core, but despite my now excellent CV I still feel the pang of inadequacy due to not having finished my degree. So I’m considering once again doing something about it — sooner rather than later. I’ve always known I am going to finish before moving into management at around 40, but maybe I can do it earlier — online.

I’m considering University of Phoenix Online, which seems to be the premier option, but I still have some negative thoughts about the whole online thing. I wonder if others will feel the same way, e.g. hiring managers, peers, etc., or if it ultimately won’t matter. At this point I almost think the BS degree is a “check the box” issue more than anything else. You either have one or you don’t.

The program I’m looking at actually seems pretty cool; it’s a bachelor of science in information security:

Bachelor of Science in Information Technology/Information System Security

So what are your thoughts on the matter. Do I ruin my reputation by having one of these degrees? Or is it a “just get one” scenario where all that matters is that it’s an accredited school?

Any input would be appreciated…

The next one is noticeably harder, though. It’s more on snort and IDS than general TCP/IP knowledge. In my opinion, it’s the “real” test of the two. I’m confident, however, as I just did a practice test for it and passed (not by much) without using any resources…

Yeah, feelin’ good…

I’ve had to put forth relatively little effort to get the certifications I have thus far, but I’m thinking this one’s going to be different. This one is the first that’s supposed to represent actual expertise, as opposed to just familiarity.

Anyway, If you see me posting about being the latest GCIA-certified mofo in town, you’ll know I passed. If you hear nothing at all…that means it didn’t go so well. Here’s to hoping it’ll be the former…

LINK: A Guide To Information Security Certifications

This wouldn’t be so bad, but I honestly have not started studying yet. I have the Exam Cram 2 Book to study from, and I can only hope that it’s enough.

Well, wish me luck. And if any of you out there have any advice (other than “start studying earlier, idiot”), I’d love to hear it.

The main reason the CISSP in more respected is because of the standards the ISC2 has established, such as proving the identification of the applicant, verifying they meet the experience requirements, and the way the exam is hosted.

That definitely earns the exam some respect, to be sure, but keep in mind that the first time pass rate is over 70%.

I would give you this analogy: The CISSP is like taking the SAT’s You walk into a room with just a pencil and take a 6hr, 250 question exam that many of the times has more than 1 right answer but you have to draw on your experience to determine which one is “more right” The GSEC is like creating and turning in an Essay and taking an open book test.

Ok, let me put it this way, which of those two scenarios do you think represents reality in the infosec world? Cramming facts and regurgitating them via #2 pencil, or dealing with harder, more technical questions with access to any book and any search engine you want?

It’s the latter.

That’s what problem-solving is — you have Google, you have the text books, you have anything you want. That doesn’t make complex problems easy, it just makes them possible. That’s how the real world works.

Put it this way, I’d be willing to bet that 50% of all CISSPs don’t know what netcat is. What does that say about their infosec skills? What percentage of GSEC holders know what it is? Probably 99%.

Don’t confuse world-wide acceptance with proof of superiority. CISSP is standard, it requires experience, and it’s got a good, broad base of questions, but it’s the kind of test people cram for, pass, and then forget the material it was made up of. That’s not a good measure of a dedicated, technical infosec professional; it’s more a measure of someone who takes their career seriously and knows how to study.

I’ve met CISSPs who can’t configure a home network — no joke. Again, I studied for it and passed it in one week’s time, and that’s with zero previous study of the test materials.

More than I can a test that has a 70% first-time-pass rate that’s explicitly designed for managers and non-technical types. It’s for a wide, wide base of knowledge – not for testing whether or not you’d be qualified to actually do anything.

Don’t get me wrong, if you are going to do one first, or only one of the two, I’d say to get the CISSP. It’s more recognized and more respected than any other cert out there. All I am saying is that you shouldn’t confuse this with its difficulty. Almost nobody knows anything about the GSE certification either, but the two PhDs that have it said it was harder to get than their degrees.

I think after you have both you may see it more the way I do. It’s almost as simple as academic vs. hands-on, or birds-eye-view vs. in-the-trenches. I’d hire a GSEC holder to do some security on a network with significantly less reservation, whereas a CISSP-holder would have to go through the same sorts of checks that someone with nothing more than a 4-year degree would. Just because they can study and take themselves seriously doesn’t mean they know or love their discipline.: