I have been taking a bit of flak regarding my post comparing the CISSP to the GSEC. It’s been interpreted as negative towards the CISSP, which I suppose is fair to some degree. I find the prevailing argument put forth by Martin McKeay in support of the certification to be weak at best (essentially that GSEC is technical and CISSP is management), and I wanted to briefly refine my thoughts on the matter.

An Ideal World

I think we can all accept that a perfect certification would guarantee that a holder of said credential would be excellent for any information security role. We can also agree that no such certification is practical nor even possible. So given that constraint we are forced to create certifications that are focused in particular areas. So the GSEC is focused on the technical implementation side, and the CISSP is focused on the management side. Fair enough.

What I think is important to note, however, is that this doesn’t mean the GSEC doesn’t cover conceptual topics, nor that the CISSP doesn’t cover technical ones. In other words, even if a major certification is weighted in a certain area it doesn’t mean it’s not going to at least touch on the opposite end of the spectrum. So the question becomes one of simply deciding where the weight is — technical or conceptual.

My point is simple: it’s far more responsible for a low level certification not to cover upper-level concepts than it is for a higher level certification to not cover technical basics. I again point to the battle field. You don’t require infantrymen to know the basics of military strategy, but you do require generals to know the basics of soldiering.

A Knowledge Progression

Remember that this is why generals must move up the ranks. This is for the precise reason that strategic understanding is built upon the requisite practical knowledge gained in the lower ranks. Without this foundation a general may ask a soldier to drop a bomb on a target from 500 feet in the air, or ask a tank to sneak into an enemy building and conduct a room to room search. I’m exaggerating, but you get the point.

Upper echelon leaders must understand the capabilities of the entities they control before they can make sound strategic decisions. This applies equally to information security managers and military generals. The notion that in information security one can simply jump right into management without having at least a decent understanding of the moving parts (technology) is no less asinine then putting a private in charge of an army.

This is my argument against the CISSP’s history of being non-technical. More importantly it’s my argument against those who claim it’s permissible for it not to be technical because it’s a management certification. That makes it more important for an all-encompassing knowledge base to be tested, not less. And I think it’s clear that ISC2 knows this. That’s why they included all 10 domains.

They had the right idea — management certifications require holistic knowledge of the discipline, just as generals require a holistic understanding of warfare. This isn’t just the reason for the 10 domains, but also for the experience requirement — just like for the general. The analogy could not be more clear.

Conclusion

It’s simply absurd to claim that people in “management” roles don’t need to be versed in technology. Chefs learn about food. Architects learn about the structural integrity of their building materials. Physicists learn math. Why should information security experts not have to learn the building blocks of their discipline like everyone else?

And most importantly, technical managers need to speak technology at least to a level that prevents them from being seduced by salesmen and GUIs. Some may argue that this is the role of non-management engineers, but it’s a weak argument. They should supplement a manager’s technical knowledge, not represent the totality of it.

If the CISSP wishes to become a true test of leadership-level information security expertise it needs to be able to test for a higher level of technical knowledge. Not extreme — but higher.:

I say yes.

Martin McKeay from Network Security Blog disagrees. He writes:

I kind of like Daniel Miessler’s writing and think he has some good posts, but he totally misses the point of the CISSP when he complains about CISSPs who can’t program a home network. The CISSP isn’t aimed at testing someone’s ability to program their Linksys router, it’s aimed at testing someone’s ability to think about the philosophy of security.

Ok, here’s the thing: part of the CISSP is technical. They cover everything from trojans to encryption algorithms to covert channels. It’s just an overview, but it’s part of the CBK for a reason.

If the fundamental networking knowledge required to configure a Linksys router isn’t within a candidate’s grasp, then they shouldn’t be discussing security philosophy with anyone. As Martin points out, this is a management certification. Don’t we already have enough managers who learn big buzzwords like risk management and don’t know even the fundamentals of that which they are trying to protect?

Why do you think they teach generals how to fight and require them to move up the ranks before letting them command large armies? It’s because that knowledge of the lower-level capabilities is what offers the foundation for making sound decisions at the higher levels.

Think about the decisions that security managers are supposed to be making — how to implement a DMZ, host IPS vs. network IPS, DLP?, NAC?, how to publish information in a secure fashion within an extranet. Can one effectively make these decisions without basic networking knowledge? One can say, “secure that”, but if you don’t have any knowledge of what it entails then you’re not adding any value to the organization.

Quite simply, managers who don’t know the basics are dangerous. They have all the power and none of the knowledge. This combination leads to frustrated employees, poor policy making and negative outcomes for their organization.: