Why CISSPs DO Need to Be Decently Versed in Technology


I have been taking a bit of flak regarding my post comparing the CISSP to the GSEC. It’s been interpreted as negative towards the CISSP, which I suppose is fair to some degree. I find the prevailing argument put forth by Martin McKeay in support of the certification to be weak at best (essentially that GSEC is technical and CISSP is management), and I wanted to briefly refine my thoughts on the matter.

An Ideal World

I think we can all accept that a perfect certification would guarantee that a holder of said credential would be excellent for any information security role. We can also agree that no such certification is practical nor even possible. So given that constraint we are forced to create certifications that are focused in particular areas. So the GSEC is focused on the technical implementation side, and the CISSP is focused on the management side. Fair enough.

What I think is important to note, however, is that this doesn’t mean the GSEC doesn’t cover conceptual topics, nor that the CISSP doesn’t cover technical ones. In other words, even if a major certification is weighted in a certain area it doesn’t mean it’s not going to at least touch on the opposite end of the spectrum. So the question becomes one of simply deciding where the weight is — technical or conceptual.

My point is simple: it’s far more responsible for a low-level certification not to cover upper-level concepts than it is for a higher-level certification not to cover technical basics. I again point to the battlefield. You don’t require infantrymen to know the basics of military strategy, but you do require generals to know the basics of soldiering.

A Knowledge Progression

Remember that this is why generals must move up the ranks: strategic understanding is built upon the requisite practical knowledge gained in the lower ranks. Without this foundation a general may ask a soldier to drop a bomb on a target from 500 feet in the air, or ask a tank to sneak into an enemy building and conduct a room-to-room search. I’m exaggerating, but you get the point.

Upper-echelon leaders must understand the capabilities of the entities they control before they can make sound strategic decisions. This applies equally to information security managers and military generals. The notion that in information security one can simply jump right into management without having at least a decent understanding of the moving parts (technology) is no less asinine than putting a private in charge of an army.

This is my argument against the CISSP’s history of being non-technical. More importantly it’s my argument against those who claim it’s permissible for it not to be technical because it’s a management certification. That makes it more important for an all-encompassing knowledge base to be tested, not less. And I think it’s clear that ISC2 knows this. That’s why they included all 10 domains.

They had the right idea — management certifications require holistic knowledge of the discipline, just as generals require a holistic understanding of warfare. This isn’t just the reason for the 10 domains, but also for the experience requirement — just like for the general. The analogy could not be more clear.

Conclusion

It’s simply absurd to claim that people in “management” roles don’t need to be versed in technology. Chefs learn about food. Architects learn about the structural integrity of their building materials. Physicists learn math. Why should information security experts not have to learn the building blocks of their discipline like everyone else?

And most importantly, technical managers need to speak technology at least to a level that prevents them from being seduced by salesmen and GUIs. Some may argue that this is the role of non-management engineers, but it’s a weak argument. They should supplement a manager’s technical knowledge, not represent the totality of it.

If the CISSP wishes to become a true test of leadership-level information security expertise, it needs to be able to test for a higher level of technical knowledge. Not extreme — but higher.
