Obtaining the Brass Ring in Information Security - BETA VERSION

Many of my students state that their goal in taking our classes is to obtain the CISSP certification. The industry certification “Certified Information Systems Security Professional (CISSP)” is seen by many information security professionals as the gold standard of professional career certificates. Many of my students say their reason for seeking the CISSP is that they want to enter Information Security as a new career field in an increasingly challenging market for information technology professionals.

Because information security relates to protecting an organization’s assets, it is harder to outsource than operational-level functions. Established Information Technology professionals understand the criticality of IT in almost all organizational actions, from interpersonal communication to SCADA controls; however, they also recognize the push to reduce IT operational costs through Shared Services and consolidated Centers of Excellence. In a way, this current need to cut costs and overhead comes from the relative safety IT has enjoyed in the past. There was a time of large initiatives such as the Y2K mitigation efforts, or of the fundamental business strategies that fueled the DotCom boom, when a website or a public email contact could influence an organization’s success in an expanding global market for its services.

Information Technology’s need for skilled labor ensured jobs in IT while all other industries were suffering the current economic downturn resulting from the same globalization of the workforce. Organizations can choose to have their work performed in particular locations, enjoying lower wages or reduced safety requirements, driving increased profits at the expense of employment for relatively skilled workers. Because Information Technology has yet to reach full maturity, transformations occur regularly, with distributed computing, virtualization, VoIP, mobile networking and Cloud computing being the most recent examples of our desire for “all data, anywhere, all the time.” In every book I have written, I always note that Information Technology encompasses a range of skills in which The Only Constant is Change! Whatever the current range is today, the only guarantee for tomorrow is that it will include something else that has evolved from the current options.

With technologies such as expert systems (artificial intelligence) and robotics expanding in their independent capabilities, automation displaces an increasing spectrum of employment tasks, from human stenographers to mechanical tooling specialists and even agricultural harvesters. Medical robots allow a single surgeon to attend to multiple patients in the time that once required multiple skilled practitioners, while 3D printing may soon displace traditional trades-craft workers in the construction, food preparation, manufacturing and transportation trades. In the midst of this chaotic restructuring from human labor towards automation, information security attracts IT professionals as a last bastion “safe” from the outsourcing and transformation wave sweeping the globe. The increasing sophistication of today’s workers, who possess personal computers at home and software on their phones, has eliminated many of the early IT skilled trades; hence those who look for the next opportunity are turning their eyes towards one of the few remaining protected avenues in which to practice their trade and expand their established expertise – Information Security.

A quick search on any of the job sites identifies the CISSP as a mandate across many different sub-specializations in this trade, so many set it as their goal in order to “enter the trade” of Information Security, even though the CISSP was actually designed on the basis of older guild-practitioner employment models like those of skilled tradesmen in electricity, HVAC, or plumbing. Critics of the CISSP certification are easy to find, because its value is often measured as if it were a “super Security+,” to use CompTIA’s entry-level vendor-neutral security certification as an example. Many of my Security+ students will later join my CISSP classes with that very expectation – as if one were simply an expanded version of the other.

Even requirements such as the DOD directive 8570-01m designate certifications that match different operational specialties in the Information Awareness Technician (IAT) or Information Assurance Manager (IAM) requirements, with the Security+ covering Level 1 requirements for IAM and Level 2 for IAT positions, while the CISSP supports up to Level 3 (the highest level) for both IAT and IAM positions. From the flowcharts of the directive, this makes (ISC)2’s CISSP, and others like the CISA or CISM from ISACA, appear to be simply the next step up from lower-level certifications. However, the CISSP is not a gold star admitting you to the next level of employment on the basis of an expanded or even new skill set in comparison to entry-level certifications, because the same Information Security “C-I-A Triad” forms the basis for both. At its root, Information Security relies on protecting three aspects of data: Confidentiality (only authorized access), Integrity (only authorized changes), and Availability (ready when an authorized access is attempted). True, the practitioner will need a broader skill set to carry out their job tasks as they progress in their profession, but the foundation remains the same.

Even the CISSP itself has follow-on certifications that can be obtained to address a particular focus in professional development, like the Information Systems Security Architecture Professional (CISSP-ISSAP), Information Systems Security Engineering Professional (CISSP-ISSEP), or the Information Systems Security Management Professional (CISSP-ISSMP), but these upgrades lack the appeal that the CISSP itself holds. Checks on job sites like Monster.com or The Ladders show plenty of jobs that list the CISSP as an employment requirement or as a preference for selection, while the others are seen far less often. Interestingly, the CISSP is often seen on postings that are not Information Security focused, like IT Director, Enterprise Architect and even some CIO positions. This general value is what people are chasing when they set the CISSP as their goal in professional development, without understanding why this apparent “super Security+” designation is rated as it is.

In fact, some practitioners argue very strongly against earning the CISSP designation, like the discussion at 2012’s Black Hat InfoSec conference called “Why you should not get a CISSP.” These claims typically treat the CISSP as if it were an expanded entry-level certification, rather than what its obvious employment benefit indicates. Complaints are made that the CISSP’s scope is too broad (often described as “an inch deep, a mile wide”), even though many organizations around the world depend on legacy networks and servers designed when the 8086 chip was the height of computing power. The “aging” Common Body of Knowledge (CBK) on which the exam is based is currently in its third major revision, and its content is updated annually because both attack forms and defensive measures are in an almost constant state of evolution. Preparing for the CISSP exam is like trying to prepare for a dissertation defense across all aspects of security in all environments that could still be found in use – and questions can even come from recent events in the news, so a practitioner must be up to date on emergent issues when they step into the testing environment.

In order to obtain a CISSP, knowledge alone is not the ticket – passing the exam (700/1000) by itself is not actually the gateway to this prize. As in older trades, obtaining the CISSP designation also requires documented experience covering 5 years of work in at least two of the Ten Domains of Information Security (the areas of the CBK), as well as an endorsement from another CISSP. People taking a Boot Camp or studying test-preparation resources often find themselves equipped only with the Associate of (ISC)2 for CISSP, which is not particularly valued in employment unless a hiring officer accepts it in lieu of an actual CISSP while you accumulate the necessary time in the field and impress another CISSP holder with your knowledge and successes enough to obtain their endorsement.

This is the way of many trade guilds, where experience gained during the process of advancement as an Apprentice and Journeyman eventually earns the designation of trade Mastery, after other tradesmen accord their recommendation of your skills and knowledge. This process is what sets the CISSP apart from other professional certifications: it does not introduce a new skill set that you will bring to your employer once assimilated, but instead identifies a general skill set of trade-craft and a personal achievement in your career that has been verified and recommended by at least one other Master of the trade. Holding a CISSP will neither automatically make you a better CIO, nor allow you to brandish the power of certification and banish all hackers from your organization’s network boundaries; it does, however, allow you to leave your mark upon information security through many different techniques and technologies. It helps you to understand the types of needs that must be addressed when the next form of malware is released and disaster recovery (DR) needs to be implemented.

The CISSP is not a “gold star” to demonstrate your perfect attendance in school; it is instead a “brass ring” to be reached for throughout your career. Back in the early 20th century, public carousels were a very popular form of entertainment. The outer ring of horses did not move like their inner companions, which is why riders there were offered another task – to catch rings held out at the edge of the carousel. Most were just for fun, but a few brass rings allowed the winners to take a free ride or claim another desirable reward. The “brass ring” has come to stand for “reaching towards the greatest goal,” and the CISSP has become that goal in the Information Security arena. Those who gain the designation find hiring preferences and requirements falling aside in their search for a job amidst an increasingly hostile hiring environment. At the same time, the requirements for ethical conduct and continued professional development (at least 120 CPEs every 3 years, with at least 20 per year) ensure that the value ascribed to these masters of their field will be kept up to date to address emerging threats to our interconnected global network.

Critics aside, those who understand the value of mastery in their trade can reach for this brass ring and wield their professional designation for the development of their employer and, in turn, of other IT professionals. The guild system may seem outdated in today’s world, but as with other skilled trades, the value here can be measured, and it is being weighed accordingly in today’s job market. If you want to excel, then pursue this as a mark of Mastery in our trade!

May 2, 2014

© HAKIN9 MEDIA SP. Z O.O. SP. K. 2013