CISSP - A Certified Waste of Time

In which your intrepid columnist hands over $450 to sit for the CISSP exam, only to conclude that it measures little of value.

By Jon Lasser

Mar 13 2002 8:07AM PT

This past Saturday, I felt like I was seventeen again. And, at least in this case, that's not a good thing.

For more than three hours, I filled in little bubbles with a number two pencil and gnawed nervously at my fingernails. I was taking the CISSP certification exam, from the (ISC)^2 . (That's pronounced "ISC Squared," if you're curious, and it stands for International Information Systems Security Certification Consortium. CISSP stands for Certified Information Systems Security Professional)

While I would guess that I passed the exam (I'll find out in a few weeks), overall I was not impressed. If you want a test that proves that the taker has absorbed a large body of largely meaningless and mostly irrelevant data, this does the trick.

The test consists of 250 multiple-choice questions (twenty-five of which are being tested for future exams, and are not scored) taken from ten "security domains," that collective form what the organization calls the "Common Body of Knowledge" (CBK) -- a very broad, but very shallow, overview of computer security that the (ISC)^2 Web site claims "is a compilation and distillation of all security information collected of relevance to Information Security."

That's quite a tall order. But even if all security information could be distilled into a body of facts, it would be of use to almost nobody.

And that's the problem with the CISSP test. The facts on the exam are the wrong sorts of facts: things that should be looked up in books when necessary, because they're not relevant on a day-to-day basis. If I need to know how many rounds are used by the DES cipher, I can look it up. 'A truly meaningful certification would be more specific, concentrating on a single job function or area.'


main page ATTRITION feedback