Saturday, December 31, 2011

what my cissp means to me

I've had my CISSP for six and a half years. I would have had it before that, but I couldn't really afford study materials and the test. When the company I was working for in 2005 offered to pay for it, I got it pretty much immediately.

While on the one hand, it's great that my company was willing to pay for it, it was also a bad thing because it signalled a trend. When a certification is necessary to obtain or retain a job, the idea is supposed to be that the people who hold that job are the best and brightest, but what it really means is the opposite, and the certification becomes devalued. When I got my MCP in networking back in 2000, it was the furthest I wanted to go, because Microsoft certification had become a joke. Now the same is happening with the CISSP. A lot of people say it's already happened.

When I took the CISSP exam in April of 2005, I had just finished a week-long bootcamp, also paid for by my company. I don't want to say that the bootcamp didn't teach me anything I didn't already know, but I will say that there was nothing that I didn't know at least something about. For instance, I learned things about encryption that I hadn't known before, but I'd certainly known the base concepts and wasn't "lost" like a lot of the other people in my class. I was pretty sure that I would pass the exam because I had the requisite 10 years' experience in Infosec already.

That said, walking out of the exam, I wasn't sure I had passed. I wasn't the first person to leave but I left a lot of other people in there. I was very hopeful, but I honestly had no idea how I had done. I hear this happens a lot. I'd been sitting in an uncomfortable chair all week, and I don't test well (which is part of the reason why I don't have a whole STRING of certs), but I was hopeful.

I was elated to find I had passed. A lot of other people who took the boot camp with me -- including another person from my company -- did not pass at their first sitting. Some of them subsequently went on to get their CISSPs later. Some of them left Infosec. I was glad that part was over, but harder than taking the test was finding a sponsor. It's not that nobody would sponsor me; it's that I took the certification seriously and wanted someone who actually knew my work to endorse my certification. I eventually asked a representative from one of my company's customers, a person with whom I'd worked extensively. Neither of us has ever had cause to regret that decision.

As I say, I take my certification very seriously. As someone who is largely self-taught -- meaning not that other people didn't help to teach or mentor me but that I was not spoon-fed my knowledge, choosing to actively pursue my IT education through nontraditional means -- I am deeply grateful to have that certification and spend a good deal of my time continuing to educate myself. Unfortunately, the more I know, the more I realize I don't know. But that also gives me hope, because I've never believed that there's such a thing as an expert in any field. In fact, if one of my esteemed colleagues -- most of whom are men -- calls himself an "expert", that's a pretty good indication he's not. (It's okay if someone else says it. Just, really...sooo tacky to say it about yourself. Just sayin'.)

I take it seriously, but I've watched it become devalued. For instance, the DoD mandates that IT personnel of a certain level have or obtain a CISSP, including military personnel who are assigned to IT jobs. Well, uh, great, except that I can personally state that some of those personnel have no idea what they're talking about when it comes to IT in general and Infosec in specific. Since they can't exactly be fired (or, not easily) from their jobs for not passing the exam, it follows that the exam must be rendered passable for them, i.e. through extra coaching etc. Basically, in the end, there are a lot of people who have CISSPs who have no real interest or aptitude for Infosec -- never mind the passion that I and a lot of other "older" CISSPs bring to the mix. It's become just another checkbox, like old technology. I see people disparage the cert every day now.

A side effect of all this is that the assumption is often made that if you have a CISSP but a) no other certs or b) someone doesn't personally know your work, you're a newbie and nothing you say is meaningful or relevant. I've been treated this way several times by some of my esteemed colleagues who assume that I'm one of these newly-minted CISSPs who got handed the cert instead of earning it. And really, what can I say? I'm not one of the "old salts" in this business, as some of them are. But at the same time, I'm not one of the newly-minted CISSPs currently rolling off the assembly line. I've been "doing Infosec" since before it became trendy, and I'm certainly passionate about it. I have paid -- and continue to pay -- my dues.

My certification continues, and will continue, to mean a lot to me, regardless of what other people think. I may be the manic pixie dream girl of the Infosec community, but I'm here to stay...and so is my certification.
