IT certifications in general, and the CISSP in particular, are discussed in numerous blogs and articles (e.g. http://securecyber.blogspot.com). This certification has become a de facto standard for the Information Security field, in the same way that the MCSE became a standard for Microsoft certified professionals.
I don’t want to speculate or repeat the widely expressed statements about the value of the CISSP certification. I will just share my experience with it.
The main difference is that a CISSP-certified professional is not necessarily the person who can configure a firewall. We are talking about security standards, policies, risk management, cryptography, etc. It’s not a certification of hands-on expertise but rather of general knowledge of the entire security industry (2 miles wide and 2 inches deep).
While I have about 8 years of hands-on experience in IT security (firewalls, IDS, UNIX, Win2003 security, PKI, secure desktop), I found that with my CISSP I cannot find an appropriate job – my certification is not enough! To be exact, my particular security skills do not match most of the job positions where the CISSP is required. In addition to the CISSP, most employers are asking for 2-3 years of experience working with policies, NIST and other standards, or the same number of years as an auditor or risk model investigator/designer.
Yes, this certification is highly respected. Yes, it’s a valuable addition to your resume IF and only IF you have been working not as a hands-on security professional but rather as a manager or auditor. If you hear other opinions that contradict mine, think again. Since March 2007, I have not found even one position in the Baltimore, MD area where this certification would fit, taking into account my skills.
I am not hugely upset, however. While preparing for the exam, I expanded my horizons, learned many new topics, and became more well-rounded. In addition, I have the same level of expert knowledge in web design and the LAN/WAN area, so I have a place to apply my skills. But my 4 months of effort to become a CISSP have not paid off as I expected and as is described on the web.
(ISC)2 successfully marketed the CISSP certification to the degree that the DoD made this cert a requirement for those who protect DoD networks. I’d say that the value is slowly growing (at least in line with the marketing efforts), but it does not bring the results you may expect…