CISSPs should know basic networking
Daniel posted an opinion on whether CISSPs should know basic technical skills such as networking. This has been a debate for some time. Some people feel that most CISSPs use their cert for management only. Some say that it is used for gaining a leg up in the security field and getting that golden job. I know several people that have their CISSP and they run the gamut from technical to non-technical. In my opinion every CISSP should have at least a cursory level of understanding about technical issues.
I have seen many people with the CISSP that could not configure a home router, and when they got into a meeting they could not tell if the wool was being pulled over their eyes by more technical people. This can be very bad for the company they represent. If it is your job to mitigate risk for your company you must understand the risks that each technical decision poses.
The bottom line is that we are supposed to be security experts. And as experts we should at least know the basics of any technical topic that could pose a security risk to our companies. I have said it once and I will say it again. Security is not a business-preventing function, but a business-enabling one. We enable business by eliminating or reducing risk to an acceptable level. How can you know what that level is if you do not understand the basics of the topic?
Wot about riting skillz?
“weather, there, gambit” ne “whether, their, gamut”
Guess I should not post while half asleep. But yeah I will correct.
I had a CISSP - let it lapse because it didn’t impress me. Most good security people that I’ve run into discount it or consider it a negative after having dealt with too many people who hold the certificate but lack basic skills.
My reasons for getting the certificate are a bit odd. At the time, many companies were posting jobs and listing CISSP as a requirement. I wanted to know if these were the kinds of places that I wanted to work. I bought a book, skimmed over the parts I wasn’t comfortable with for about 4 hours and went to take the test. I walked out of the test after 2:05 thinking it was too easy and after a couple of weeks, found out that I had passed.
Discussions with other test takers at the site before the exam led me to believe that they were in various managerial roles and their employer had paid for them to take the boot camp. None struck me as well versed on technical issues.
For a certification that is supposed to be a strong indicator of someone’s security knowledge and background, it struck me as a bit weak.
Maybe one of these days I’ll check out the GIAC or something. I hear that one is better.
I fired my first CCIE the other day…
…this will happen whenever one does not keep up with the latest, as well as retain the basics.