Healthy Paranoia Show 13: To CISSP, Or Not To CISSP

Welcome to another lofty episode of Healthy Paranoia, where we take on the profound problem of security certifications, specifically the Certified Information Systems Security Professional (CISSP). Joining Mrs. Y and Greg Ferro is an illustrious cast of infosec luminaries, including: well-known security analyst Wendy Nather, founder Grecs, IPv6 fanatic Joe Klein, and the enigmatic Jay James.

We cover topics such as:

  • Cert Junkies
  • How listening to this podcast will fulfill your CPE requirements
  • Cloud constipation and why Greg Ferro is like Roto-Rooter
  • That Richard Bejtlich's name should always be invoked in respectful, hushed tones (genuflection optional)

Show Notes:

The Post that started it all, “Going Paperless.”

A take on professionalizing security by Dave Shackleford with a response from @451’s Wendy Nather.

A post from Rich at Securosis, “Why I’m Not a CISSP.”

“Your CISSP is Worthless – So Now What?” by Dave Shackleford

“10 Reasons Why Security Professionals Get Hired”

“What makes a good information security professional?”

April Fool’s CNIP certification

DoD 8570

NSA National Centers of Academic Excellence

Mrs. Y
Mrs. Y is a recovering Unix engineer working in network security. Also the host of Healthy Paranoia and official nerd hunter. She likes long walks in hubsites, traveling to security conferences and spending time in the Bat Cave. Sincerely believes that every problem can be solved with a "for" loop. When not blogging or podcasting, can be found using up her 15 minutes in the Twittersphere or Google+ as @MrsYisWhy.
  • returnofthemus

    LOL, Good Gawd Greg, you truly surpassed yourself this time, as if Network Security is the be all and end all of Information Security. Let's face it, Cisco can't even get that one right, so it's hardly surprising so many CCIEs are walking around clueless on this issue. Remember Cisco's Self-Defending Network? Need I say more?

    Anyway, just thought I'd share this for those still interested in pursuing (ISC)²® certification. Wouldn't do Greg any harm to take a look either 😉

    (ISC)²®, CSA partner on new cloud security

  • Eric Hanselman

    An awesome intro! This needs to be acted out at a con somewhere.

    Greg’s point really seems to be the underlying issue. In comparing a CISSP to CCIE, the latter ultimately has a clear performance exam. The reference standard is whether the setup works with the specified Cisco gear. It’s like the VMware VCDX. For security, we don’t have a product suite that can serve as the altar on which we assess knowledge. Yes, knowing everything about Cisco means that one knows most of networking today, but it is still an implementation.

    While there are security implementations, there is still too much conceptual and perceptual skill in security. More specific and practical security certs seem to be the only path. That, of course, will lead to even greater proliferation of certs. And fewer ponytails.

    – A reluctant CISSP (borrowed from a bearded gent)