Friday, June 20, 2008

CISSP is here to stay! Sorry, Dre.

Dre wrote an article in which he argued that the CISSP is on its way out. What he really argues is that a "generalist" Information Security position is no longer very important and that specialisation is the only way to go.

I disagree. I am a CISSP and an InfoSec "generalist", but that is not why I disagree.

I love it when I read a blog and then read another about a totally different topic that in some way relates to the first. The second blog I read today is Mr Andy, IT guy's blog. In his blog entry he complains, rather tongue in cheek, about how many meetings he attends.

While Andy and I are many miles apart, it amazes me just how similar our lives are and, yes, I also spend ages in meetings. On average I spend about 2 hours of my day not in meetings. And I love it. Every meeting I attend teaches me more about how the business I work for actually works. I also give my input and hopefully impress on everyone there just how important protecting information is.

Just like Andy, I was a techno geek until recently. I was a firewall specialist. A Check Point firewall specialist. I could read the pseudocode it would chuck out. I could edit the configuration with a text editor. I could read log files. I knew the system backwards. I am now employed by a company that doesn't even have a Check Point firewall. I have moved on to something totally different.

There is a need for people who can configure security devices, perform Active Directory magic, etc. Even guys who are experts in logs. But you certainly don't want these guys tied up in meetings the whole day. You want them working on the systems they know well.

You also want someone who can go to meetings and interface with the business. Someone who can make a risk decision, or at least knows who to speak to. This person must be technical but also able to chat formally and informally with business people, and must always be thinking about security. He must understand that meetings are not a waste of time but time spent educating the business about security.

It is my belief that this person is important not just for a large organisation like the one I work for; even a one-person shop should have one. Obviously, in that case a consultant should be used rather than a permanent employee, but it is important.

The person does not have to be a CISSP, but it is a good way to show that they are interested in an InfoSec career.

On a related note, I, like Andy, miss the technical side of InfoSec. But I also enjoy the ability to see my larger ideas implemented. I also enjoy selling InfoSec, something I am passionate about. In short, I enjoy my job and am happy I moved from being a techie to being an analyst. They are very, very different jobs. There are some people who may not be as happy as me. I know some: they are techies, they are really good at what they do, and they have no desire to move to anything else. They want to specialise. In South Africa, these people are not rewarded for their knowledge, and that is a problem because there is a need for the specialists. Hopefully, as demand increases and some techies shine, they will be rewarded.


dre said...

> What he really argues is that a "generalist" Information Security position is no longer very important, specialisation is the only way to go.

I totally didn't say that. I said the opposite.

Thanks for the other insights, though.

And CISSP is not here to stay. It's going to be replaced by the OWASP people certification. Read some of the comments and feel free to share more of your thoughts on our blog.

Anonymous said...
Great post. My thoughts closely follow yours.

I was thinking about this issue this weekend. I strongly agree that there is a need for both specialists and "generalists." Another way I like to think of an InfoSec generalist is as a translator. Business people often need someone to help them understand what the technologists are saying, and the technologists often need someone to help them understand what the business people are saying. Of course this is a very simplified analogy, but I think an important one.

Like you, my role at work is more of a generalist role and, like you, I spend a lot of time talking to people on both the technical side and the business side. I find my understanding of technical matters helps me make the specialists' concerns understandable for the business people and, likewise, my understanding of the business drivers helps me convey the business people's needs and concerns to the specialists.

Everybody's goal should be the same, which is to enable business with an acceptable level of risk. Sometimes we need a referee in the middle, and that usually seems to fall to those of us who call ourselves "generalists."

Kevin Riggins

Anonymous said...

I am Paul Fleischer-Djoleto, a Ghanaian analyst/programmer with 13 years' experience in the said domain. I will be sitting for the CISSP exams this October. I have been confused by the fact that I saw that the CISSP was not about specific vendor products. So I was always thinking of taking the CCNA after passing the CISSP to complement the CISSP.

After reading "CISSP is here to stay! Sorry, Dre." I have a clear scope of the nature and duties of what a CISSP will be doing at his workplace, that is, being more of an analyst than a techie. Now I know that I can work with the CISSP alone without the CCNA. Thanks for this.