Friday, March 26, 2010

Wheeee!!!

I'm a CISSP!!!!


For you laypeople...that expands to Certified Information Systems Security Professional.

As I've already mentioned in other fora, several days ago I received the actual piece of paper, complete with gold embossing. Has my name on it, and everything! And I got the lapel pin, too!

What the certification means is that I can now claim to any potential employers or project owners that (1) I passed a rather annoying 6-hour exam on ten "domains" (areas) of Information Security and (2) over the course of my career I've had at least 4 years of experience in at least two of those domains (in my case those would be Access Control, Operations Security, Application Security and Information Security and Risk Management) and (3) an existing CISSP vouches for (2) and that I'm of good character and that I'm competent. (Vampire kind of thing going on there. One has to wonder who "made" the first CISSP, but I digress). Surprisingly, having a certificate to these three claims appears to be a requirement for many jobs and participation on many projects.

The exam was truly annoying, and in my opinion, sometimes more an exercise in parsing English carefully than a technical exam. But studying for it was definitely a useful, if somewhat frustrating, experience. The exam is "managerial" level (as most training materials will emphasize), also commonly called a mile wide and an inch deep. The content is sometimes poorly defined, contradictory, arbitrary, and focuses on some trivia that is easy to test but almost irrelevant to realistic modern threats (e.g. the infamous Smurf attack -- bet you never thought you'd hear me talking about Smurfs). However, there is some very important content, as well, and the process of thinking about it and organizing it in my mind was, for me, the most valuable part of the experience.

Overall, I'm glad I've got it, but I don't think it changes much what I'm capable of.
