Security Basics mailing list archives

RE: CISSP Question


From: "David Harley" <david.a.harley () gmail com>
Date: Wed, 9 May 2007 10:04:30 +0100

> So if you already have 4 years of experience in management,
> or design, or consulting, what is the value of the CISSP? You
> are already doing the job that most people who are getting the
> certification are aiming for.

That depends on the individual. 

Check https://www.isc2.org/cgi-bin/content.cgi?category=1187 again.
Eligibility doesn't require you to be practising or with experience in all
ten domains: it requires that you give some indication that you have the
experience and qualities that should help you make the best use of the
baseline security knowledge that the exam tests you on, which -is- across
all the domains. 

So:

* You might at some time want to try for a job that requires you to
demonstrate knowledge of domains that don't really apply in your current
job. CISSP might not (probably shouldn't) qualify you for a top job in
domains in which you don't have practical experience, but does demonstrate
that you have potential at or above entry level. But it's about potential,
not "the awesome power of certification" to quote (probably inaccurately) a
Dilbert cartoon. It isn't your CISSP, or GIAC, or your PhD, or even your ten
years at the coalface that make you the right person in the right place:
it's a whole aggregation of skills and qualities.
* You might feel that better acquaintanceship with the whole Common Body of
Knowledge might enable you to do your job even better. FWIW, that's why I
did a CBK review: I hadn't done any generalized training for a while and
felt that a refresher would sharpen my skills and fill in the gaps that
inevitably open when you work in a very specialized area. Going for the exam
& cert was more or less an afterthought, though I'm glad I did it, and would
resent any suggestion that it somehow -lessens- my credibility. It wasn't
-that- easy!
* You might feel that people who can demonstrate practical skill and
experience -and- theoretical knowledge sometimes have more to offer than
people who have only one or the other - I certainly do. NB I said
"sometimes"!
* You might want to validate your practical knowledge and experience by
proving that you can meet the eligibility criteria. There are many reasons
for that: 
        - your employers might appreciate you better (having certified
professionals on the staff has a number of potential benefits to the
organization above and beyond the job the cert holder occupies:
PR/credibility, access to professional networks and so on).
        - they might even pay you better.
        - you might be required to demonstrate continuing professional
development in your work or your professional affiliations - (ISC)2 require
this, by the way.
        - you display commitment to professional standards. And so on. 

> Now of course this is a
> majority case, as there are people who get the cert for other
> reasons.

I'm not sure you've proved it's a majority case. 

> Experience in doing the projects, actually getting involved
> in the industry on your own, is the better way to spend your
> money than getting a certification.

Really? I wouldn't personally be inclined to pay anyone to employ me. :) 

I think this is still our bone of contention. You seem to suggest that the
issue is experience versus a certification. I don't think it is. You don't
have to have one or the other - actually, one is rarely an adequate
substitute for the other. Having both is better than having only one. But
it's not absolute proof of competence (or incompetence). It's (stop me if
you've heard this before) an indicator. Jobwise, it's still down to the
interviewer to ask the right questions (I don't think we're in disagreement
there) and get the right independent verification to establish that the
interviewee is up to the job. But how to conduct an interview properly is a
whole different topic...

-- 
David Harley CISSP
Security Author/Editor/Consultant/Researcher
Small Blue-Green World
AVIEN Guide to Malware:
http://www.smallblue-greenworld.co.uk/pages/avienguide.html
Security Bibliography:
http://www.smallblue-greenworld.co.uk/pages/bibliography.html


