CISSP & CISM & Their real value for technical people

Let me start from a completely opposite angle first.

I hate CISSP. I hate CISM.

Yup. Yet I recommend them.

And I can say that, because I passed the CISSP exam in 2007 and CISM exam in 2011. Maybe not the best scores, but who cares. I passed.

I hate them cuz they represent the institutionalization of IT security & their role is more that of a recruitment tool than of something that actually makes people make their organizations more secure. A guy who has a CISSP, CISM, but never looked at the code or configured a software product is a drone. And is actually the worst hire for your org.

Now, if you didn’t sit any of them you cannot discuss / criticize them a.k.a. you should shut up.

So, I passed exams for both and then, for a couple of years I paid my annual fees for CISSP.

Then, I realized it’s nonsense to do so, so I stopped. [Note: many real ‘hackers’ I know who passed CISSP for the sake of ‘consulting work’ do not pay annual fees at all; they let the thing expire; they are definitely smarter than me since they didn’t lose any money and I did]

<ISACA rant>

For CISM I never got a certificate, cuz ISACA people have kept insisting for the last 3 years that my ex-managers sign some stupid papers to prove I am eligible. Now, I am eligible, but the paper requires a gazillion signatures and my ex-bosses actually did sign them yet missed one or two signatures. Seriously, it’s not just one signature required, but the whole paper needs to be signed multiple times. Who has time for stupid stuff like this?

So, I am not going to bother my ex-bosses again. I actually respect them and their time more than ISACA. So I ignored the whole b/s for 3 years. Yet they continue sending me a reminder. Every month. And if you wonder why I didn’t tell them to stop – I was curious how long it would last 🙂

</ISACA rant>

So, back to the story.

I believe that CISSP and CISM exams are useful, but are a one-off, and – perhaps surprisingly – I could say they are the main certificates you should study for if you want to work in IT security for long.

Just do not pay them annual fees cuz it’s a waste of your dough.

When you pay the annual fees you are paying for so-called maintenance and ‘keeping’ the certificate in good shape. What does that even mean? Think of it – if you passed a BSc, MSc, etc. you don’t need to pay a maintenance fee, yet you worked much harder to get them and studied at uni, rather than just sitting an exam organized by some private profit-oriented institution. Something doesn’t add up here. It’s a cash cow & you are feeding it.

Despite the criticism, both CISSP and CISM exams lead you to a great body of knowledge – one that will change your perception of things. And it should. If you are a researcher, vulnerability researcher, hardcore reverser, anti-corporate, and in general an “I do it my own way” person, you will hopefully realize and be in for a nice surprise at how many things you can learn from studying for these exams. It’s actually worth it. Your ‘I can break it’ world is actually very small. Expanding horizons should be a never-ending purpose for anyone who is in the business of IT Security. The CISSP/CISM will explain to you the business angle and the core knowledge about security – this is something you won’t learn from a hacking book. And such knowledge about security is a foundation on which you can build a proper IT Security practice. If you deny yourself knowledge then you better be outta here. Do not fight the system, use it. The knowledge you can gain when you study for these 2 exams is good for you and your future. Just don’t pay more than they are worth.

To conclude:

  • Find a sponsor who will pay for your bootcamp/course/exam, or… just a book
  • Study&Learn – be serious about it
  • Pass the exam, or not – who cares
  • Ignore the certificates
  • Do not pay annual fees
  • Profit (and you will)