tssci security

R.I.P. CISSP

We all know about the CISSP. You've heard the whispered hallway conversations. You've seen the business cards, the email signatures, and the government contract requirements. You might even know the secret handshake, or have the magical letters attached to your name somewhere yourself.

Alternatively, you may despise what it has done to the IT security industry and community. I do not despise it, and while I embrace it in concept (I'm not a CISSP, by the way) -- I have to agree that it has outlived its usefulness as a technical measure of capability. Special note: this is a very bad thing and it needs attention. No show of hands necessary.

Not all of the CISSP has been bad. It's given our industry a way to measure strong analyst level skills with information security concepts. Some claim there are benefits in the CBOK and ethics charter -- although these have been debated into nothingness over the years, with no innovations or improvements made. While some may argue that the CISSP was DOA, no one can dispute the fact that the CISSP's ability to deliver is currently MIA.

Wait, you're a CISA? Wait, you are a <insert other IT security certification here>? You'll also want to read on because this is also referring to you.

Specialist or Generalist: Pick one. Woops, you're too slow

I read Dan Geer's keynote at SOURCE Boston a few weeks ago, and a few things hit me. Near the end, he says:

Only people in this room will understand what I am now going to say. It is this: Security is perhaps the most difficult intellectual profession on the planet. The core knowledge base has reached the point where new recruits can no longer hope to be competent generalists, serial specialization is the only broad option available to them.

Geer is right: security is hard. It's also very intellectual. It brings a lot of ideas to the table.

Kevin Mitnick was doing his thing way before CISSP was around. It wasn't until later that intellectual success (but possibly ethical failure) stories such as Adrian Lamo, who showed that expert-level penetration-testing can be done by a hacker-without-a-home, a simple (possibly even outdated by average technology standards) laptop, and a web browser.

The reason why Adrian Lamo was so good, the reason why this industry exists, and the reason why security products fail are all interlinking problems. The only people who stand to win are the people who cause the most damage. Security is about damage prevention. Which is why Ranum is probably right, although I guess that's an argument for another time.

I sometimes (read: not often enough) work with a handful of people. Most are specialists -- a world-renown secure code reviewer, one of the world's best pen-testers (so I hear from even outside my organization), and an audit/framework/process guru. The generalists in our group (like myself) are a dying breed. I might also add that at least one of them is my age and brings an even broader skill-set and expertise to the table than I do. I consider myself very fortunate. Let me continue with this train of thinking by bringing us back to what Geer was saying about specialists vs. generalists:

Generalists are becoming rare, and they are being replaced by specialists. This is speciation inaction, and the narrowing of niches. In rough numbers, there are somewhere close to 5,000 various technical certifications you can get in the computer field, and the number of them is growing thus proving the conjecture of specialization [...] will not stop.

Today, I want to continue in the spirit of The New School of Information Security, and claim that we don't need expensive certification programs (i.e. products) that cater only to a certain kind of elite. We need to get back to basics.

IT Security certifications available to-date

You don't need them; I don't have them. Certifications breed specialization. We need more generalists. Don't get certified and don't pursue a certification.

Of the people that I work with, only the specialists have certifications. Note that the guy that is smarter than me (I asked him to provide input into this) -- he doesn't... and he says that the only certification that he was ever interested in through his career (I assume he's been working in this industry for over 10-12 years like myself) was from SAGE. He says it's no longer offered.

What is different about the OWASP People Certification Project

James McGovern wrote on his blog recently about this new project. In his blog post, Is it a bad thing that there are no IT security generalists?, he summarizes his points as follows:

As an Enterprise Architect, I understand the importance of the ability for a security professional to *articulate risk to IT and business executives*, yet I am also equally passionate that security professionals should also have the capability to *sit down at a keyboard and actually do something* as opposed to just talking about [it]. [...] If you are a skilled penetration tester, can write secure code and can reverse engineer software, you are worth more than any CISSP. For those who embrace the mental disorder of hybridism and distillation, *balance between these two are needed* where true IT security professionals understand both [...]

Can we appease both the voracious business needs and the wrath of the unstoppable and ever-expanding security learning curve? Is the OWASP People Certification Project the program that can do this?

If James can truly make this sort of thing happen (and I truly believe he is doing it and that he can do it -- based on everything I have seen so far), then I will do my best to ignore the obvious contradictions or annoyances -- and put my full support behind it.

It's not just James, either. Everyone I've met who has been involved in the OWASP project has been stellar. The OWASP organization has brought diverse people together in ways that DefCon/BlackHat, HOPE, Phrack, and many other grassroot efforts never could.

Will OPCP replace CISSP? Only time will tell, but I will tell you now that it indeed will. Wait and see.

Posted by dre on Thursday, June 19, 2008 in Security and Work.

blog comments powered by Disqus
blog comments powered by Disqus