In the last post we reviewed some thoughts on how Information Security can be more "Agile" by participating earlier in the SDLC. When Security and DevOps collaborate and think more in terms of small iterations, more often, then we end up on a similar Agile-like track as that of our friends in development, and everybody works better together.

One of the other things I discussed in my presentation to the Portland ISSA chapter was the disparity between where vulnerabilities are created and where IT Security budgets get spent. I'm pushing that off for another week, but I'll summarize: it costs 40-1000x more $$$$ to fix flaws in operations vs. at design or development. Guess where 90% of IT Security budgets get spent? You guessed it... at the perimeter... on band-aids to solve the problems that early-stage engagement with development could have prevented.


So, I'm putting my $$ where my mouth is. I'm not pursuing a CISSP, because I believe there is a better certification, one that is focused on professionals who are devoted to solving the problem where it starts, not just protecting the enterprise after the fact. We still need those guys too, but we need secure coding ninjas, securing all.the.things before they get out there.

What is the CISSP?

If you're not familiar yet with the CISSP, it's a certification launched in 1994 by the International Information Security Consortium (ISC)² to attest to the skills and qualifications of individuals in the Information Security field. It is specifically designed to test acumen across a wide variety of domains. Here are the eight domains from the 2015 test description... tell me if you notice anything interesting:

  • Security and Risk Management
  • Asset Security
  • Security Engineering
  • Communications and Network Security
  • Identity and Access Management
  • Security Assessment and Testing
  • Security Operations
  • Software Development Security

You guessed it... only one domain out of eight actually has much to do with SOFTWARE!

So, is there a better way for me to certify that I'm a secure software ninja, specifically?

Glad you asked ;-)

Why I AM instead pursuing my CSSLP

I'm sure you probably figured out by now that there was a catch to this. I'm still definitely in favor of folks whose goal is to secure EVERYTHING... please, go for it. Take the CISSP, be a CISO or an operational-security type. I'm 100% behind you.

But, if you're like me and believe your focus, your life's work, should be software, and you want to see it SECURE... then consider the more recently devised Certified Secure Software Lifecycle Professional (CSSLP) certification from (ISC)² to be the vastly more needed and appropriate way to measure your super ninja software architecture skills.

If better software is what's needed, I believe more developers, software architects, dev managers, devops practitioners, devops managers, and others employed in the SDLC should be seeking certifications that correlate to what they actually do, vs. a generalized overview like the CISSP.

So, here's my reading material for the next few weeks: the All In One CSSLP Exam Guide. I plan to sit for the test in the next month. More on that later as I get closer to the test date, and when I pass it!

My bedtime reading for the next month, the All In One CSSLP Exam Guide

Code well. Code Secure!