Wednesday, May 13, 2020

CISSP is at most equivalent to a 2-year associate's degree

There are few college programs for "cybersecurity". Instead, people rely upon industry "certifications", programs that attempt to certify that a person has the requisite skills. The most popular is known as the "CISSP". In the news today, European authorities supposedly decided that a "CISSP is equivalent to a master's degree". I think this news is garbled. Looking into the details, studying things like UK NARIC's benchmarking against the Regulated Qualifications Framework (RQF Level 7, the level that covers master's degrees as well as smaller post-graduate awards and certificates; the Scottish equivalent is SCQF Level 11), it seems instead that the equivalency isn't with master's "degrees" so much as with post-graduate professional awards and certifications that are common in industry. Even then, it places the CISSP at too high a level: it's an entry-level certification that doesn't require a college degree, and teaches students only familiarity with the buzzwords used in the industry rather than a deeper understanding of how things work.

Recognition of equivalent qualifications and skills

The outrage has been over the claim that the CISSP is "equivalent to a master's degree". I don't think that is the case. Instead, it seems to be "equivalent to professional awards and recognition".

The background behind this is how countries recognize "equivalent" work done in other countries. For example, a German Diplom from a university is a bit more than a U.S. bachelor's degree, but a bit less than a U.S. master's degree. How, then, do you find an equivalent between the two?

Part of this is occupational, vocational, and professional awards, certifications, and other forms of recognition. A lot of practical work experience is often equivalent to, and even better than, academic coursework.

The press release here discusses UK NARIC's benchmarking against the RQF, putting the CISSP at Level 7. That is the same level as post-graduate coursework and various forms of professional recognition.

I'm not sure it means it's the same as a "master's degree". Within a single RQF level, there is a fundamental difference in size between an "award", requiring up to 120 hours of learning, a "certificate" (130 to 360 hours), and a "diploma", requiring 370 hours or more; a full master's degree is larger still, typically 180 credits, or around 1,800 hours. Assuming everything else checks out, this would place the CISSP at the "award" end of Level 7, not at the "certificate", "diploma", or "degree" end.

The question here is whether the CISSP deserves recognition along with other professional certifications. Below I will argue that it doesn't.

Superficial not technical

The CISSP isn't a technical certification. It covers all the buzzwords in the industry so you know what they refer to, but doesn't explain how anything works. You are tested on the definition of the term "firewall", but you aren't tested on any detail about how firewalls work.

This has an enormous impact on the cybersecurity industry, which is full of "certified" professionals who are nonetheless non-technical, not knowing how things work.

This places the CISSP clearly at some lower RQF level. Level 7 is reserved for people with a superior understanding of how things work, whereas the CISSP is really an entry-level certification.

No college degree required

The other certifications at this level tend to require a college degree. They are a refinement of what was learned in college.

The opposite is true of the CISSP. It requires no college degree.

Now, I'm not a fan of college degrees. Idiots seem capable of getting such degrees without understanding the content, so they are not a good badge of expertise. But at least the majority of college programs take students deeper into the theory of how things work rather than stopping at the superficial level of the CISSP.

No experience required

The CISSP nominally requires 5 years of job experience, but as far as I can tell, most people fudge it. Most jobs these days involve computers, and most computer jobs have some security component. Therefore, when applying for a CISSP, applicants exaggerate the security responsibilities of their past jobs.

This is why the CISSP is widely regarded as an entry-level certification: so many holders of the certification are inexperienced.

Grossly outdated

In a rapidly evolving industry, of course such certifications will be somewhat outdated. I'm not talking about that.

Instead, I'm talking about how much of the coursework was already outdated in the 1980s, such as the Bell-LaPadula model or the OSI model.

Moreover, I'm not criticizing the certification for having outdated bits -- I'm criticizing it for having such low technical standards that its authors don't even understand how outdated it is.

They have things like the "OSI Session Layer", which nobody really understands.

The OSI Session Layer was a concept from 1970s mainframes that the OSI thought would be important in future network standards, but when the industry moved from mainframes to personal computers in the 1980s, the idea disappeared, to be replaced with new and different "session" concepts that are no longer in a "layer".

There's nobody involved in the CISSP tests with sufficient expertise to understand this. Instead, they learned it was important, even though they never really grokked it, so they insist on putting it on the tests for the next generation. In other words, it's not just the test that's superficial, but the entire organization behind the test.

In contrast, other organizations are run by experts. Those teaching master's programs hold Ph.D.s, for example.


There isn't a single university granting degrees. Instead, there are thousands of organizations around the world conferring degrees.

Conversely, the organization behind the CISSP (ISC2) has a monopoly on the CISSP. It spends considerable effort marketing it, convincing organizations such as UK NARIC to value it higher than it deserves. It's an entry-level certification that ISC2 tries to convince organizations is worth far more.

It's a little crooked in its efforts. In an industry that values openness and transparency, the organization is notoriously opaque. It has some of the worst marketing, such as the above press release implying that the CISSP is equivalent to a master's degree. It never actually says "equivalent to a master's degree", but of course, that's how everyone has interpreted it.


I'm not saying anything is perfect. Academic degrees have their own problems. Other professional certifications have problems. Determined idiots regularly succeed at defeating even the most discerning recognition-granting institutions.

The issue here is at what level to place the CISSP. That level is around that of an associate's degree, the first two years of university. It's probably worth undergraduate credit, but not post-graduate credit. It's nowhere near the standard of other post-graduate and professional certifications.

Bonus: if not CISSP, what then?

If the CISSP is crap, what should people use instead?

A computer science degree or notable achievement.

You should have an organization with expertise at the top, with managers having enough expertise themselves to evaluate candidates. There are a ton of really good people out there with neither college degrees nor professional certifications. Such credentials are useless to people with so much expertise and experience that such things are far beneath them. Organizations full of such people are the most effective ones.

However, that's a minority. The majority of jobs are managed by people who can't judge candidates, who therefore must rely upon third parties, such as degrees and certificates. Government jobs and some non-tech industry jobs are good examples of this.

In such cases, talented people will either rise to lead the teams, and fix them -- or get frustrated and leave to find other jobs that value their actual contribution more than their certification.

But if that's where you are, then I'd hire computer science graduates from universities. At least, if the students actually paid attention, they learned how things work underneath, and can easily learn the cybersecurity buzzwords on top of that knowledge. In contrast, all a CISSP promises is that students learned the buzzwords.

Although I'm a big critic of academia, I seem to have gotten more out of college than the norm. So many bad people have degrees and so many good people don't. But at least if we are talking about bad credentials, a bachelor's degree is less bad than a CISSP.

That's not to say the CISSP is all bad. College is out of reach of many people. Getting a CISSP certification is an alternate route into the profession. The point of this post isn't that the CISSP is all bad, but that it's closer to a 2-year "associate's degree" than a 4-year "undergraduate degree" or a post-graduate degree.


Unknown said...

This is very well written and reasoned. I find myself as one of those who, in my opinion, am a productive member without a degree. It becomes a bit of a litmus test as to whether you are received as qualified due to your experience and knowledge, or as insufficient due to lack of this accreditation. Oftentimes, I will be surprised by which path is taken by a given party. Thank you for the post!

Unknown said...

Very well written piece and I agree on everything that’s been said.

Unknown said...

Truth. Let's all share this amongst the HR community.
