CISSP is at most equivalent to a 2-year associates degree – Security Boulevard

There are few college programs for “cybersecurity”. Instead, people rely upon industry “certifications”, programs that attempt to certify a person has the requisite skills. The most popular is known as the “CISSP”. In the news today, European authorities decided a “CISSP was equivalent to a masters degree”. I think this news is garbled. Looking into the details, studying things like “UK NARIK RQF level 11”, it seems instead that equivalency isn’t with master’s “degrees” so much as with post-graduate professional awards and certifications that are common in industry. Even then, it places CISSP at too high a level: it’s an entry level certification that doesn’t require a college degree, and teaches students only familiarity with buzzwords used in the industry rather than the deeper level of understanding of how things work.
Bonus: if not CISSP, what then?
A computer science degree or notable achievement.
You should have an organization with expertise at the top, with managers having enough expertise themselves to evaluate candidates. There’s a ton of really good people with neither college degrees nor professional certifications out there. Such things are useless to people with so much expertise and experience that such things are far beneath them. Organizations full of such people are the most effective ones.
However, that’s a minority. The majority of jobs are managed by people who can’t judge candidates, who therefore must rely upon third parties, such as degrees and certificates. Government jobs and some non-tech industry jobs are good examples of this.
In such cases, talented people will either rise to lead the teams, and fix them — or get frustrated and leave to find other jobs that value their actual contribution more than their certification.
But if that’s where you are, then I’d hire people with computer science degrees from universities. At least, if the students actually paid attention, they learned how things worked underneath, and can easily learn the cybersecurity buzzwords on top of that knowledge. In contrast, all a CISSP promises is that students learned the buzzwords.
I’m a big critic of academia; I seem to have gotten more out of college than the norm. So many bad people have degrees and so many good people don’t. But at least if we are talking about bad certifications, a bachelor’s degree is less bad than a CISSP.
That’s not to say the CISSP is all bad. College is out of reach of many people. Getting a CISSP certification is an alternate route into the profession. The point of this post isn’t that the CISSP is all bad, but that it’s closer to a 2-year “associate’s degree” than a 4-year “undergraduate degree” or a post-graduate degree.

*** This is a Security Bloggers Network syndicated blog from Errata Security authored by Robert Graham. Read the original post at: https://blog.erratasec.com/2020/05/cissp-is-at-most-equivalent-to-2-year.html