I'm reasonably sure nobody at Matasano has a CISSP. I'd be surprised to hear they have certs of any kind.

At the high end of information security, these things do not matter at all.
I'm an ISO (Information Security Officer). I am responsible for IT security for a large organization.

I don't have a CISSP, although most other ISOs I know do. I've worked in security for about six years. It's a real mixed bag. Some ISOs are just high-level managers, while others are much more hands-on and technical. I do have several SANS GIAC technical certifications, although I don't consider those better or worse than a CISSP. Certs are really just a requirement if you want to work in IT security.

Like all certs, the CISSP is not a good measure of practical knowledge. I've met hundreds of people who hold various certs and various degrees. And none of that really matters.

What matters is prior computing experience and interest. Have they coded? What languages? Do they have a real interest in general computing? Can they show code they have written? Do they have GitHub accounts (or similar)? Have they been a sysadmin or network admin? Do they know OS fundamentals (file systems, user accounts, IPsec, firewalls, logging, shell scripting, etc.)?

If you find someone who has that past computing experience and a keen interest in general computing, and who has a college degree (major doesn't matter) and who holds a CISSP or SANS GIAC certs, then they'll work out great. But you don't want to hire the guy or gal with an MBA and a CISSP who has never administered a system unless you're only looking for a manager and you have security analysts/engineers to do the heavy technical lifting.

And I think this is where the problem comes in. These kinds of people (MBAs with no experience) are hired, then when the sysadmins and other technical staff meet them they are shocked and amazed at how little they know about general computing and wonder how on earth they're going to "secure" systems when they've never installed an OS or configured iptables/pf or brought up a SPAN interface on a Linux box running Snort or sent a PGP-encrypted email message.

In these cases, you have to have analysts and engineers to do the actual work, and the managers can do the policies/documentation/audits.

So it's important to be very clear on the technical requirements and expectations (if any) of the security positions. You don't want to find out later that your "security guy" doesn't know what a bit or byte is and has never heard of IPv6 and thinks it has something to do with car engines.

Just my experience.
"What I want from the CISSP or any certification program is that it be hard to pass."

On exam difficulty, try CCIE certification. There are two parts, the written ($350 per attempt) and then the lab part, which costs $1500 per attempt. The lab part has a 26% pass rate over the history of the exam. In comparison, the CA Bar exam has a 35% and 55% pass rate, which is the lowest in the US.

You also can't just take it anywhere; you have to travel to a designated lab testing center, and depending on where you are that means the cost of travel and lodging.
I thought about this one for a little bit and threw it into the bucket of "well, most certifications are worthless", but I don't think I fully believed that.

Our security team consists of individuals that I would consider <i>great</i> and folks that do some of the legwork required of a security department at a large company. We have folks who audit and provision access, a job that would require knowing the basics of RBAC most of the time.

I think the point this article is making isn't entirely correct. I've yet to find a <i>test</i> that magically ensures that someone is competent, be it a large number of tests required to pass a degree program or a single test required to pass a certification. It is part of a broader picture. A resume with zero experience/visible work that includes a degree in CS is going in the bin unless it's a person targeting an intern position. A resume with zero degree, a few years of experience and solid examples of their work is going to get attention (and depending on the work, it won't matter if you have traditional corporate experience).

In InfoSec it's possible to get the equivalent. Companies who care enough to fix the problems in their software grant credit that can be cited in a resume/CV. Some will pay bug bounties if you find a vulnerability and follow their disclosure requests.
Even though people consider the CISSP cert useless, it is still better than the current alternatives. Security+ and CEH are even worse. Though it is no excuse for not having a useful cert that all your "competitors" are worse...