The Certified Information Systems Security Professional (CISSP) is the best known of all cybersecurity certs and is considered the “gold standard” within information security.
The last couple of years, however, have seen a backlash against cybersecurity certs within the wider community, as senior professionals scoff at these “paper certs” which, they say, do not tell you anything about how qualified a person is.
It is now considered “cool” not to have a cybersecurity cert.
I do understand SOME of the criticism, as a lot of people just become cert factories and do every certification under the sun without any real-world experience to back it up.
CISOs and companies are disappointed when they hire a person who is (on paper at least) “certified” and it turns out he or she is not able to deliver the cybersecurity results they hoped for.
In the backlash against certs, the CISSP has also been targeted, which I think is massively unfair, as most of the criticism comes from people who a) do not understand what the CISSP is and b) do not understand what it tells you about a person.
First, let us take a quick look at what the CISSP is.
The CISSP cert
As per the exam outline itself:
CISSP validates an information security professional’s deep technical and managerial knowledge and experience to effectively design, engineer, and manage the overall security posture of an organization.
The CISSP Common Body of Knowledge (CBK) consists of the following eight domains:
Security and Risk Management
Asset Security
Security Architecture and Engineering
Communication and Network Security
Identity and Access Management (IAM)
Security Assessment and Testing
Security Operations
Software Development Security
Along with passing the exam, you need to demonstrate 5 years of work experience in one of the eight domains listed above; otherwise you are considered an Associate of (ISC)².
And that is it, honestly: it is a massively wide exam covering a huge number of cybersecurity topics, and (ISC)² have done a good job of keeping it updated and relevant over the years.
I passed my CISSP exam in 2005 (yes, I am that old) and I can personally attest to how much the topics have changed over the years.
Criticism against the CISSP
A few of the common criticisms against the CISSP are:
It only teaches concepts and is not technical in nature.
The CISSP never claimed to deep dive into specific technologies; it is supposed to be a vendor-neutral certification. The whole point of the cert is to teach you concepts that you can apply to any technology over time.
It does not make you an expert in any particular area.
Yes, again, the CISSP covers literally every area of cybersecurity in its 8 domains, and then it is up to you to decide what area you want to specialize in. The exam will make sure you have the necessary foundation in place to succeed in cybersecurity, but it will not tell you what area to deep dive into.
It is too expensive to get and maintain.
OK, this I will probably agree with, as the cost to get, maintain and annually renew the cert definitely can compound over time (some companies are nice enough to reimburse these costs, though).
Companies that get breached have CISSPs on their teams.
Yes, and who was the genius that thought that having a CISSP makes you hacker-proof? Companies that are PCI DSS or ISO certified also get compromised, but that does not mean you throw away these standards.
There is no substitute for cybersecurity experience!
Agreed 100%, which is why there is a 5-year experience requirement. Even with a CISSP, you have to interview the person and see if they meet what you are looking for.
CISSP + experience is what gives a person credibility, and this varies from person to person.
What companies hiring CISSPs need to know
Most of the criticisms above can be leveled at virtually any certification, and part of the problem is the hiring manager’s perception of the CISSP.
They automatically assume the person is an expert if they spot the green cert on a person’s profile.
They have to realize that it is not a “silver bullet” that will solve their cybersecurity problems once the person is hired.
At the same time, it is ridiculous to think that the CISSP does not give value.
You can have a team of 50 pentesters, but they will not know how to create a high-level cybersecurity roadmap or launch a risk management program, which is something a CISSP studies in depth.
There is a reason that the CISSP has so much brand recognition in the industry even after so many decades, and that is because it has remained relevant and produced capable professionals over the years.
Why you should get CISSP certified in 2023
I got CISSP certified in 2005, like I mentioned, and I was the 5th CISSP-certified person in my country at that time.
A person holding a CISA or a CISSP was a mini-celebrity in the industry at that time, with consulting companies falling over each other to hire you.
That is no longer the case, sadly.
Times are tough, and tech layoffs mean there is huge competition among job seekers, with many CISSPs looking for jobs.
But consider this:
While having a CISSP will not give you much of an advantage, NOT having a CISSP means you will not even pass the first screening phase.
HR will probably screen your CV and remove it even before it reaches the CISO’s desk.
Start preparing for the CISSP AND start getting that hands-on experience on your CV to stand out.
Whether you agree or not, the CISSP is considered the big daddy of cybersecurity certs and a great stepping stone to future management roles.
Wishing you all the best in your 2023 cybersecurity career!