Let me first start off with the disclaimer that I am a CISSP and (nominally) a member of (ISC)2.

I’ve been part of very few professional organizations throughout my career and college days. I even shied away from the women in engineering groups on campus, although I knew a lot of women in them. I tended towards the ad hoc, social groups instead. Blame it on the Cotillion club I was (forced to be) a part of when I was in high school; I just don’t like paying to be part of a “club”. I pay (ISC)2 only because I have to to keep my CISSP (and to other organizations for the same reason); I’m not a member because I believe in their mission or their goals. I think they’re overpriced and useless to me other than maintaining my credential (which is another can of worms…).

I’m more likely to be found at the local Linuxchix get-together, or NoVAHackers, because they are cool people who just happen to have the same interests I do. Yes, we’re “organized”, but I don’t have to pay to be part of the group (other than food and drinks, etc…). These folks I consider friends.

With the behemoth that is (ISC)2, I don’t even feel like part of the group. I’m assigned a number and then go on my merry way as long as I keep paying every year and submitting my CPEs. Which I’m perfectly happy to do.

I think the (ISC)2 has admirable goals, I’m just not motivated enough to care about them that much. I don’t participate in the elections (much), and I always pass up the proctor CPE opportunities and exam review opportunities. Could I help change the organization if I participated more – probably. And Wim Remes is trying to do just that by running for the board.

I don’t know what percentage of other CISSP holders feel like I do, but I’m sure I’m not the only one. And I’m not even sure that there’s anything (ISC)2 can do to change that – it’s not their “fault” we don’t care.

Any ideas or suggestions? Or arguments on why I should care more about the organization?

2 thoughts on “(ISC)2 and the CISSP”

  1. infosecChap says:

    I wholly agree. The only reason for CISSP is for people with no experience to get through the jobs filter, or for people in tangential roles to get on the infosec bandwagon. For example, I have a project manager who has done CISSP, which means that information assurance clients are happy to use him as his CISSP “badge” gives him assumed competence.

    But that’s all.

    I think that the “good standing” payments are just rubbish. I don’t have to pay to keep my degree “in good standing”. I don’t have to pay to keep my driving licence “in good standing”. It’s just a way to earn money. The exam itself is a money spinner.

    I’d advise joining IISP or similar.

    Having said that, I do keep my CISSP updated. Why? Because my employer pays and just in case I need to apply for another job. This is despite the fact I have an MSc, am a professional member of IISP and have a bunch of others like MCSE, PRINCE II and I’m chartered etc. etc.

    ISC2 is pretty irrelevant and as soon as recruiters stop asking for it, the better we will all be.

  2. brennz says:

    The CISSP certifies nothing more than the regurgitation of useless security facts. Nontechnical wannabe security types love it, because it “proves” their value. Technical security types are forced to get it in order to hit the HR or contract checkbox. I despise how (ISC)2 has tricked employers into believing it is worthwhile.
