Saying goodbye to my CISSP

Part of growing up is figuring out that your time and attention are 1.) your most valuable resources, and 2.) finite. To paraphrase Gollum, they are your “preciouses”.

So it helps to be thoughtful and deliberate about how you spend them. You need to figure out where to focus to get the most from your investment.

As an IT person, some of that investment tends to be in studying and professional certifications. We have to make choices about what we’re going to pursue (what’s most interesting and what will help in the future), and what we’re going to leave behind (what’s uninteresting and least helpful).

The yearly renewal for my CISSP is due in a few days. I’m going to let it lapse.

Checking all the boxes

I got my CISSP (Certified Information Systems Security Professional) cert while working for a firm that does IT audit – it was important to them to have a CISSP on their staff. I had done quite a bit of security work as part of my IT jobs, so I bought the study guide, registered for the test, and drove to a hotel in Dallas to sit for it.

I was the only IT person in the room. Everyone else was an auditor. They glared at me when I finished first and walked out of the room – they had been at the hotel for two weeks for a CISSP bootcamp. I had shown up the night before and flipped through the study guide. It was the difference between an IT person approaching security and a security auditor approaching IT.

My pass note came in the mail. I had checked the CISSP box. Over the next few months I took part in some audits and checked a lot more boxes.

And I quickly became convinced that IT audit is where dreams, happiness, and prairie dogs go to die. Be kind to your auditors; you may be the only thing keeping them from throwing themselves in front of a train.

From pride to apologies

Of my certs, the CISSP is the one that gets the most comments. At first it was exciting – it was the first management level cert I acquired and it felt nice to have recruiters calling.

But over the years I’ve found myself becoming defensive.

“Oh, you have your CISSP?!”

*Look around* “Yes, but I promise I’m really down to earth and practical.”

My defensiveness was a response to the culture I was getting exposed to – security group meetups, forums, fights with auditors. In the past couple of years I found myself really not enjoying IT security.

The thing is, I love IT security. There are interesting problems to solve and an element of Sherlock Holmes-style mystery that’s a lot of fun.

But the curriculum and culture of CISSP (and much of IT security) isn’t really geared toward problem solving – it’s geared towards writing policy to deflect liability, even though many technically focused jobs ask for it.

As I went to events and gobbled up continuing education, I became less certain about who would be able to get the most value from the cert.

An Information Security Officer? It probably is a foundational cert if you want to blab about vague, misguided attempts at corporate risk mitigation. I guess that works. I bet the CISO in charge when Target got hacked had his CISSP.

It’s not really a good cert for auditors either, as it just gives them confidence to ask the wrong questions. It’s definitely the wrong cert for someone technical – I don’t think its creators would argue too strongly with that.

I know for sure that, right now, it’s the wrong cert for me. It may have helped me get a job or two, but I have to put my time and attention elsewhere to focus on more interesting and valuable things. I’ll still bake security into everything I do, I’ll just do it without the extra letters at the end of my name.

Image Credit: Ken Caruso