However, I don’t believe that getting and maintaining a CISSP is necessarily going to keep you “up to date” on the state of the industry. I believe subscribing to blogs, listening to podcasts, writing your own articles and engaging in debates on forums like the Security Catalyst will do a better job of keeping you current, and making your skills visible.

Several years ago I wanted to move into IT Security consulting from Product Management at Entrust. When I met with some of the heads of local consulting companies, they said it would be a good idea for me to write the CISSP, if only to demonstrate that my work experience had given me the relevant knowledge. They recognized that it didn’t give a guaranteed skillset, just an indicator.

I did get my CISSP and it worked; and within a year I was working as an independent consultant. However, after 3 years I found that my job experience covered enough of the industry, and I was keeping up to date. So, I let my CISSP certification lapse. None of my clients to date has questioned the currency of my skills, and I may have missed 5 points out of 100 on a compliance matrix for a government standing offer by not having it. I dont feel I need to use it as an indicator of my knowledge any more.

I don’t bad-mouth the certification. It is a pretty tough mental exercise to prepare for and write. But once you have the experience and inherent credibility from your work, you may not need it. But people who wield their CISSP initials like a sword get the brunt of the scorn from others; mostly because it has become a bit of a stereotype in the industry. It is certainly an achievement, but when people see it in an email signature block there is a thought that flashes through their mind, “How much real experience does this person have, if they have to display their badge in every email?”

I think its important to take some pride in accomplishments, but more important to keep them in the right context.