Information Security Certifications: Is the CISSP Just a Badge, or Is it More?

John Colley defends the merits of the CISSP exam

The (ISC)² is a pioneer organization that, with its CISSP certification, has become the dominant international professional body for information security, and also the favored target for critics. As a board member, chairman for two terms, and now a member of the senior team, I have witnessed, over 14 years, the steady progress of our ability to respond to expectations. I have also generally found the critics’ opinions to be founded in myth and misunderstanding.

Personally, I succumbed to the biggest myth of them all: that the examination is easy for anyone with a modicum of experience. I chose to take the CISSP exam in 1998 when I had seven and a half years of experience and was convinced that I knew enough to pass it. I found the examination one of the toughest I have ever taken and finished it with no idea whether I had passed. I did pass, however, and within six months I became an active advocate for the development of the information security profession. The existence of (ISC)², the not-for-profit body that developed my new certification, provided a facility for me to do so.

Since then, in contrast to critics’ claims, the examination has become more difficult as the amount of knowledge relevant to the discipline has exploded. Membership has grown, not because of a dumbing down of the examination, but due to a ramping up in the recognition of information security’s importance.

The myth that the CISSP is ‘all American’ is perhaps understandable, as it is born in truth from the early days, when the common body of knowledge upholding the CISSP was based on the experience of the then nearly all-American membership. It is worth noting that all (ISC)² certifications are a reflection of the membership. Currency is maintained by regular job task analysis (JTA) surveys and a rigorous process of confirming validity through external references. Our examinations are not the fabrication of a small, commercially driven group sitting in our US headquarters. Herein lies the root cause of why the CISSP has earned its standing. The early pioneers defined the practice and set the foundation for a profession with their collective knowledge and commitment to make it known.

Almost 25 years later, this process continues. Our most recent JTA injected the knowledge required of current technology topics, including cloud, social media and mobile computing. Test development reflects the collective experience of the membership, experience that inherently gets deeper as we grow to serve more people working from more countries.

Any qualification demonstrates commitment: the commitment to study for it; the commitment to maintain continuing education; and, in the case of our qualifications, the commitment to follow and abide by a code of ethics. All (ISC)² qualifications are accredited to the ISO 17024 standard, which requires that they be a valid test of competency. Employers understand that those holding these qualifications have made an effort to gain the base knowledge required of the discipline and are committed to continuing their professional development. This provides a good baseline for the hiring process. I would never suggest, however, that this is all that is required.

Our members expect benefits that go beyond the mere possession of a qualification. They demand and receive support for their continuing professional education, but they also want recognition for the profession they have chosen and to have a voice in this community. As (ISC)² develops its leadership role, this is exactly what is being achieved. Members have the opportunity to be active in independent local chapters, increasingly influential regional advisory boards, and to participate in formalized ambassadorship programs.

I welcome criticism as a sign of our progress and a positive force pushing our development as an organization. We perhaps should do more to communicate this progress. All too often, however, it comes from those seeking to be seen as a rare or elite commodity, rather than part of a growing and valued community. At a time when many are beginning to voice concern over a skills shortage, such criticism appears ill-placed – but that is the stuff of another conversation.


John Colley, CISSP, is the managing director EMEA and co-chair of the European Advisory Board for (ISC)²