CISSP stands for Certified Information Systems Security Professional, a qualification that I obtained on this day in 1996. Back then, very few people had heard of CISSP or the organization that created it, the International Information Systems Security Certification Consortium. This non-profit professional body is known as (ISC)2 which is pronounced “I-S-C-squared” (because the name contains two each of those three letters, which is cute but a pain for typographers and search engines). These days CISSP is an acronym you’ll hear a lot if you spend time dealing with cybersecurity, and (ISC)2 is a name you’ll encounter at many events, such as the (ISC)2 Security Congress. In a moment I will talk about what it means to be a CISSP, but first, a few words of caution.
One place that you frequently see the letters C-I-S-S-P is in job descriptions for cybersecurity positions. For example, a quick search of openings on the employment website indeed.com finds 1,998 new job listings that include “CISSP” (far more than some related certifications, e.g. CCNA: 1,604; CISA: 1,105; and CEH: 352). Now you might think that, as someone who has derived many benefits from being a CISSP for 20 years, I would welcome this strong showing. And in some ways I do, but I also see a serious problem: too many employers inappropriately put “CISSP required” in job requirements. Why is this a problem? Because it creates understandable resentment from people who are qualified to do the work that the advertised position entails but don’t happen to be CISSP-certified.
In fact, when a company says that you must be a CISSP to perform a job which mainly consists of specialized technical security operations, then you might want to question their understanding of how information security works. (However, I totally get that questioning the judgment of a prospective employer is a non-trivial undertaking.) On the bright side, I do see more employers using language like “willing to attain CISSP” which strikes me as a very healthy approach.
I realize that this approach is hard to implement at scale, but I also think that as a nation, heck, as a planet, we have to do much better at hiring for cybersecurity roles. Numerous studies indicate that tens of thousands of cybersecurity openings go unfilled every year (and that’s just in the US, globally they’re talking hundreds of thousands). But I still meet very bright and motivated people who aspire to work in the industry and can’t get hired. We need to close this gap and solve these hiring problems if we are going to stand a chance at securing our digital future. And whatever else it means to be a CISSP, it means sharing a commitment to achieving that goal.