Is CISSP certification worth the effort?

As I was scanning the presentations delivered at last week's Black Hat conference, one really jumped out at me. Presenter Timmay delivered a provocative session entitled "Why You Should Not Get a CISSP" -- a topic I recall as being hotly debated five years ago. As Timmay puts it, "For two decades, the flagship offering of the (ISC)2 [International Information Systems Security Certification Consortium] has been the CISSP, widely regarded as the only must-have certification for information security practitioners. But has it stood the test of time?... We explore the 10 domains of the CBK [the "common body of knowledge" upon which the certification exam is based], how the test has changed, and whether or not bothering with this certification can even help your career."

If you're not familiar with the CISSP, here's a primer: In order to gain CISSP certification, you need to have five years of infosec experience (or four years and a degree) and endorsement from another CISSP, plus you have to score at least 70 percent on a 250-question multiple-choice test. Then, if you agree to adhere to the (ISC)2 code of ethics and claim to have a clean criminal history, you're in. CISSP certification has to be renewed every three years, with continuing education requirements: taking classes, attending conferences and seminars, teaching, volunteering, writing.

Last year, as Eric Parizo discusses in a SearchSecurity article, the (ISC)2 came under fire for trying to "dramatically swell its CISSP ranks ... the organization's top priority -- funneling as many qualified information security professionals to employers as it can -- is at odds with some CISSPs who fear their hard-earned certification is being watered down by a bevy of inexperienced applicants." He goes on to explain the organization's quandary: "Despite more than 76,000 active CISSPs worldwide and 3,200 who took the test last December, [companies] can't find enough qualified infosec pros to work for them."