There was a DEF CON talk about CISSP. Here is a summary of the talk as well as the actual slides:


I am not sure why this is necessarily a controversial topic, though it does seem to come up almost every year. Certs are a problem in IT generally and InfoSec in particular. I am not sure if CISSP is any different from any other cert out there. There are a handful that I consider worthwhile: GSE, different flavors of CCIE and maybe a handful of others, like MCA, RHCA and VCDX. The common thread that runs across all of these is the hands on test and demonstration of real world experience.

Everything else is really just resume fluff. It’s good enough for demonstrating that you have some concept of the fundamentals for a junior position, but not much else. No cert, and CISSP in particular, demonstrates the expert-level knowledge it purports to. Ultimately, it’s almost always about showing a body of work and years of experience. I do think it’s a more pressing problem in the InfoSec field, simply because it’s such a broad domain and it’s more difficult to validate someone’s skill set.