CISSP now equivalent to a master’s – but what are they really worth?

The Certified Information Systems Security Professional (CISSP) certification is a touchy subject. Those who’ve completed the course – and there are a few at Immersive Labs – will tell you that it’s no mean feat. UK NARIC, the UK agency that compares international qualifications and skills, attested this in a recent study, weighting it equally…

The Certified Information Systems Security Professional (CISSP) certification is a touchy subject. Those who’ve completed the course – and there are a few at Immersive Labs – will tell you that it’s no mean feat. UK NARIC, the UK agency that compares international qualifications and skills, attested this in a recent study, weighting it equally to a master’s degree. But can a course that takes just hours to pass really compare to one that requires two years?

The input necessary to achieve a master’s is arguably far greater than that required to attain the CISSP certification. Online training providers offer CISSP crash courses that prepare candidates in a week, but you couldn’t scratch the surface of a master’s in this time – coffee-fueled all-nighters or otherwise. The meagre few-hundred pounds that the CISSP cert costs has also sparked debate, and those who’ve splashed thousands on a master’s are understandably peeved that their time, money, and effort is deemed no worthier than a three-hour test.

The CISSP-qualified among us don’t have it all their way though, as the credential is valid for just three years. You can renew it by obtaining 120 continuing professional education (CPE) credits or retaking the exam before the certification expires, but an annual maintenance fee is still required. A master’s, on the other hand, stays with you for life – but that doesn’t make it truly evergreen. The fast-moving nature of cyber means that knowledge gained depreciates quickly, and within a decade you are ultimately left with a tired bit of paper. The CISSP certification also requires you to have at least five years of full-time, relevant job experience before taking the exam, so those who’ve passed will tell you it’s the fruit of many years’ labor.

Regardless of workload and difficulty, the industry-wide perception is that CISSP is more useful for getting a cybersecurity job than actually doing a cybersecurity job. It focuses on assessing cybersecurity knowledge, problem solving, decision making, and understanding industry standards and policies, but the practical component leaves much to be desired. As cybersecurity is highly technical, this is an insurmountable pain point.

Certifications can provide a theoretical footing in cybersecurity, but nothing will improve human cyber readiness like hands-on experience, which is why CISSP’s elevated status is problematic: it promotes an outdated way of validating learning. Those who want to further their cybersecurity careers may look on and think, ‘that’s great, everything I need to get a top-paying job can be bought for a few hundred pounds and ticked off in a week’, when nothing could be further from the truth. Cyber is a rapidly evolving industry, and for individuals to be of value – that is, to improve their organization’s risk posture and not just check a box to get through a recruitment process – they must upskill constantly. Threat actors don’t sit an exam and decide that’s enough to be going on with; they innovate every day, and the same must be true of the good guys.

Whether you are CISSP qualified or have a cyber-related master’s is irrelevant if you aren’t continually equipping yourself with new skills, practicing them in real-world scenarios, and evidencing the outcome. One Twitter user said ‘In light of the #CISSP news on equivalency with MSc, I've decided that my 20+ years’ commercial experience now confers the official status of Grand Master.’ We think they have a point.

At Immersive Labs, we help organizations equip, evidence, and benchmark their human cyber readiness, preparing them to counter the latest attacks. There are no geographic or technical limits on a user’s experience, and our technology allows unlimited access to cloud-based labs on demand. This means that relevant content can be served up and accessed at any time by any number of teams or individuals. You can see why more and more enterprises are putting their faith in Immersive Labs by booking a demo today.

We help businesses to increase and evidence human capability in every part of cybersecurity.

Legal