The Nice Guy Paradox [Solved]

I have been taking a bit of flak regarding my post comparing the CISSP to the GSEC. It has been interpreted as negative towards the CISSP, which I suppose is fair to some degree. I find the prevailing argument put forth by Martin McKeay in support of the certification to be weak at best (essentially that the GSEC is technical and the CISSP is management), and I wanted to briefly refine my thoughts on the matter.

An Ideal World

I think we can all accept that a perfect certification would guarantee that a holder of said credential would be excellent for any information security role. We can also agree that no such certification is practical, or even possible. Given that constraint, we are forced to create certifications that are focused on particular areas. So the GSEC is focused on the technical implementation side, and the CISSP is focused on the management side. Fair enough.

What I think is important to note, however, is that this doesn't mean the GSEC doesn't cover conceptual topics, nor that the CISSP doesn't cover technical ones. In other words, even if a major certification is weighted toward a certain area, it will still at least touch on the opposite end of the spectrum. So the question becomes one of simply deciding where the weight lies: technical or conceptual.

My point is simple: it is far more responsible for a low-level certification not to cover upper-level concepts than it is for a higher-level certification not to cover technical basics. I again point to the battlefield. You don't require infantrymen to know the basics of military strategy, but you do require generals to know the basics of soldiering.

A Knowledge Progression

Remember that this is why generals must move up through the ranks: strategic understanding is built upon the practical knowledge gained in the lower ranks. Without this foundation a general may ask a soldier to drop a bomb on a target from 500 feet in the air, or ask a tank to sneak into an enemy building and conduct a room-to-room search. I'm exaggerating, but you get the point.

Upper-echelon leaders must understand the capabilities of the entities they control before they can make sound strategic decisions. This applies equally to information security managers and military generals. The notion that in information security one can simply jump right into management without at least a decent understanding of the moving parts (the technology) is no less asinine than putting a private in charge of an army.

This is my argument against the CISSP's history of being non-technical. More importantly, it is my argument against those who claim it is permissible for it not to be technical because it is a management certification. That makes it more important for an all-encompassing knowledge base to be tested, not less. And I think it is clear that ISC2 knows this. That is why they included all 10 domains.

They had the right idea: management certifications require holistic knowledge of the discipline, just as generals require a holistic understanding of warfare. This is the reason not only for the 10 domains but also for the experience requirement, just as it is for the general. The analogy could not be clearer.

Conclusion

It is simply absurd to claim that people in "management" roles don't need to be versed in technology. Chefs learn about food. Architects learn about the structural integrity of their building materials. Physicists learn math. Why should information security experts not have to learn the building blocks of their discipline like everyone else?

And most importantly, technical managers need to speak technology at least to a level that prevents them from being seduced by salesmen and GUIs. Some may argue that this is the role of non-management engineers, but that is a weak argument. Engineers should supplement a manager's technical knowledge, not represent the totality of it.

If the CISSP wishes to become a true test of leadership-level information security expertise, it needs to test for a higher level of technical knowledge. Not extreme, but higher.

May 23, 2025