Readers Respond: Security Cert Provider Cries Foul

Readers respond to Jeff Moad's article "Security Cert Provider Cries Foul."

First, let me introduce myself: I am Clement Dupuis, the maintainer of the CISSP & SSCP Open Study Guide Web site, located at I have been involved with the CISSP certification for many years… I have been following the CISSP certification closely and I lately found out that it is changing and is no longer what it used to be.

The clientele pursuing their CISSP today is very different from what it was 5 years ago. Today you have people who wish to become CISSP because it is in demand, it is the leading security certification, it is the key for them to find employment. Some of them barely meet the minimum experience requirement. The new CISSP is, in some cases, very technical and no longer only management oriented. The new CISSP is very different from the one done years back by persons with dozens of years of experience. The certification has to evolve to meet these challenges, but this is not taking place. There have been many talks on the CISSP Forum about a master CISSP or some type of specialty within specific domains.

The article about (ISC)2 CISSP vs ISACA CISM was quite interesting. However, I do not believe that ISC2's only motive is to become the savior of the security certification world by avoiding the introduction of yet another security certification. The group's motives are diverse and, in some cases, might seem to be motivated by capital gains as much as the well-being of its constituents.

You present ISC2 as a single not-for-profit entity; however, this is not exactly the case. There is the (ISC)2 Consortium, which is the non-profit arm of (ISC)2, and there is also the (ISC)2 Institute, a for-profit spin-off. This creates a situation where (ISC)2 is attempting through different tactics to have a monopolistic approach towards the certification. It seems that their approach is to own the delivery of any training related to the certification. They do not have a system in place to validate the quality of training delivered by schools other than their own institute. They do not offer these competing schools a way to become accredited, there is no documentation about such a process on their site, their partner selection is unknown and the partners are not even listed on their Web site.

Traditionally, (ISC)2 had no competition as there was nobody else competing with them in the delivery of such training... As the demand for the certification increased, so did the business opportunity as seen above by the new (ISC)2 for-profit institute. Lately we have seen on different mailing lists allegations from members closely related to (ISC)2 that these training schools are using their copyrighted material and that students who took training with such schools could lose their certification over it. All of these allegations are unsubstantiated, and I have yet to see any proof of these allegations.

The schools that I know and with whom I have established a relationship are all very professional and have talented people that can produce their own material that is at par with (ISC)2 seminars. A lot of these schools have directly contributed to the current success of the certification. Without them spending tons of money on advertising the certification, we would not be 15,000 today...

In [a comment in your article] M. Johnson said that "The vast majority of people we've talked to were dismayed … because they believe they'll now be expected to pay fees to two organizations to get and maintain certifications in order to satisfy their clients." I do not believe that people will maintain two certifications but will simply endorse the certification that shows the greater value and a certification that brings something to its membership. Personally, I expect a professional organization to assist me in my daily tasks, I expect them to inform me of significant developments that I should be aware of, I expect them to establish some form of communication, and last but not least I do not expect that the only correspondence or information I will receive is a letter telling me that I owe my certification body $85 once a year.

From the comments that you have reported from ISACA, I was happy to see that they remained professional, did not indulge in calling others down and that they are willing to collaborate with others for the well-being of all. I am convinced that ISACA has the maturity, experience and dedication to make the CISM a great certification if they run their program as well as it has been run for the CISA.