First let me introduce myself, I am Clement Dupuis, the maintainer of the CISSP & SSCP Open Study Guide Web site, located at www.cccure.org. I have been involved with the CISSP certification for many years… I have been following the CISSP certification closely and I lately found out that it is changing and is no longer what it used to be.
The clientele pursuing their CISSP today is very different from what it was 5 years ago. Today you have people who wish to become CISSP because it is in demand, it is the leading security certification, it is the key for them to find employment. Some of them barely meet the minimum experience requirement. The new CISSP is, in some cases, very technical and no longer only management oriented. The new CISSP is very different from the one done years back by persons with dozens of years of experience. The certification has to evolve to meet these challenges, but this is not taking place. There have been many talks on the CISSP Forum about a master CISSP or some type of specialty within specific domains.
The article about (ISC)2 CISSP vs ISACA CISM was quite interesting. However, I do not believe that (ISC)2's only motive is to become the savior of the security certification world by avoiding the introduction of yet another security certification. The group's motives are diverse and, in some cases, might seem to be motivated by capital gains as much as the well-being of its constituents.
You present (ISC)2 as a single not-for-profit entity; however, this is not exactly the case. There is the (ISC)2 Consortium, which is the non-profit arm of (ISC)2, and there is also the (ISC)2 Institute, a for-profit spin-off. This creates a situation where (ISC)2 is attempting through different tactics to have a monopolistic approach towards the certification. It seems that their approach is to own the delivery of any training related to the certification. They do not have a system in place to validate the quality of training delivered by schools other than their own institute. They do not offer these competing schools a way to become accredited; there is no documentation about such a process on their site, their partner selection is unknown, and the partners are not even listed on their Web site.
Traditionally, (ISC)2 had no competition as there was nobody else competing with them in the delivery of such training… As the demand for the certification increased, so did the business opportunity as seen above by the new (ISC)2 for-profit institute. Lately we have seen on different mailing lists allegations from members closely related to (ISC)2 that these training schools are using their copyrighted material and that students who took training with such schools could lose their certification over it. All of these allegations are unsubstantiated, and I have yet to see any proof of these allegations.
The schools that I know and with whom I have established a relationship are all very professional and have talented people that can produce their own material that is on par with (ISC)2 seminars. A lot of these schools have directly contributed to the current success of the certification. Without them spending tons of money on advertising the certification, we would not be 15,000 today…
In [a comment in your article] M. Johnson said that “The vast majority of people we've talked to were dismayed … because they believe they'll now be expected to pay fees to two organizations to get and maintain certifications in order to satisfy their clients.” I do not believe that people will maintain two certifications but will simply endorse the certification that shows the greater value and a certification that brings something to its membership. Personally, I expect a professional organization to assist me in my daily tasks, I expect them to inform me of significant developments that I should be aware of, I expect them to establish some form of communication, and last but not least I do not expect that the only correspondence or information I will receive is a letter telling me that I owe my certification body $85 once a year.
From the comments that you have reported from ISACA, I was happy to see that they remained professional, did not indulge in calling others down and that they are willing to collaborate with others for the well-being of all. I am convinced that ISACA has the maturity, experience and dedication to make the CISM a great certification if they run their program as well as it has been run for the CISA.
Readers Respond: Security Cert Provider Cries Foul
I can only agree with David Foote, president and chief research officer at Foote Partners LLC; (ISC)2 has not been able to adapt to the changing landscape where there is more than a single delivery mechanism for the CISSP training. They should concentrate on key issues such as validating credentials, establishing a network of authorized schools for delivery of training worldwide, looking after the updates and content of the CBK, establishing firm communication with constituents, delivering advisories and tools to help the membership, acting as the lead in development of standards and consensus and a lot of other areas that are not related to the training portion of the certification.
It is funny to see CISSPs worldwide subscribe to SANS advisories and newsletters as their number one source of information when there is a membership of 15,000 people ready to help others but is not considered or asked to help.
In closing, I believe that ISACA is an organization that has as many credentials as (ISC)2. They have made a strong demonstration of their abilities to run a certification with the CISA.
It would be nice if a follow-up to the article could be posted with the other side of the coin.
Thanks
Clement Dupuis
cdupuis@cccure.org
It seems unfortunate that we have this kind of debate over certification. The academe (unusually) doesn't seem to have this kind of problem. Both (ISC)2 and ISACA have considerable knowledge and skills in specific areas of computer security, and I doubt that either would feel it sensible to claim that they alone have all the knowledge required for every possible aspect.
When reality takes hold, perhaps people will realise that there has to be overlap between the knowledge these bodies require, just as there have to be differences. MBAs study accounting, but not to the point of being accountants, although they may become CFOs. The issue is to understand clearly what the body of knowledge represents as value to a business.
If you consider that the British Standard (now international ISO/IEC 17799) has, in Britain, a certification standard (Part 2) it may be a useful model in this debate. Organizations accredited to issue certificates must use staff who are adequately qualified, and their work is subject to periodic external review. Either the (ISC)2 or the ISACA qualification could be very sensible indicators of capability, as could certificates from other sources. When work is reviewed it is not the qualification that is being checked, but the conduct of the work. That is, and I trust will remain, paramount. Reviews may well need more than one expert when skill overlaps have to be addressed, and organizations may need more than one kind of person to carry out the certification tasks properly.
So please could we have a return to a more rational approach to these matters rather than what might be misunderstood to be nothing more than a turf fight.
Kind regards
Steve Mathews
(FIMC and CMC and on the CESG CLAS list)