Security Cert Provider Cries Foul

A top security certification provider this week charged that a rival group's plan to offer a comparable certification will force security pros to obtain multiple credentials.

The non-profit owner of the leading professional certification program for security managers has charged that a rival group's plan to offer a comparable certification will confuse the market and force security professionals to obtain multiple credentials.

Officials from the ISC2 (International Information Systems Security Certification Consortium Inc.) posted a statement on the organization's Web site Tuesday criticizing plans by the ISACA (Information Systems Audit and Control Association) to launch a new certification targeting information security managers. The new ISACA certification, to be called the Certified Information Security Manager and due to launch in June, could compete with the well-established CISSP (Certified Information Systems Security Professional) certification from ISC2.

In its unsigned online challenge to ISACA's plan to roll out the new certification, ISC2 officials say the CISSP certification already "meets or exceeds the areas the CISM professes to address." The statement also questions the qualifications of ISACA to move into the security practitioner certification space. Currently ISACA offers a certification focused on security auditors.

"Traditionally, ISC2 and ISACA have respected each other's complementary missions that address the different accountabilities of the information security profession," the ISC2 statement reads. "However, ISACA has recently announced a new certification outside of its recognized leadership in the audit community."

In an interview with eWEEK, ISC2 officials denied the statement was simply an attempt to derail a potential competitive certification. "There's nothing wrong with competition, providing it adds value," said Bob Johnston, CISSP and manager of credentialing services at ISC2, in Framingham, Mass. But, said Johnston, by addressing the same audience and body of knowledge already targeted by the CISSP, the new certification would confuse the marketplace.

"The vast majority of people we've talked to were dismayed … because they believe they'll now be expected to pay fees to two organizations to get and maintain certifications in order to satisfy their clients," said Johnston. Currently it costs CISSP candidates $450 to take the exam plus an $85 annual maintenance fee. Optional preparation courses would cost more.

In a written response to the ISC2 statement, Leslie Macartney, chairman of the CISM certification board, said her organization's new certification will be "unique among and complementary to existing security credentials." Macartney said the ISACA certification will be different from the CISSP because, to obtain it, candidates will be required to document security management experience, not just pass a test. This, she said, "ensures that only those who manage and oversee an enterprise's information security effort can earn it."

Macartney declined to directly answer ISC2's charges that the CISM will confuse the market.

Although ISACA officials have said the CISM has been in development for two years, ISC2's Johnston said his organization was not consulted about it prior to its public unveiling in August. Nor, said Johnston, have ISC2 and ISACA had direct discussions since then about resolving potential overlaps between the two certifications.

The public sniping between ISC2 and ISACA is unusual in the normally refined, quasi-academic world of professional IT certification. ISC2's willingness to publicly criticize ISACA "indicates they're on the defensive and that the CISSP may be perceived as vulnerable to a new competitor," said David Foote, president and chief research officer at Foote Partners LLC, a management consultancy and IT workforce research firm located in New Canaan, Conn. Foote said the CISSP is widely prized and the leading credential for security managers. Currently it delivers a median bonus pay of 10 percent of base pay, and that rate has risen by 25 percent over the last year, Foote said. According to ISC2, by the end of this year, 15,000 security managers will have obtained the CISSP credential.

"If a company is doing a search at the security management level, they will demand the CISSP," said Foote. "If you don't have it, you'd better have a lot of experience."

Still, said Foote, ISC2 has done a relatively poor job of offering education and training courses to help candidates prepare for the CISSP exam. This, he said, is an area where ISACA, with its new credential program, could do better.

Ironically, ISACA currently offers continuing education classes for current CISSP holders. CISSP holders must take a minimum number of classes per year in order to maintain their certificates. ISC2 decides which classes qualify for credit.

ISC2's Johnston said his organization will soon be reviewing the ISACA classes as well as those from other providers.

"No question, at this point we are revamping [the] program slightly, and there will be a point at which ISACA, like every other organization, will have to reapply."