RSA 2013: A spirited debate about infosec certs

A highlight at RSA Conference today will be a panel discussion on infosec certs. The question: Are they still valuable?

Few topics will spark emotion in security practitioners like the value of security certs. These days, one cert in particular is a favorite punching bag: the CISSP, administered by (ISC)2. In recent years, I've heard several industry friends brag about letting theirs expire. Yesterday at BSidesSF, two friends got into a spirited argument about it.

Today, the debate continues during a panel discussion from 2:50-3:50 p.m. in Room 302 at the Moscone Center. The talk -- "Information Security Certifications: Do They Still Provide Industry Value?" -- will include the following voices:


Thomas Stamulis - Regional Director, Verizon

Richard Moore - Vice President, Senior Information Security Manager, RBS Citizens

Andrew Ellis - Chief Security Officer, Akamai Technologies

Hord Tipton - Executive Director, (ISC)2

Jennifer Minella (Jabbusch) - Chief Information Security Officer, CAD, Inc.

The talk description:

Information security certifications have been around for more than two decades, and hundreds of thousands of professionals have attained them. As the industry matures, many academic institutions now offer bachelor and advanced information security degrees. Should the infosec community continue to support these certifications or should we encourage a more traditional academic approach?

The talk comes after a year of intense campaigning from people looking to get on the (ISC)2 board. Candidates vowed to clean house if elected. (ISC)2 Executive Director Hord Tipton didn't flinch when I asked him about all the discontent during one of our several chats in the last couple years:

"What irks people is that certs are job requirements and some folks don’t feel they need a certification to be validated," Tipton told me. "It's often the same people who are fussing." He admitted the organization isn't perfect, and that members regularly have the opportunity to offer feedback on what could be better. "We received 20,000 responses to the most recent survey," he said. "We evaluate everything we hear and use the feedback to make our certification program better." But, he added, "The quickest way to fail is by trying to satisfy everyone." One piece of feedback the organization is working into the program is a sharper focus on forensics, he said.

Stamulis has been outspoken on the need for big changes at (ISC)2. It'll be interesting to watch the back and forth between him and Tipton. Moore, Ellis and Minella will make it interesting as well. I'm friends with them all, and can tell you they never shy away from a good debate.

Copyright © 2013 IDG Communications, Inc.
