More hats in the (ISC)2 ring

Aug 27, 2012
Careers, IT Leadership

Last week, I told you about Dave Lewis' candidacy for a seat on the (ISC)2 board. Today, there are more candidates to tell you about.

The race for a seat on the (ISC)2 Board of Directors is getting interesting, with several highly respected infosec professionals vying for a spot on the ballot. Many have criticized (ISC)2, which administers testing for the CISSP security certification, for letting the certification process languish. Some have let their certification lapse and, upon doing so, have bragged about it on Twitter and elsewhere.

Last week, I told you about one candidate, Liquidmatrix founder Dave Lewis. Below is an updated list of people who have tossed their hats in the ring, vowing to make the CISSP certification process into something to, as Lewis put it, “be respected again.”

–Related post: “Does (ISC)2 need change from within?”

I’ve brought up the criticism in a couple of conversations with (ISC)2 Executive Director Hord Tipton. His message: There will always be haters, but a majority of the 80,000 people (ISC)2 serves are happy. “What irks people is that certs are job requirements and some folks don’t feel they need a certification to be validated,” Tipton told me in one interview last year. “It’s often the same people who are fussing.” He admitted the organization isn’t perfect, and that members regularly have the opportunity to offer feedback on what could be better. “We received 20,000 responses to the most recent survey,” he said. “We evaluate everything we hear and use the feedback to make our certification program better.” But, he added, “The quickest way to fail is by trying to satisfy everyone.” One piece of feedback the organization is working into the program is a sharper focus on forensics, he said.

–More on this conversation in “(ISC)2 exec director: There will always be haters.”

All that said, some believe the only ticket to meaningful change is fresh blood on the board. To that end, here’s a more complete list of who’s seeking a seat:

Dave Lewis aka @Gattaca Vote Here

Scot Terban aka @Krypt3ia Vote Here

Chris Nickerson aka @indi303 Vote Here

Boris Sverdlik aka @Jadedsecurity Below or Vote Here

Sverdlik said this about the effort on his Jaded Security site:

I know you must be all shocked to see this and frankly so am I. Wim Remes truly believes that bringing fresh blood to the board is working in a positive way to drive change for the better.

Seeing that Dave Lewis is running (Vote for Dave) makes me feel that instead of sitting on the sidelines and bitching about it I should join the fight to drive change at ISC2. I’m not going to promise things that I may or may not be able to deliver on, but I can promise I will stick to what I believe is a shared vision in the community for a value-add certifying body. In order to change perception of the certification and the certifying body we need to change. The platform that I have is relatively straightforward:

1. The current test does not adequately provide any assurance that the candidate has a firm grasp of real world security as a whole. It is geared towards individuals that are good at memorizing text and being able to test well on the subject. It is very reminiscent of the MCSE/CCNA of the 90s. The format needs to change beyond just being updated with the latest technology. I’d like to see some form of essay-driven questions that would truly test the candidate’s knowledge of real world security problems and identify their logical thinking on how they would address them. This would be akin to the CCIE, where candidates are required to actually fix hw/sw problems on Cisco gear to demonstrate aptitude. This is one of the few ways I feel we can test true knowledge and eliminate the bootcamp mentality.

2. The pre-certification audit process also needs to be updated to provide assurance that the candidate has “real” security experience and to do this we must change the current endorsement process. ISACA requires that candidates have former employers and/or colleagues sign off on the attestation. ISC2 should do the same as this is the only way to attest to experience.

3. CPE requirements should be expanded so that they treat content producers and consumers equally. We produce a daily podcast, yet can only submit one hour of CPEs for the production of the content, while individuals who listen to the podcast can submit per episode. This is somewhat biased and puts off individuals from producing content and contributing to the community. We all agree that to be a good security practitioner you need to always stay up to date on the industry and there are many ways this can be done, outside of vendor driven conferences.

4. Financial transparency is what we have all been asking for. ISC2 collects annual dues and has a responsibility, as every responsible 501(c) organization does, to be transparent with accounting.

If you are a CISSP, take a few moments to vote.

Like any cert provider, (ISC)2 has its strengths and weaknesses. Since I’ve never studied to become a CISSP or had to do the work to maintain the title, I have no personal opinion. But in seven years of writing about the security community, I’ve heard plenty of complaints and have written about them. My goal in covering this is to generate discussion among you. I want you to go on Twitter, Facebook, Google+ or wherever else you are comfortable and share your views. Is the CISSP cert still worth attaining, or is it no longer in sync with today’s security challenges? Are people complaining over a bunch of nothing, or are there real problems in how (ISC)2 serves the community? While we’re at it, what about the other certs and the organizations that administer them?

Keep discussing.