Friday, August 24, 2012

These guys want to reform the ISC2/CISSP

The best known professional certification in cybersecurity is the “CISSP” (by the (ISC)² organization), but it’s horrible. The test givers are incompetent. The organization is corrupt. Its ethics are unethical. It’s a typical example of rent-seeking behavior rather than a badge of quality. These problems have only gotten worse over the last decade as the organization has resisted reform.

So what should we do about the CISSP? Fight to destroy it? Or fight to reform it?

Well, some erstwhile critics are trying to reform it by getting elected to the (ISC)² board, displacing the incompetent/corrupt boobs who currently sit there. This started last year with the election of Wim Remes (@wimremes), and continues this year with four more:
(1) Boris Sverdlik (@JadedSecurity)
(2) Dave Lewis (@gattaca)
(3) Chris Nickerson (@indi303)
(4) Scot Terban (@krypt3ia)

These people differ from the existing board members in two ways. First, they are technically competent: “doers” rather than “managers” or “academics”. Second, rather than being cheerleaders for (ISC)²/CISSP, they have been vocal critics of it.

Critics are necessary to the health of any organization. The more criticism is resisted, the more group-think sets in, and the more corrupt the organization becomes. That the (ISC)² is run by cheerleaders and ignores its critics has been a grave problem.

The more of these five that get elected to the board, the more they will be able to reform it. You can read their petitions for each of their specific platforms, which are actually fairly minor reforms (like transparency and accountability).

I’m not saying that reform is necessarily a good idea; I’d rather destroy the CISSP. But, if you are a member in good standing with the (ISC)² and want to increase the value of your CISSP certification, then you should probably vote for these guys.

Update: more info here:
Update: By "doer" I mean "somebody with a published body of work". For example, Wim Remes (who got on the board last year) is a "manager", but he is also the only board member who lists "speaker at Blackhat" as part of his bio. It's this published work that makes him a "doer". We can all check out his published works, his podcast, and his Twitter feed in order to judge for ourselves whether he's competent. The same can't be said for the other board members; their competency is opaque and not easy for us to judge.


Anonymous said...

Reading this nice blog from Italy, this situation reminds me closely about the Italian politics. Apologies for the off-topic comment. But in fact I think this is a kind of politics, and could be applied to many other situations.

Anonymous said...

I've earned 2 CPEs reading this.

Anonymous said...

I don't get the negativity towards the CISSP. It's not a technical exam, it's a critical thinking skills exam targeted at the management level. I frankly wish more managers had CISSP training. Cyber warfare is a very real and imminent threat, we need more training, not ripping apart one of the only two organizations that develop cyber security training.

Robert Graham said...

Lol, you said "critical thinking skills". I doubt you know what that means.

Anonymous said...

Unless these guys offer some data points about what is broken and some ideas on how to "fix" ISC2 - something - they don't get my vote.

Anonymous said...

These guys have been offering points for a LONG time about what is wrong with the CISSP. If you want to know more, follow them on Twitter or read their blogs. They have been very vocal (especially Boris) about ISC2, the CISSP, and the state of security in general. Read the links posted by their names, read more of their blogs, and their Twitter feeds, then make some judgments.

Unknown said...

Hey Robert,

With all due respect for your opinion, categorizing any and all (ISC)2 board members as unaccomplished dumbfucks is a little too much, even for me ;-) A little research would turn up that some of these people have contributed significantly to our field of expertise (as broad as it is). I won't point out specific examples, but I'm pretty sure anybody can look into those contributions by putting the individual names into Google (or DuckDuckGo, for all that matters). As far as I'm concerned, I've developed a deep respect for all of my colleagues on the board and the time they devote to their task there (each with their own ideas and beliefs, which may be orthogonal to mine). Some I even consider my mentor.

Everybody knows why I joined a year ago and I can't be more happy with members exercising their right to petition than I am today.

Saying that I'm the only one standing for change on the current board is also not the reality. Any decision made needs (at least) a majority vote. No matter how inflated my ego, I only have one vote out of a total of 13 ;-)

It's my opinion that this is an organisation run by its members (by representation). As much as anyone may loathe decisions or things the organisation represents, he or she can choose to stand up and volunteer for a board position OR support a person running for a spot who best represents his or her ideas.

Lastly, and not specifically a point in your post, some have commented on the 'unclear' election process. I had no problems understanding the process when I ran my petition last year. The endorsed slate consists of people nominated by people within the organisation. Having been involved in the nomination process myself, I can only say that the process is rigorous and every decision for or against a nominated candidate can be properly explained to said candidate. I don't think the who's who of those candidates that didn't make it should be public information.

Note that I speak for myself here and you shouldn't consider my 'emoting' an official statement from the organisation or the board. We're all individuals working together for a membership. As such, I'm exercising my right to express my personal opinion and trying to shed some light on the whole thing from my point of view ;-)



Anonymous said...

I don't understand why you are knocking this cert.

I have just passed and am awaiting final certification after working in IT / info sec for over 6 years.

It is a very difficult qualification to achieve; it requires a high level of commitment, clear thinking, reasoning and discipline to pass.

I would consider it a very useful HR tool to at least weed out the spoofers from the real infosec candidates. It is hard to achieve, and this alone sets the bar high in terms of the quality of people who attain it.

It gives a very useful broad overview and tie-together of all aspects of the security environment, as well as broadening your mind in terms of seeing the bigger picture, and allows you to develop the emotional intelligence to speak at management level, something many infosec people lack.

No, it's not very hands-on or operationally useful, but it does test the skills you need from a management and financial POV, something most senior managers are more concerned with in reality.

All in all, tough as it was, I am very glad I did it, and it has focussed my desire to improve in other areas as well.

Unknown said...

Tell ISC2 that in America, we believe in honor, ethics, doing the right thing and the FREE MARKET.

ISC2 is trying to shut down because we offer the security community options to do self study for the CISSP exam!!!