Retirement is a time for reflection. How will you look back on your five years with the (ISC)2?
I certainly will look back with pride that under my leadership we've grown from a small community that was primarily U.S.-centric to a strong, well-respected international certification. We've reached a point where companies are making hiring decisions on whether people have our CISSP certification.
In general terms, I'm very proud of our international growth. When I took over, we had 300 CISSPs outside the U.S. Now that number has grown to more than 12,000 in 110 countries. I worked very hard on building alliances throughout the world. It's helped the overall reputation of ISC2 that we have this broad international acceptance.
How do you explain the quick rise in the ranks of certified CISSPs to 33,000 today?
Hard work in getting the message out, and spreading the message of professionalizing the information security practice through certification. We have good people carrying that message here and on the international front. And the people who have the certification are standing up to what our claims are. They are performing the job as advertised. Until the CISSP had some recognition, there was no real benchmark. If someone applied for a job, all a manager had to go by was the resume. There was no third-party endorsement.
With such rapid growth, is there a concern that the value of the certification would ever be watered down?
I wanted this kind of growth, particularly internationally, otherwise the CISSP would just be referred to as a U.S. certification. The sense was we had just touched the surface of the information security practitioner population.
We aggressively moved forward by offering the exam all over the world; we expect this year to give 450 exams in 45 countries. Our motto is to bring certification to where there's people. Last year we did our workforce study, and it says there are 1.3 million information security practitioners in the world. Let's say 10% show interest in becoming CISSP, that's only 130,000. We've only scratched the surface.
What shape is the CISSP in today, and what work remains to be done?
The certification today is stronger than it's ever been, and that's not just us saying it. The things that
I don't think they're valid. You have to have four years' experience within the 10 domains the exam covers, or three years and a Bachelor's [degree] to sit for the exam. You do have to have practical experience and have to have continuing education to maintain certification -- 120 hours every three years. I see those same [criticisms] and we certainly listen, take heed and invite those people who are critical to be specific and join the process. All of our questions are written by volunteers who are CISSPs. We even go so far as to put together an international panel to review it to make sure it can be answered in every language.
What's the best advice you can offer your successor?
No. 1 is obviously to continue and improve the rigor of the examination, which the board would insist upon -- to very strongly focus on constituent service. This year, for the first time, we will re-certify more people than we will certify. [My successor] must continue to inform practitioners of the value of the cert to make them want to retain it.