What is the first thing you'd like to bring to (ISC)2?
(ISC)2 is the first job where there's been a predecessor. [Outgoing CEO] Jim Duffy did a great job of taking what had been a volunteer organization and professionalizing it. He moved us from 3,000 constituents to more than 33,000 -- and still growing. What I see my
No. There are different kinds of certifications to address different sectors of the market. We are the gold standard; we are ANSI*-certified [for the CISSP]. We will get ANSI certification for other credentials.
*American National Standards Institute
But does certification mean something different as more and more people achieve it?
No. I see it taking on a meaning that maybe we need to fashion better. [The certification] represents really understanding a base of knowledge and practices. It represents a period of experience and it represents a code of ethics. As we get standard practices, similar to [those that] accountants and doctors [have], when practices become a procedure, then we will advance the profession.
The CISSP exam is now translated into five languages and has achieved huge international growth. Is it becoming harder to establish common security practices that cross borders?
If you have an international standard, the intent is to make it global. Will there be regional or country-specific implementations? Yes. But the intent is to make it global.
As you do that, do you need to create components within the exam that are specific to certain nations and regulations that exist within those nations?
We're looking at that. We're looking at that in two countries, which I won't name right now.
I don't see us coming down to the level of saying you're a U.S. Sarbanes-Oxley specialist. But U.S. and European law are increasingly driven by a compliance perspective. So a government specialty that dealt with regulatory compliance might be a good thing. But are we going to do it? We're still working to try to find out.
One criticism of the exam is that it should feature more hands-on material. How do you answer that charge?
Increasingly we're putting in scenarios, higher cognitive testing. I'm not sure what the right level of scenario-based testing is.
Editor's Note: (ISC)2 estimates that 20% to 25% of its questions are scenario-based and says it is looking at expanding that percentage.
As more security pros earn CISSP accreditation, do you see the need to add new segments of certification or higher levels of certification that distinguish those practitioners with more experience?
We have been looking at analogies to MDs, CPAs and engineers. An MD is an MD; a CPA is a CPA. We think that a CISSP is a lifetime credential. But we're still looking above and below CISSP to see what makes more sense in the market today and what makes more sense in the market five years from now. But is the right answer to reinforce the CISSP with more extensions? Or is there the need for a horizontal-level certification? I started off as an information security manager. I did risk management. Is risk management a horizontal [practice] or is it higher [than information security]? You could say risk management is higher in some cases because information security comes under it. Is a compliance officer different than a security manager? I don't see a lot of blacks and whites. I see a lot of grays. I don't think we need a new credential. I think we need to bolster the CISSP. I feel more comfortable saying [these roles] are horizontal than saying that one is higher or lower.