(ISC)2, a non-profit provider of security training and certificates, is best known for its Certified Information Systems Security Professional (CISSP) designation,
viewed as the baseline vendor-neutral certification for information security professionals. In January, Wim Remes was elected as the chairman of the (ISC)2 board of directors, a rapid ascension for an admitted outsider who first ran for the board two years ago on a "platform of change."
In this wide-ranging interview with SearchSecurity, Remes discussed the goals he has set for (ISC)2, the changes he has already seen take root, and the ways he wants the group to better serve its members, including restoring the value of the CISSP.
If I didn't believe in my ability to provide that change, I wouldn't be talking to you as chairman of the board today.
Wim Remes, chairman of the board, (ISC)2
What was your original involvement with (ISC)2, and how have you seen the organization change over the years?
Wim Remes: I got my CISSP in 2006, and like most of the (ISC)2 members, I wasn't really involved in the organization. As I got more and more involved in the security community, I became more aware of what the organization could be. I didn't think it was living up to its promises, and I have to say that more people were thinking the same way.
So in 2011, I ran basically on a whim. Despite being from a small European country and not being well-known in the industry, I was successfully elected. I won a seat based on a platform of change, and in the past few years we've worked hard to turn the perception of (ISC) 2 from what I would call a profit-based organization focused on selling certificates to a more member-focused approach. That's where we are now, as I've been elected as chair: driving this home and creating as much value as possible, not only for (ISC)2 members -- though they are the focus -- but also for the security industry and community.
What has your time on the board been like? What has surprised you, both positively and negatively, about the way (ISC)2 operates?
Remes: First, from a positive perspective, when I joined, the only person on the board I had heard of was Dan Houser. I immediately learned that they were all very positive people that were engaged in getting the organization to the level where I also wanted it to go.
However, I would say the board was too involved with day-to-day management. Any organization that realizes the board is beginning to manage the organization knows it is not on the right track. The board should focus on strategic issues and the goals of the organization; management basically gets paid to run the organization. So we brought consultants in that had experience with non-profit boards. … I think we're at a level now where we can say that the board is no longer managing the organization and can effectively focus on designing and monitoring the implementation of the strategy.
What would you say caused the board to be too active in the day-to-day management of the organization?
Remes: We as a group are mostly coming from a hands-on, problem-solving level. We're not strategic minds per se. And if that is where your core skillset is and that's what you do on a daily basis, you don't necessarily notice that is what you are doing. The consults helped us to understand what our issues were and where we needed to do better.
Many say the industry is facing a severe shortage of qualified IT security professionals -- Executive Director Hord Tipton said a few years ago that millions more are needed. What are your thoughts on those claims? Should (ISC)2 push more professionals to attain the CISSP certification?
Remes: There is a lack of qualified security professionals; I think we can all agree on that. Over the years, I think there has been a growing misconception over what the CISSP actually is. It represents a body of knowledge that should be assumed to be known by anybody that practices information security. You will never hear me say that all CISSPs are fully qualified security professionals, depending on the area of information security in which they are active.
Do I think we need to work towards more qualified security professionals? I definitely believe so. Do they all need to be CISSPs? I'm not convinced of that. When I have discussions about the CISSP and the certification, I believe the CISSP defines what I would call a 'lingua franca' among security professionals, but you will never hear me say the CISSP is the end-all and be-all of security certifications.
You said you weren't overly involved with (ISC)2 after gaining CISSP certification in 2006, and that most members were the same. Is the organization doing anything to drive increased involvement among members?
Remes: We are definitely working on that. In April 2012, we adopted the new (ISC)2 strategy, which is strictly a member-focused strategy. If you look at what we have done during the past two years, more new (ISC)2 chapters have been globally implemented. Local members run their chapters and that allows us to be much more in touch with our membership. Myself and many of my fellow board members are very involved in their local chapters and communities, and that definitely helps us understand the needs of our members.
What is (ISC)2 doing to produce a new generation of infosec talent, which you agreed is needed to meet increased demand?
Remes: We have the (ISC)2 Foundation, which is a separate organization from (ISC)2 itself. That's where we have all of our scholarships and are working to develop more research. We're also working with several universities worldwide to adopt the CISSP and SSCP content into undergraduate and graduate degrees. We also have the Safe and Secure Online, a program that was developed by (ISC) 2 to provide information security knowledge, including how to behave safely and securely online, for those ages 7-14. It is a course that can be given through schools to students, but also to teachers and parents. It gives our members the ability to give back to their local communities, which is something I strongly believe in.
While information security becomes more prominent in education settings, your own security skills were largely self-taught. How would you like to see young people build up that initial security knowledge?
Remes: If I look at the number of sleepless nights I've had trying to solve security, that's not something I would wish on anybody [laughs]. I think it would definitely be helpful in academia if security became part of the core body of knowledge, and that is already underway. Do I believe the system will produce security professionals that are ready to go? I don't believe so. Most of the security professionals I know are very passionate about what they do, and I think self-study is a core aspect of a security professional. Somebody that is in this business needs to have a passion to keep learning and adapting.
In a relatively short period of time, you've gone from campaigning as an outsider to, as chairman of the board, the ultimate insider. What do you think of that transformation? Do you still believe in your ability to provide that needed change to the organization?
Remes: If I didn't believe in my ability to provide that change, I wouldn't be talking to you as chairman of the board today. I started on a platform of change, and if I can't make that change happen, I would step away. I strongly believe in the people I'm working with, people like Dan Houser, Greg Thompson, Dave Lewis and Jennifer Minella. I think we form a very strong team and have good blend of experience and knowledge to make this happen.