Interview: CEO to say so long to the (ISC)2

For five years, James E. Duffy has been the face of the (ISC)2 and the CISSP certification. He'd now like to devote more time to being a husband, father and grandfather. Duffy announced in February his decision to retire as CEO and president of the security certification organization. During his tenure with (ISC)2, the CISSP has become the gold standard of security certs, growing its ranks to 33,000 certified practitioners worldwide, including 12,000 outside the United States. That international growth--the CISSP exam is now offered in German, Korean, Japanese, French and soon Spanish--is something Duffy, 60, hopes the organization will continue to pursue. Another benchmark for Duffy came last June when the CISSP became the first IT certification to earn ISO 17024 accreditation. Duffy talked to us about where the CISSP will go in the coming years.

Retirement is a time for reflection. How will you look back on your five years with the (ISC)2?
I certainly will look back with pride that under my leadership we've grown from a small community that was primarily U.S.-centric to a strong, well-respected international certification. We've reached a point where companies are making hiring decisions on whether people have our CISSP certification.

In general terms, I'm very proud of our international growth. When I took over, we had 300 CISSPs outside the U.S. Now that number has grown to more than 12,000 in 110 countries. I worked very hard on building alliances throughout the world. It's helped the overall reputation of ISC2 that we have this broad international acceptance.

How do you explain the quick rise in the ranks of certified CISSPs to 33,000 today?
Hard work in getting the message out, and spreading the message of professionalizing the information security practice through certification. We have good people carrying that message here and on the international front. And the people who have the certification are standing up to what our claims are. They are performing the job as advertised. Until the CISSP had some recognition, there was no real benchmark. If someone applied for a job, all a manager had to go by was the resume. There was no third-party endorsement.

With such rapid growth, is there a concern that the value of the certification would ever be watered down?
I wanted this kind of growth, particularly internationally, otherwise the CISSP would just be referred to as a U.S. certification. The sense was we had just touched the surface of the information security practitioner population.

We aggressively moved forward by offering the exam all over the world; we expect this year to give 450 exams in 45 countries. Our motto is to bring certification to where there's people. Last year we did our workforce study, and it says there are 1.3 million information security practitioners in the world. Let's say 10% show interest in becoming CISSP, that's only 130,000. We've only scratched the surface.

What shape is the CISSP in today, and what work remains to be done?
The certification today is stronger than it's ever been, and that's not just us saying it. The things that need to be done and worked on: We need to increase the rigor; do more translations; promote our concentrations like the ISSAP (Information Systems Security Architecture Professional, which demonstrates competency in security architecture) and ISSMP (Information Systems Security Management Professional, which demonstrates competency in security management); [and] test in greater depth.

How do you address the knocks against the CISSP, in particular those that charge the exam doesn't test practical experience?
I don't think they're valid. You have to have four years' experience within the 10 domains the exam covers, or three years and a Bachelor's [degree] to sit for the exam. You do have to have practical experience and have to have continuing education to maintain certification -- 120 hours every three years. I see those same [criticisms] and we certainly listen, take heed and invite those people who are critical to be specific and join the process. All of our questions are written by volunteers who are CISSPs. We even go so far as to put together an international panel to review it to make sure it can be answered in every language.

What's the best advice you can offer your successor?
No. 1 is obviously to continue and improve the rigor of the examination, which the board would insist upon -- to very strongly focus on constituent service. This year, for the first time, we will re-certify more people than we will certify. [My successor] must continue to inform practitioners of the value of the cert to make them want to retain it.