News Stay informed about the latest enterprise technology news and product updates.

New ideas from (ISC)2's new chief

ORLANDO, Fla. -- Rolf Moulton, CISSP-ISSMP, CISA, CCP, has been steering the ship of the (ISC)2 for about six weeks now. But the new CEO's relationship with the security certification organization goes back a ways. Moulton, who created information security programs for Unilever, BP America and the City of New York, formerly sat on the (ISC)2's board of directors. He says his primary goal is to improve member services. But Moulton told SearchSecurity at this week's Infosec World that he's also pondering some changes to the popular CISSP certification.

What is the first thing you'd like to bring to (ISC)2?
(ISC)2 is the first job where there's been a predecessor. [Outgoing CEO] Jim Duffy did a great job of taking what had been a volunteer organization and professionalizing it. He moved us from 3,000 constituents to more than 33,000 -- and still growing. What I see my

job as doing is taking the excellent foundation that Duffy created, including a highly professional staff, and positioning us for the next three to five years of growth, including doubling our constituent base. What are the implications of doubling the number of certified security professionals? Is (ISC)2 watering down the value of the cert?
No. There are different kinds of certifications to address different sectors of the market. We are the gold standard; we are ANSI*certified [for the CISSP]. We will get ANSI certification for other credentials. *American National Standards Institute But does certification mean something different as more and more people achieve it?
No. I see it taking on a meaning that maybe we need to fashion better. [The certification] represents really understanding a base of knowledge and practices. It represents a period of experience and it represents a code of ethics. As we get standard practices, similar to [those that] accountants and doctors [have], when practices become a procedure, then we will advance the profession. The CISSP exam is now translated into five languages and has achieved huge international growth. Is it becoming harder to establish common security practices that cross borders?
If you have an international standard, the intent is to make it global. Will there be regional or country specific implementations? Yes. But the intent is to make it global. As you do that, do you need to create components within the exam that are specific to certain nations and regulations that exist within those nations?
We're looking at that. We're looking at that in two countries, which I won't name right now.

Pass the certification exam

Visit's Security School on CISSP training

Stay abreast of CISSP-related news and information

It would be premature to announce that until we come to closure. It would not be a country-specific certification, though. I think of them as little oak clusters added to the [CISSP] badge.

I don't see us coming down to the level of saying you're a U.S. Sarbanes-Oxley specialist. But U.S. and European law are increasingly driven by a compliance perspective. So a government specialty that dealt with regulatory compliance might be a good thing. But are we going to do it? We're still working to try to find out. One criticism of the exam is that it should feature more hands-on material. How do you answer that charge?
Increasingly we're putting in scenarios, higher cognitive testing. I'm not sure what the right level of scenario-based testing is. Editor's Note: (ISC)2 estimates that 20% to 25% of its questions are scenario-based and says it is looking at expanding that percentage. As more security pros earn CISSP accreditation, do you see the need to add new segments of certification or higher levels of certification that distinguish those practitioners with more experience?
We have been looking at analogies to MDs, CPAs and engineers. An MD is an MD; a CPA is a CPA. We think that a CISSP is a lifetime credential. But we're still looking above and below CISSP to see what makes more sense in the market today and what makes more sense in the market five years from now. But is the right answer to reinforce the CISSP with more extensions? Or is there the need for a horizontal-level certification? I started off as an information security manager. I did risk management. Is risk management a horizontal [practice] or is it higher [than information security]? You could say risk management is higher in some cases because information security comes under it. Is a compliance officer different than a security manager? I don't see a lot of blacks and whites. I see a lot of grays. I don't think we need a new credential. I think we need to bolster the CISSP. I feel more comfortable to say [these roles] are horizontal than to say that one is higher or lower.

Dig Deeper on Information security certifications, training and jobs

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.