(ISC)2: 'Nothing has changed' on CISSP requirements

In this Q&A, (ISC)2 board member Howard Schmidt -- a former Microsoft CSO, eBay CISO and White House cybersecurity advisor -- explains why the Authorized Academic Center program was started and why (ISC)2 believes concerns that the CISSP certification will lose its luster are off-base.

has received plenty of reader response to a column from Winnipeg, Manitoba-based author and infosec professional Sean Walberg, in which he argued that the highly valued Certified Information Systems Security Professional (CISSP) certification may lose its luster now that two colleges will soon offer International Information Systems Security Certification Consortium coursework as part of their undergraduate degree offerings via the (ISC)2 Authorized Academic Center (AAC) program. Walberg said the move could make it easier for less experienced security pros to gain certification.

In this Q&A, (ISC)2 board member Howard Schmidt explains why concerns that the CISSP certification might become less relevant are unwarranted.

Some veteran CISSPs object to the AAC program because they say it may make it easier for less-experienced security pros to obtain the same certifications held by those who have been in the field for decades. What's your response to that?

Howard Schmidt: The bottom line is that nothing has changed. The certification program hasn't changed. You have to go through the entire program. AAC just allows you to start learning earlier and get the baseline knowledge. To get certified, you have to do all the same things you had to do before. Requirements are the same across the board. 

As Walberg and some of our readers have said, Microsoft's MCSE cert has been "watered down" because of an "over-marketing" of the program. Are you worried about the same thing happening to the CISSP?

Schmidt: Not at all. With the IT security workforce, we only have 40,000 people certified to date. Part one of this is marketability. The certification will certainly give you an advantage. But look at CPAs (certified public accountants). Those who want to be CPAs need to get that baseline knowledge and education. I know people who go through all the education and then decide they don't want to go through the certifications and they still go off and do useful work and have a career in the field, even if they're not CPAs. 

How did the AAC program come into being?

Schmidt: We were looking to move the educational process earlier into the career and get this to be the beginning of people's curriculum. The program is an entry point for people to start gaining knowledge at the beginning, when they decide to go into IT security. This gives them a good baseline of knowledge. 

The program has been in existence for some time now, but (ISC)2 has only recently signed up its second school, while saying it hopes to eventually partner with as many as 100 schools. Why hasn't the organization recruited more schools to join up to this point?

Schmidt: There are actually a lot of universities that have developed similar programs on their own based on our material, so there isn't a need to aggressively market this.

Can you name some of them?

Schmidt: Boston University, Dakota State University, the University of Alberta, Northumbria University in the U.K., and the National University of Singapore. They advertise that their programs include classes that use CISSP and SSCP domains, but these programs are not endorsed or authorized by (ISC)2.

What are the key benefits of the AAC program for college students and infosec pros alike?

Schmidt: At the college level, this gives you a baseline and you can become an associate of (ISC)2. Later, you go through the usual field experience and other things to earn full certification. 

So for the record, the program doesn't allow you to actually earn a certification in college?

Schmidt: You can't get the certification without the requisite years of experience. This at the college level doesn't give you the certification. 

What role do college internships play in the AAC program?

Schmidt: Nothing specific. We give scholarships for post grads to do research around the world, but there is no relationship with college internships in the AAC program.

What's your take on the proliferation of certification "boot camps" for the CISSP and other certifications, and what effect, if any, do you think the AAC program will have on them?

Schmidt: Some boot camps are very good, [but] we have no legal authority to stop them. We have to make sure certain standards are being met. If you don't get consistent training along the way and get the requisite skills in whatever programs you do, you won't pass the test. If I were spending money on a boot camp, I'd ask myself if it was going to give me the requisite experience and help me pass later on.
