
New (ISC)2 chairman aims to help membership, boost value of CISSP cert

Interview: New (ISC)2 board chairman Wim Remes intends to better serve current members and increase the value of the CISSP certification.

(ISC)2, a non-profit provider of security training and certificates, is best known for its Certified Information Systems Security Professional (CISSP) designation, viewed as the baseline vendor-neutral certification for information security professionals. In January, Wim Remes was elected as the chairman of the (ISC)2 board of directors, a rapid ascension for an admitted outsider who first ran for the board two years ago on a "platform of change."

In this wide-ranging interview with SearchSecurity, Remes discussed the goals he has set for (ISC)2, the changes he has already seen take root, and the ways he wants the group to better serve its members, including restoring the value of the CISSP.


What was your original involvement with (ISC)2, and how have you seen the organization change over the years?

Wim Remes: I got my CISSP in 2006, and like most of the (ISC)2 members, I wasn't really involved in the organization. As I got more and more involved in the security community, I became more aware of what the organization could be. I didn't think it was living up to its promises, and I have to say that more people were thinking the same way.

So in 2011, I ran basically on a whim. Despite being from a small European country and not being well-known in the industry, I was successfully elected. I won a seat based on a platform of change, and in the past few years we've worked hard to turn the perception of (ISC)2 from what I would call a profit-based organization focused on selling certificates to a more member-focused approach. That's where we are now, as I've been elected as chair: driving this home and creating as much value as possible, not only for (ISC)2 members -- though they are the focus -- but also for the security industry and community.

What has your time on the board been like? What has surprised you, both positively and negatively, about the way (ISC)2 operates?

Remes: First, from a positive perspective, when I joined, the only person on the board I had heard of was Dan Houser. I immediately learned that they were all very positive people that were engaged in getting the organization to the level where I also wanted it to go.

However, I would say the board was too involved with day-to-day management. Any organization that realizes the board is beginning to manage the organization knows it is not on the right track. The board should focus on strategic issues and the goals of the organization; management basically gets paid to run the organization. So we brought consultants in that had experience with non-profit boards. … I think we're at a level now where we can say that the board is no longer managing the organization and can effectively focus on designing and monitoring the implementation of the strategy.

What would you say caused the board to be too active in the day-to-day management of the organization?

Remes: We as a group are mostly coming from a hands-on, problem-solving level. We're not strategic minds per se. And if that is where your core skillset is and that's what you do on a daily basis, you don't necessarily notice that is what you are doing. The consultants helped us to understand what our issues were and where we needed to do better.

Many say the industry is facing a severe shortage of qualified IT security professionals -- Executive Director Hord Tipton said a few years ago that millions more are needed. What are your thoughts on those claims? Should (ISC)2 push more professionals to attain the CISSP certification?

Remes: There is a lack of qualified security professionals; I think we can all agree on that. Over the years, I think there has been a growing misconception over what the CISSP actually is. It represents a body of knowledge that should be assumed to be known by anybody that practices information security. You will never hear me say that all CISSPs are fully qualified security professionals, depending on the area of information security in which they are active.

Do I think we need to work towards more qualified security professionals? I definitely believe so. Do they all need to be CISSPs? I'm not convinced of that. When I have discussions about the CISSP and the certification, I believe the CISSP defines what I would call a 'lingua franca' among security professionals, but you will never hear me say the CISSP is the end-all and be-all of security certifications.

You said you weren't overly involved with (ISC)2 after gaining CISSP certification in 2006, and that most members were the same. Is the organization doing anything to drive increased involvement among members?

Remes: We are definitely working on that. In April 2012, we adopted the new (ISC)2 strategy, which is strictly a member-focused strategy. If you look at what we have done during the past two years, more new (ISC)2 chapters have been globally implemented. Local members run their chapters and that allows us to be much more in touch with our membership. I and many of my fellow board members are very involved in our local chapters and communities, and that definitely helps us understand the needs of our members.

What is (ISC)2 doing to produce a new generation of infosec talent, which you agreed is needed to meet increased demand?

Remes: We have the (ISC)2 Foundation, which is a separate organization from (ISC)2 itself. That's where we have all of our scholarships and are working to develop more research. We're also working with several universities worldwide to adopt the CISSP and SSCP content into undergraduate and graduate degrees. We also have Safe and Secure Online, a program that was developed by (ISC)2 to provide information security knowledge, including how to behave safely and securely online, for those ages 7-14. It is a course that can be given through schools to students, but also to teachers and parents. It gives our members the ability to give back to their local communities, which is something I strongly believe in.

While information security becomes more prominent in education settings, your own security skills were largely self-taught. How would you like to see young people build up that initial security knowledge?

Remes: If I look at the number of sleepless nights I've had trying to solve security, that's not something I would wish on anybody [laughs]. I think it would definitely be helpful in academia if security became part of the core body of knowledge, and that is already underway. Do I believe the system will produce security professionals that are ready to go? I don't believe so. Most of the security professionals I know are very passionate about what they do, and I think self-study is a core aspect of a security professional. Somebody that is in this business needs to have a passion to keep learning and adapting.

In a relatively short period of time, you've gone from campaigning as an outsider to, as chairman of the board, the ultimate insider. What do you think of that transformation? Do you still believe in your ability to provide that needed change to the organization?

Remes: If I didn't believe in my ability to provide that change, I wouldn't be talking to you as chairman of the board today. I started on a platform of change, and if I can't make that change happen, I would step away. I strongly believe in the people I'm working with, people like Dan Houser, Greg Thompson, Dave Lewis and Jennifer Minella. I think we form a very strong team and have a good blend of experience and knowledge to make this happen.


If you were in charge of (ISC)2 or the CISSP certification, what changes would you make?
Practical, day-to-day challenges (questions) on the exam that a manager, project lead, and technician would need to know/be aware of, and not simply "filler questions", and by the way, poorly written questions to increase the database of CISSP exam questions.
With expanding security, one could really split up the CISSP into individual security domain specialties. Garnering expertise (via testing) in a specific collection of these specialties could then grant the CISSP itself. From my limited experience, no one works in all the domains or maintains expertise in them. Thus the CISSP is somewhat artificially broad in that aspect.
For kevintt...

Remes touched on it a bit in the interview, but he said the view of the CISSP shouldn't be that holders know everything there is to know about information security. Instead, it should serve merely as a general baseline of knowledge.

He drew an analogy to the medical profession. There are many specialties available to doctors, but ultimately, each has to go through medical school and, when they interact, assume that the other picked up that knowledge base through that shared experience.

Take that line of thought for whatever it is worth.
First thing I'd do is create more opportunities for CISSPs to acquire CPEs without it coming out as a money-making event for ISC2.
I want to see a merger between security associations like ISACA, ISC2 and CompTIA certification so as to reduce the cost of certification for applicants and confusion for hiring companies. There are too many certifications being asked for by hiring managers.