Information Security

Defending the digital infrastructure

Certification requirements could change role of CSOs/CISOs

A new certification program by Risk Analysis Group sparked debate among infosecurity leaders about the credentials necessary for the role of CSO and CISO.

A Los Angeles consulting firm is betting that the growing emphasis on infosecurity as part of overall business risk management will fuel interest in its plan for a new CSO/CISO certification program. However, infosecurity analysts and existing certification organizations say the certification would be redundant and are skeptical about its prospects.

Bill Gillespie, president of Risk Analysis Group, likens the certification to "a Ph.D. in security," with an emphasis on business continuity, including heavy stress on compliance with the Sarbanes-Oxley Act.

In the wake of corporate disasters like Enron and WorldCom, Gillespie says CEOs are looking for the right mix of skills to manage corporate risk and compliance. So, he sees the new CSO requiring skills in risk assessment and business continuity planning, and to be the go-to person for Sarbanes-Oxley compliance. Risk Analysis Group has no date for launching the certification program.

The program faces many challenges. For starters, there's a credibility issue.

"You have to ask yourself what's happened that's different today than when these other certifications were created."
James Wade, (ISC)² president and CEO

"I would never pursue it, because it's by a for-profit consulting firm," says Michael Rasmussen, an analyst at Forrester Research.

Another obstacle is competition from existing security certifications, particularly the Certified Information Systems Security Professional (CISSP), administered by the International Information Systems Security Certification Consortium [(ISC)²] and the recently introduced Certified Information Security Manager (CISM), by the Information Systems Audit and Control Association.

"For a CISO certification, I don't think there's any more confusion needed to muddy the waters that are already out there," says Rasmussen, a CISSP. "I'm very much in favor of the CISSP being the CSO certification."

James Wade, (ISC)² president and CEO, says that the CISSP reflects a constantly changing body of knowledge.

"In my role as the chief information security officer," says Wade, who's also the CISO of KeyCorp., "what's my expectation of what other information security professionals should know?"

Few CSOs are responsible for managing risk continuity, he says. If this changes, (ISC)² would adjust the CISSP body of knowledge accordingly.

"You have to ask yourself what's happened that's different today than when these other certifications were created," Wade says.

On the other hand, maybe there's just a new job here, says Rasmussen. Perhaps the industry needs a "chief risk officer certification," especially in the financial sector.

"A lot of these CSOs and CISOs are turning into the chief risk officer," he says. "So the CISSP doesn't really apply to risk management, in the broader term."

This was last published in September 2003
