
(ISC)2 at a crossroads: CISSP value vs. security industry growth

Should the (ISC)2 look to grow the pool of CISSPs to meet demand, or boost CISSP value for those who already have it? Eric B. Parizo looks at both sides.

(ISC)2 wants to dramatically swell its CISSP ranks in the next few years. That plan does not sit well with some CISSPs, who say their numbers are already growing too fast and putting CISSP value in question, even though the organization itself believes it’s not growing nearly fast enough.

Following my conversation with (ISC)2’s Executive Director W. Hord Tipton at this week’s (ISC)2 Security Congress, it became clear the organization’s top priority -- funneling as many qualified information security professionals to employers as it can -- is at odds with some CISSPs who fear their hard-earned certification is being watered down by a bevy of inexperienced applicants.

Unfortunately, the chasm between those two divergent points of view may only be growing.

The International Information Systems Security Certification Consortium Inc., or (ISC)2, formed as a non-profit in 1988 to standardize the process of certifying information security professionals. The idea was that a security pro who earned a certification like the Certified Information Systems Security Professional, or CISSP, could easily use that certification to demonstrate a minimum standard of knowledge and experience to potential employers.

Most would agree that, over the years, the (ISC)2's work and the CISSP certification in particular have not only helped raise the profile of the infosec community, but also provided an easily recognizable benchmark: The certification can help CISSPs get job interviews.


In that regard, Tipton believes the (ISC)2’s work is only beginning. Noting that hardly a day goes by without news of another enterprise being breached or losing data at the hands of relentless attackers, Tipton said one reason many companies struggle with information security is because, despite more than 76,000 active CISSPs worldwide and 3,200 who took the test last December, they can’t find enough qualified infosec pros to work for them.

“I’ve yet to get an answer from any security professional that [their companies] had the people they needed to implement the basic security practices that are necessary to slow this onslaught down,” Tipton said.

A strong case can be made that most of the (ISC)2’s high-profile initiatives, such as its Global Information Security Workforce Study, its scholarship program (including new scholarships specifically for women), and its new Global Chapter Program, all serve to support one goal: CISSP growth to keep up with security industry growth.

“I need to find 2 million people in three years to come close to meeting the expected need,” Tipton said in reference to the information security-related job growth his organization forecasts.

But not all CISSPs are on board with (ISC)2's high-growth strategy. Martin McKeay, a CISSP, long-time information security professional and host of the popular Network Security Podcast, said he likes the (ISC)2’s leadership on a personal basis, but doesn’t think it’s doing anything to advance the CISSP certification for those who have already earned it.

“The incessant beating of the drum of the (ISC)2 to add more CISSPs is becoming a bit strident,” McKeay said. “I think they do a disservice to the current CISSPs by really providing little or no value beyond the letters once you have your CISSP. They don’t give back to the group or the community much, and they don’t do a very good job communicating if they are doing things for the community behind the scenes.”

McKeay admitted he does believe more low- and mid-level infosec jobs are becoming available. He said as an increasing number of companies recognize the importance of having a security strategy, they're promoting their practitioners into security management roles, thus opening up more entry-level roles for new or potential CISSPs.

“But the CISSP doesn’t really meet that need because it’s not training per se for any particular discipline,” McKeay added. “It’s simply a way of registering people who have learned enough to pass a test, not necessarily learned enough to do a particular job or even be successful.”

Tipton, however, defended the stringency of the testing process. He said each of the certification’s 10 domains is reviewed on an ongoing basis to validate its continued relevancy, and that the entire exam is torn down every 12-18 months to ensure it covers contemporary skills and emerging technologies.

“It’s not like a college exam where the professor makes it up the night before over a good bourbon,” Tipton said. “It’s fair to say the CISSP exam gets harder every quarter. People tell me that. If people don’t keep up with existing technology, they’ll miss enough questions that they won’t pass.”

Wim Remes counts himself among those who believe the CISSP certification – and the (ISC)2 as a whole – needs an extreme makeover. Remes is an IT security pro for a Big 4 consulting firm in Belgium, and is running for a seat on the (ISC)2 board of directors under what he calls “a campaign of change.”

“When I got my CISSP certification back in 2006, it was regarded as the gold standard in security certifications,” Remes said. “By (ISC)2 focusing on the CISSP as a brand, I think it has in the last few years lost a lot of its shine.”

As of late Thursday, Remes was awaiting word of whether his name would appear on the November ballot, but if elected he would like to overhaul the CISSP certification requirements to add more technical components, soft skills and perhaps a written essay. His fear is, without a drastic change of course by the (ISC)2, CISSPs will no longer feel it’s worth the investment of an annual $85 renewal fee and 20 CPE credits per year to maintain.

“I want to know for myself that I tried to change what (ISC)2 is doing wrong,” Remes said. “Even if I don’t succeed, at least I know I’ve tried.”

It’s clear the (ISC)2 is at a crossroads, and the organization’s direction will be influenced by the success of independent candidates like Remes and others hoping for a spot on the November ballot, and whether the 76,000-plus CISSPs are content with their organization’s direction or are willing to clamor for change. Still, there seems to be little question that, in the eyes of its many CISSPs, (ISC)2 would be well served to better recognize those who take pride in placing five letters after their names.

“They’re concentrating more on reaching out to new people than serving the people they’ve already got,” McKeay said. “Hopefully, that can change.”

Eric B. Parizo is Senior Site Editor for the TechTarget Security Media Group. His rants can also be heard each month on’s Security Squad podcast.

This was last published in September 2011
