Revamping credentials is key to ensuring that they remain inclusive and represent the best people.

Speaking to SC Magazine, (ISC)2 executive director W. Hord Tipton said that revamping and improving credentials and certifications was a part of what (ISC)2 was trying to do. After some criticisms that CISSP is not representative of modern, changing skills, and that some professionals have chosen not to keep their CISSP certification, I asked Tipton where he sees the future of the standard.

He said: “We've been looked at as the gold standard, particularly with the CISSP for several years now, and the reason for that is that we constantly revamp that credential, as we do all of our credentials. Having more credential holders in the CISSP with the demand to keep it updated and to keep the credential inclusive of all of the current technology as quickly as it changes [is difficult].”

Asked if there is a need to keep updating things so they are very current, Tipton said that it was a very delicate balance as "no one credential does it all".

“We do have to constantly explain and communicate that as broad as the CISSP is, for example, and as well adapted it is to all of the things that security professionals have to touch in one way or the other, in some ways deeper in certain areas than others, it found the right fit from the very beginning of its development in the beginning and that's why I think it rose to the top,” he said.

“The jobs that security people have to do constantly change; you may be doing access controls one day, configuring firewalls the next and you may be setting up a telecommunications network the following day. There are not enough people to go around, to begin with.

“Our research estimates we need about 300,000 additional people around the world for 2013, so you need people that are very versatile and you need people who can demonstrate that they're capable of being trained. Training is expensive. You want to be sure you invest in the right people, because, as I say, no one certification has all the answers.”

Tipton said that as a global standard, in some developing countries, the CISSP is simply too difficult, and the better need is for the systems practitioner credential (SSCP) that requires less experience and is more hands on.

Talking about the skills gap, I asked Tipton if CISSP can be seen as an entry standard to get a job – a way of proving your capabilities. He said the problem is that computer science graduates are still missing the security piece.

He said: “We will feel successful when we start getting some kids say ‘I want to be a digital forensics expert'. What we don't want to hear is ‘I want to be a hacker'. So part of that programme of getting a foot into the door is to make kids aware that you can get in trouble very, very quickly on the net. We just think education is the key to solving a very, very serious problem.”

Tipton said that when it comes to attracting the right people, this industry does attract people who are well-rounded, but they have to be more prepared at a much earlier age; where they go into the industry with a full set of skills, and not just a partial set.


I asked Tipton if the problem with CISSP was that everyone who has it is not at the same level of capability. He said that it is not a matter of just getting it, but that CISSP establishes and prescribes a minimum level of experience and knowledge that you have to have, not the maximum.


“We don't give the actual passing scores or the results of people who pass. It's like the law, the Bar exam, in the US at least, whereas if you pass your law or if you don't pass, then you have to take the test again,” he said.


“Only do we provide the results of the exam to people who have not passed it. We tell them areas where they need more work and where they need to study. We do the same thing with people who do pass, in terms of getting their continuing professional educational (CPE) credits, which is another vitally important part of this, to make sure that the 2004 CISSPs stay up to speed with the change in the technology.


“They need 120 CPDs every three years, and I consider this part of the revamping; we constantly look at ways to make our members stronger, and those members that we have, to keep them stronger, and to lead them, prepare them for the next generation of technologies.”


Tipton said that as well as re-evaluating CISSP holders every three years, it was considering additional things to give its members help along that way and get the exact right type of CPDs that they need. "So we constantly have a number of areas of potential improvement, but then within a now already rigorous system [the challenge is] to try to stay current and relevant," he added.


I asked if people are getting the right amount of professional development to make sure they're keeping up, because otherwise you have the ratio balancing out and not the right people coming in, and those who are there are not at the right level of experience.


Tipton said that (ISC)2 is ‘probably' the only security certification organisation that had a pretty rigorous scheme for demanding CPEs in the first place, and then secondly, sorting out the types of CPEs that would be acceptable for research certifications.


He commented that (ISC)2 was seeing other certifying bodies now emulate its CPE process, and other international accreditations have been more insistent that all certifications have a CPE requirement tied to them.


“There have been a number of certifications that once you pass the exam, it's like a college degree, you have that credential for life, and that's not the case in our world,” he said.


Does CISSP have a future? Of course it does, it is the recognised standard for information and IT security professionals and if you were to hire someone with a CISSP you know that at some point they passed the exam and to keep the certification, they have done the CPD requirement.


The dilemma (ISC)2 and other accreditation companies face is making their certifications appear worthwhile having. If it seen as too expensive or too cumbersome to keep up with or even if employers do not see it as a crucial CV entry, the number of more experienced CISSP members may begin to decline.