Chief Information Security Officer (CISO) Certified?

Sunday, September 09, 2012

Jayson Wylie


EC-Council is currently offering to grandfather, for their new CISO certification, security professionals with around 10 years' experience in a related role.

This is essentially being done to create a reputable base of certification holders, to show better value and to increase interest in, and demand for, the certification in the industry.

The requirements and the content involved in obtaining the certification after September 30th 2012 may not be beneficial for a CISO, and I do not know how applicants going for these positions with this new certification will stand apart from those with graduate degrees in their understanding of security solutions, or from those with other compliance and framework qualifications.

There may be a myriad of people whose career ambition is to become a CISO, and given the way the CISSP has been working, they may think HR, hiring managers and recruiters will not look much further than the paper qualifications.

I have seen, and tend to believe, that more than a few individuals exaggerate their experience or are deceptive about the required background needed to obtain the likes of the CISSP. EC-Council's CISO certification may require 10 years of relevant experience, but what does that mean?

It may just mean they need an EC-Council CISO-certified sponsor, and the investigation into the quality and quantity of the alleged experience may not be extensive. How could it be?

Any industry certification holder who does not really understand more than the buzzwords and basics will be ineffective, and that is ultimately a disservice to the organizations that pay them and to the industry as a whole.

I feel if companies start looking for CISO certified security management candidates, the overall posture of security will be depreciated.

Hiring quality security professionals requires lengthy interviews with very difficult and in-depth questions about their knowledge, experience and abilities. 

A CISO is an officer, and I see no way that any certification, beyond covering frameworks and compliance, will provide definitive proof of effectiveness in the role or even add value.

Organizations that have CISOs are typically large and few and far between, so we will see how this plays out in the future requirements for security's top spots.

Michael Johnson Interesting news, and my main question is why is yet another certification needed? If another reputable base is needed for CISOs, it kind of suggests the current batch are lacking in something important, or at the very least businesses aren't confident in their ability to protect whatever assets. A certification couldn't fix this, if there's still a relatively short supply of qualified professionals.

On the subject of candidates being a little deceptive in order to obtain a CISSP, I wouldn't hold that against them. If ISC2 is claiming most employers won't hire without a CISSP, and five years' security experience is required to get one in the first place... A little deception could be excused if the applicant has the enthusiasm, attitude and talent, but has to game the system a little to get a foot in.
Johnny Hernandez I absolutely would "hold it against them." The Code of Ethics Canons are quite clear....

"Act honorably, honestly, justly, responsibly, and legally."
Michael Johnson Two problems with that argument:

* Ethics are something personal each of us develops over time, not a ready-made set of arbitrary rules. Strictly speaking, the 'canons' are a code of conduct.

* 'Legally' and 'ethically' are two different things. It's possible to act illegally but entirely ethically, and vice versa.

* The 'code of ethics' (canons, etc. etc. whatever) mean nothing if the vast majority of young hackers aren't members of ISC2. If the young hackers outnumber the CISSPs, your 'code of ethics' becomes a set of rules a minority signed up to.

* If you are a CISSP, aren't you already in breach of the 'code of ethics' every time you 'associate professionally' with a 'non-professional'? Feel that guilt creeping in?

I could go on, highlighting various points of doctrine, logical flaws, implications and so forth, but I've had a little (quite a lot actually) to drink. That is all.
Johnny Hernandez Your attempt at dancing around the obvious only further proves my point. The Information Security and Risk Management Practice has zero need for those who cannot conduct themselves at the highest of standards in the effort of furthering both the profession and the Security/Risk stance of the organizations and customers they serve as practitioners. Rather than your dancing act, indulge us with your argument and concrete justification for "candidates being a little deceptive in order to obtain a CISSP." Deception is deception, regardless of how you'd like to wax isn't.
Michael Johnson No it doesn't, and I'm not sure how my little prose came across as poetic or a 'little dancing act'.
Firstly, I've addressed an issue that should have been obvious to ISC2 itself: if it's claiming most employers are demanding a CISSP, and you need five years' experience to get one, that was bound to cause issues from the start. It leaves us with a load of talented people who potentially can't get through the recruiting process - what then?
People are going to find ways around it, and maybe they were ethically justified in doing so under the circumstances.
Besides, it takes far more than a cert to become a pillar of the community.
Ian Tibble CISSP is more pertinent to manager level positions than analyst type positions - but even then it's not really a decent fit for the role. I agree, a new cert is needed, preferably one that demonstrates prior competence as an Analyst after at least 5 years in the role.

Anyway - "ethics". In terms of how this weapon is wielded in infosec circles - it's extremely unethical. Why? Because you are creating your own private little world as a framework for judging others outside of the law. I always believed in "innocent until proven guilty" myself.

One may have their own ideas on what is ethical or not, but one should keep it to themselves - better. When it's used to judge a person's professional capacity, use of ethics is really vile and obstructive. You're judging someone based on your conscience rather than the words on their CV.

The typical usage of Ethics in infosec is to exclude the more technically gifted people from the field so as to serve a private agenda e.g. if one spoke at a Black Hat event, then one is unethical according the private framework of ethics of the individual, and therefore "unsuitable" for "white hat" roles. The fact that the unethical, but legally innocent candidate would make the other analysts (and more importantly - the interviewer) look like turkeys is neither hither nor thither.

Johnny Hernandez What ISC2 claims or doesn't claim has little relevance to my point of contention. In fact it's another topic altogether. There is no "ethical justification" for deception or falsehood with requirements. In fact it does not support an important pillar of this profession, honesty. Ultimately what you are describing is an issue with the hiring process. That simply presents a challenge to be addressed by yet another common exercise in the Security/Risk When I read/discuss an employer's requirement for ANY cert I immediately red flag them and ask the most important question...."Why do you believe a CISSP (insert cert of the month here) is required?" The responses have ranged from the very amusing to the poorly educated on Security/Risk as a whole. A recent conversation on a hiring opportunity comes to mind. The hiring manager required a CISSP and was seeking an "Application Security Expert." After a few additional questions it became more than apparent that what they were actually seeking and needing was an individual with a significant development and application background who had experience in properly applying Security/Risk practice to the previous. As practitioners we are afforded many opportunities for educating and mentoring those around us. There is no easy route.
Frank Steele "* Ethics are something personal each of us develops over time, not a ready-made set of arbitrary rules. Strictly speaking, the 'canons' are a code of conduct." You are right Ethics are NOT a ready-made set of "Arbitrary" rules. They are a ready-made set of rational rules.

What you are speaking of is moral relativism, and your comment on hanging out with 'non-professionals' is too stupid to provide a real comment on.