Thursday, September 8, 2011

About certification and certifying bodies

Although I admit that I am not entirely sure why, I am one
of those people who enjoy obtaining professional certifications. I am brave
enough to admit that ego might have something to do with it ;)

At the time of writing this post, I hold CISSP, GCIH, GCFA,
CISM, CISA, and OSCP certifications, and all of them are in good standing. That
means that I have paid the annual dues, maintain my continuing professional
education, and live up to audit standards.

However, staying in good standing takes effort, and the
more time I spend thinking about it, the more I am considering dropping the
CISM and the CISA. The CISM was helpful when I took responsibility for a
complete information security program, but now that I have a few years under my
belt, I don't think it adds much value anymore.
The same is more or less true for the CISA certification. While studying
for the certification has been tremendously helpful in understanding how audit
processes work, I don't ever expect to be an auditor.

So, at this point, CISM and CISA do not add much value for
me, and I believe that I am at a point in my career where I don't need to
distinguish myself by maintaining a laundry list of professional
certifications. While ISACA (the certifying body for CISM and CISA) organizes local
chapter meetings, I don't really feel drawn to them.

SANS certifications appeal to my inner geek; they
demonstrate a level of technical understanding and, in some cases, may
demonstrate some hands-on skills. The SANS certs also allow me to teach, which
is one of my passions. Keeping them active is pricey, but I guess all hobbies
have their cost.

That leaves the CISSP. The one thing that I have benefited
from with the CISSP is that it helped me to develop an understanding of the
breadth of the information security field. And, as sad as it is, CISSP
certifications are too often a prerequisite to make it past HR filters. As the
certifying body, (ISC)2 has never delivered anything of value to me.

Will dropping my CISSP make it harder for me to transition
to another job, if I ever wanted to do so? I don't know, but I am afraid it

Could (ISC)2 be doing a better job? You bet! But, in order
to do so, it will need to change. Change is hard, and often needs new blood.
Maybe it is time for (ISC)2 to shake things up a bit and appoint a new generation
of leadership. Not coincidentally, (ISC)2 is currently in the process of
electing its new board, and I believe that one candidate in particular would be
a very good choice to play an important role in that change.

It is for that reason that I endorse Wim Remes as a
candidate for the (ISC)2 board of directors. Please check out Wim's platform at
If you are a CISSP in good standing, and
if you also believe that (ISC)2 could do a better job at serving the community,
please head over and consider Wim's platform.
