Truth: I used to think (ISC)2 was one of the most useless organizations on the planet.
They never seemed to listen to the people who had invested in their CISSP training. A couple years ago, people even started to brag about letting their certifications expire.
But something happened that gave me renewed faith in the organization.
A bunch of talented, well-known security professionals started running for seats on the (ISC)2 board, and now we have powerful voices for improvement, including Wim Remes, Jennifer Minella and Liquidmatrix’s own Dave Lewis.
I also got to know Executive Director W. Hord Tipton, and admire how he addresses the critics head-on. I’ve seen a lot of executives take the duck-and-cover approach when the tough questions come. But Hord goes for the throat. In an interview I did with him while I was managing editor of CSO Magazine, I asked about those who were flaunting their expired cert status. His reply:
What irks people is that certs are job requirements and some folks don’t feel they need a certification to be validated. It’s often the same people who are fussing.
Bam!
In light of all this, I have a renewed interest in what the organization is doing, and am happy to see that it has launched a new Web Application Security Council. From the press release:
The Advisory Council was established to evangelize for the adoption of secure software development best practices through professional certification. The council consists of 15 software security professionals in senior roles at leading business and government agencies around the world, including:Â
• Tony Vargas, CSSLP, CISSP-ISSAP, Security +, technical leader, Engineering, Cisco; co-founder, chairman & president,(ISC)² Sacramento Chapter; chair, (ISC)² Application Security Advisory CouncilÂ
• Anthony Lim, CSSLP, CISSP, FCITIL, Asia-Pacific director, WhiteHat Security Inc., vice-chair, (ISC)² Application Security Advisory CouncilÂ
• David Kennedy, CISSP, OSCP, OSCE, GSEC, MCSE, ISO 27001, founder & principal security consultant, TrustedSecÂ
• David O’Berry, CSSLP, CISSP-ISSAP, ISSMP, CRISC, worldwide strategic technologies, Office of the CTO, McAfeeÂ
• Erin Jacobs, CEH, CISA, QSA, managing partner, Urbane SecurityÂ
• Glenn Leifheit, CSSLP, CISSP, ACS, principal security architect, MicrosoftÂ
• Jacob West, CTO, Enterprise Security Products, HPÂ
• Joe Jarzombek, CSSLP, PMP, director, Software & Supply Chain Assurance, SECIR/CS&C/NPPD, U.S. Department of Homeland SecurityÂ
• Joshua Corman, CTO, Sonatype; founder, “Rugged Software†and “I am The Cavalryâ€Â
• Katie Moussouris, chief policy officer, HackerOneÂ
• Mano Paul, CSSLP, CISSP, GWAPT, GSSP-.Net, MCAD, MCSD, CompTIA Network+, ECSA, founder and CEO, SecuRisk Solutions and Express Certifications; founder, HackFormersÂ
• Mikko Varpiola, security researcher, CodenomiconÂ
• Sean Mason, CSSLP, CISSP-ISSMP, CCFP, CISA, CISM, PMP, executive incident response leader, CSCÂ
• Tom Brennan, CISSP, founder, proactiveRISK and CyberTOOLBELT; global vice chairman, OWASP FoundationÂ
• Zachary Tudor, CISSP, CISM, CCP, program director, Computer Science Lab, SRI InternationalÂ
“We’re pleased to have some of the most prestigious names in the realm of application security on our new council,†said W. Hord Tipton, CISSP, executive director, (ISC)2. “Our Certified Secure Software Lifecycle Professional (CSSLP) certification was developed with the mindset of changing the way the world looks at developing software, by building security in from the onset to help avoid the outrageous cost of bolting on security later. We must increase the level of awareness in this area, and I’m confident that this group will spearhead the cause to make software more secure throughout the entire development life cycle.â€Â
The first ASAC meeting will take place on Friday, August 1 in Las Vegas, Nevada, prior to the Black Hat USA Conference.Â
I know most of the people on this new council, and they are the real deal. They are security rock stars. Together, they will do big things.
Congrats to all involved.
I wish ISC would audit more applications. When you hear of a Geek Squad guy getting a CISSP you have to wonder what domain covers fixing broken PCs?
As someone with a CISSP number that’s 57,XXX, I’ve been at this game for a bit. While there have been positive changes over the years, there is still some more to do that will keep the value of the certification and not water it down.
Andy – Every endorsement is reviewed for the experience, the audits just involve contacting the listed employers directly for confirmation. If you are concerned, you can always file an ethics complaint.
I am interested in looking in to this to improve our process though, so please feel free to send me the details of the person you referenced.
I am also interested in hearing your ideas on keeping the value of the certification as well. As a CISSP-ISSAP and an HCISSP, I’ve got skin in the game too.
If you email membersupport@isc2.org and tell them to forward the message to me, they will get it to me.
Sincerely,
Erich Kron
Director of Membership Relations and Services
(ISC)2