(ISC)2 Election Puts New Blood On Its Board Of Directors

The security certification group has faced criticism from its members regarding the CISSP certification

The new year will be bringing some change to the board of directors of the International Information Systems Security Certification Consortium (ISC)2.

The board's recent election has resulted in a mix of old and new blood coming to the board, which come January will include former board member Diana-Lynn Contesti, Hiroshi Yasuda, incumbent board member Corey Schou -- and Dave Lewis, one of a group of candidates nicknamed the "Four Horsemen" who started petitions to be placed on the ballot and were not endorsed by the board. Of the four, only Lewis garnered enough signatures to be included.

Contesti was also not among the candidates endorsed by the board and got on the ballot after launching a petition for support.

"I was one of those people where I was sitting there going, 'I'm not entirely understanding what the value of the certification is at this point, what am I getting for my annual dues'," Lewis tells Dark Reading.

Not wanting to sit on the sidelines, he decided to run, he says.

(ISC)2 has faced criticism from some of its members, particularly with regard to the administration of a certification known as CISSP (Certified Information Systems Security Professional), with some members complaining that the certification is out of touch with the practical realities of the security world. Others have called the organization out over issues of transparency.

According to Hord Tipton, executive director of (ISC)2, the CISSP exam has to be constantly updated to reflect changes in technology, threat concerns, and realities such as the boom of mobile devices.

"Each quarter we have workshops that look at the questions ... and each of those is analyzed with respect to success on those questions, the level of difficulty, their relevance, are they current and ... [add] new relevant questions and delete those that become obsolete," Tipton says. "That's an ongoing process of maintaining credentials."

In January, Tipton plans to address some of the issues surrounding testing by bringing a few new ideas before the board for consideration. For example, he says, the fact that tests are now fully computer-based allows the organization to structure questions differently.

"Although the exams currently contain scenario-based questions to test for application of knowledge, additional virtual depictions can test deeper into one's hands-on abilities through what we call innovative questions," he explains.

Tipton says there are plans in the works to add new technical credentials and to expand the outreach efforts of the chapters.

"Our chapters will broaden community outreach including security awareness and direct involvement in educational activities in our schools and universities," he says. "Our scholarship program has proved to be very appreciated when awarded to deserving aspiring security professionals and cyber competition winners. These programs will grow with our increasing membership."

Lewis, who works at Advanced Micro Devices and founded Liquidmatrix Security Digest, says there is a disconnect between the organization and some of its members, and that the "shine had gone off the diamond for quite a lot of people."

"I think part of the reason, too, is that the organization as a whole may not have done the best job reaching out to the user base that they could have done, or a very good job of publicizing effectively what programs are going on, and things to that effect," he says.

Though he did not lay out specific plans for any reforms he would push for, Lewis says that part of the reason he was elected was that people want to see some positive change.

"A lot of people voted for me, a lot of people put their trust in me, so I'm going to be on there, and hopefully do a good job for them," he adds.

*This story has been updated.

User Rank: Apprentice
1/28/2013 | 4:45:04 PM
re: (ISC)2 Election Puts New Blood On Its Board Of Directors
If used in the proper way, it's great. That is, if you took someone with a CISSP and thought "this person has a great foundation in security knowledge" the test would be hugely helpful. The problem is that the security field has made it into this end-all-be-all judge of qualification. It's not.
User Rank: Strategist
12/12/2012 | 4:00:23 AM
re: (ISC)2 Election Puts New Blood On Its Board Of Directors
Applause to the folks who choose to get involved, rather than just stand on the sidelines and complain. What do you readers think about the CISSP and other security certifications out there?
--Tim Wilson, editor, Dark Reading