'Four horsemen' posse: This here security town needs a new sheriff
Body which issues CISSP tin stars set for shakeup?
As the overpriced beers flowed and dusk approached in central London pubs surrounding the venue of RSA Europe last week, talk often turned towards the (ISC)2 security certification body.
(ISC)2, which administers the widely recognised Certified Information Systems Security Professional (CISSP) qualification, was "a waste of money" and its board of directors "filled with a bunch of out-of-touch boobs" who are unaware of the practical issues in the working life of an infosec professional, we heard.
Membership fees for the organisation are $85 a year. But what do the 80,000 (ISC)2 members get in return?
A cursory search reveals that the beer-fuelled criticism is matched by a series of critical blog posts by respected members of the security community, including Jack Daniel, co-founder of the BSides security conference, and other security honchos such as Rob Graham.
Many of these blog posts note that upcoming (ISC)2 elections in late November offer a chance to make a change.
(ISC)2 directors are elected for a three-year term. Four of the 13 seats on the board are up for re-election this time around. As well as the six candidates on the approved slate there will also be a chance to vote for two alternative (unendorsed) candidates, one standing on a reform ticket. Eligible (ie, fully paid-up) members of (ISC)2 also have the opportunity to cast their vote for a write-in candidate. More details on the (ISC)2 board election process can be found here.
Now it seems that a group of radicals wish to infiltrate the group. The "Four Horsemen of the Impending Infosec Apocalypse" - prospective candidates for the (ISC)2 election who not included on the official slate - have put themselves forward for election. Only one of the four - Dave Lewis (@gattaca) - made the cut. Scot Terban, Boris Sverdlik and Chris Nickerson all fell short. Another candidate, Diana-Lynn Contesti, will appear on the official ballot papers. Contesti was previously on the board but is not an incumbent.
Manifestos for members of the loosely formed "freak ticket" alliance can be found by searching for (ISC)2 on infosecisland.com. There's also a CSOonline article on Lewis's candidacy and desire to restore the integrity of the CISSP exam. Both Lewis and Contesti are Canadian residents.
The two successful unendorsed candidates managed to get 500 nominations from (ISC)2 members, via emails in support of their candidacy from registered accounts, before a 17 September deadline. Pulling off this not-inconsiderable feat means that their names will appear on the ballot for the upcoming election. Signing the petition to get someone on the ballot does not commit members to vote for them in the actual election.
Of the two unendorsed candidates, only Lewis represents reform. The lack of choice among the rest is likely to irk critics of the organisation, who are not difficult to find.
"I think (ISC)2 and the CISSP just need to go away, be put on an ice floe and sent out to sea - but since that seems unlikely, I’ll support folks who want to make a change," writes Daniel, in characteristically caustic style. "Wim Remes made it to the board last year from a write-on candidacy, let’s see if we can get more - at least on the ballot."
Another critic, NovaInfosec.com (an association of infosec professionals in the Washington DC area) writes: "Keeping the same old guard on the board will simply result in a certification that continues to be disconnected from the day-to-day practical aspects of today’s security professionals. The first step to reconnect the ISC2 board with the practical aspects of today’s infosec pro is to get more community representation."
And there's more along the same lines from Rob Graham of Errata Security, who writes: "The best known professional certification in cybersecurity is the 'CISSP' (by the (ISC)² organisation), but it’s horrible. The test givers are incompetent. The organization is corrupt. Its ethics are unethical. It’s a typical example of rent-seeking behavior rather than a badge of quality. These problems have only gotten worse over the last decade as the organization has resisted reform."
Graham, like Daniel, praised the election of Wim Remes to the board last year as part of a much-needed reform process. Remes is is a manager in risk and assurance practice at Ernst & Young in Belgium. But what really appeals to those who dislike the stuffed shirts is his work organising the well-regarded BruCON security conference and presenting at BlackHat.
Remes told El Reg that he might have joined in with the criticism last year himself but 10 months on the (ISC)2 board has shifted his opinion. The board of (ISC)2 is made up of representatives from academia, industry and internet committees. Unlike critics, Remes doesn't think the group is out of touch.
"We need fresh blood but we don't want to throw our history away," he said. "The present board are a diverse bunch who are well in touch with what's happening in security, and knowledgeable."
"They're not stuffy types... and not on the board just to be on the board. (ISC)2 is less bureaucratic than I thought it would be," he added.
CISSP certification helps people to get or retain jobs in information security but it's not mandatory to have any qualification to have a job in the profession.
Remes cites the fact that the 80,000 membership of (ISC)2 is going up as evidence that the organisation is still relevant and focused on the needs of its members. The (ISC)2 board meets face to face quarterly in diverse and sometimes exotic locations as well as taking part in more regular teleconferences.
Although the board is in charge of governing (ISC)2, the day-to-day running of the organisation is left to a management team.
John Colley, managing director for EMEA and co-chair of the European advisory board for (ISC)2, said members get two broad categories of benefit.
The first is "continuing professional education opportunities", he said. "We do this by staging online and face to face events with the (ISC)2 Secure series and Think Tank sessions and by negotiating concessions and discounts at major industry events around the region," Colley explained.
The second major benefit cited by Colley is that "(ISC)2 provides a voice for the community, develops recognition for the profession itself and facilitates opportunities to give back to society."
The latter, in particular, sounds a bit woolly. Against this Colley said that (ISC)2 member volunteers will be presenting to an audience of over 3,000 schoolchildren in the UK during Get Safe Online Week (22-26 October). (ISC)2 is also developing an application security challenge for Cybersecurity Challenge UK, a government-backed scheme aimed at filling the growing security skills gap by attracting newcomers to the infosecurity profession, he said.
Remes highlighted networking opportunities organised by local chapters and the ability to share best practice as a key benefit of remaining a CISSP.
Colley added that the thorny issue of what members get for their $85 (£53) membership fees crops up every year, normally around the time of board elections. "To understand the value received for AMFs [annual membership fees], we made a concerted effort to ask the members in this region what they are looking for from (ISC)2," he said.
A light-hearted look at the benefits of being a CISSP can be seen in a video by security blogger Javvad Malik (below).