
'Four horsemen' posse: This here security town needs a new sheriff

Body which issues CISSP tin stars set for shakeup?


As the overpriced beers flowed and dusk approached in central London pubs surrounding the venue of RSA Europe last week, talk often turned towards the (ISC)2 security certification body.

(ISC)2, which administers the widely recognised Certified Information Systems Security Professional (CISSP) qualification, was "a waste of money" and its board of directors "filled with a bunch of out-of-touch boobs" who are unaware of the practical issues in the working life of an infosec professional, we heard.

Membership fees for the organisation are $85 a year. But what do the 80,000 (ISC)2 members get in return?

A cursory search reveals that the beer-fuelled criticism is matched by a series of critical blog posts by respected members of the security community, including Jack Daniel, co-founder of the BSides security conference, and other security honchos such as Rob Graham.

Many of these blog posts note that upcoming (ISC)2 elections in late November offer a chance to make a change.

(ISC)2 directors are elected for a three-year term. Four of the 13 seats on the board are up for re-election this time around. As well as the six candidates on the approved slate there will also be a chance to vote for two alternative (unendorsed) candidates, one standing on a reform ticket. Eligible (ie, fully paid-up) members of (ISC)2 also have the opportunity to cast their vote for a write-in candidate. More details on the (ISC)2 board election process can be found here.

Now it seems that a group of radicals wish to infiltrate the group. The "Four Horsemen of the Impending Infosec Apocalypse" - prospective candidates for the (ISC)2 election who were not included on the official slate - have put themselves forward for election. Only one of the four - Dave Lewis (@gattaca) - made the cut. Scot Terban, Boris Sverdlik and Chris Nickerson all fell short. Another candidate, Diana-Lynn Contesti, will appear on the official ballot papers. Contesti was previously on the board but is not an incumbent.

Manifestos for members of the loosely formed "freak ticket" alliance can be found by searching for (ISC)2 on infosecisland.com. There's also a CSOonline article on Lewis's candidacy and desire to restore the integrity of the CISSP exam. Both Lewis and Contesti are Canadian residents.

The two successful unendorsed candidates managed to get 500 nominations from (ISC)2 members, via emails in support of their candidacy from registered accounts, before a 17 September deadline. Pulling off this not-inconsiderable feat means that their names will appear on the ballot for the upcoming election. Signing the petition to get someone on the ballot does not commit members to vote for them in the actual election.

Of the two unendorsed candidates, only Lewis represents reform. The lack of choice among the rest is likely to irk critics of the organisation, who are not difficult to find.

"I think (ISC)2 and the CISSP just need to go away, be put on an ice floe and sent out to sea - but since that seems unlikely, I’ll support folks who want to make a change," writes Daniel, in characteristically caustic style. "Wim Remes made it to the board last year from a write-on candidacy, let’s see if we can get more - at least on the ballot."

Another critic, NovaInfosec.com (an association of infosec professionals in the Washington DC area) writes: "Keeping the same old guard on the board will simply result in a certification that continues to be disconnected from the day-to-day practical aspects of today’s security professionals. The first step to reconnect the ISC2 board with the practical aspects of today’s infosec pro is to get more community representation."

And there's more along the same lines from Rob Graham of Errata Security, who writes: "The best known professional certification in cybersecurity is the 'CISSP' (by the (ISC)² organisation), but it’s horrible. The test givers are incompetent. The organization is corrupt. Its ethics are unethical. It’s a typical example of rent-seeking behavior rather than a badge of quality. These problems have only gotten worse over the last decade as the organization has resisted reform."

Graham, like Daniel, praised the election of Wim Remes to the board last year as part of a much-needed reform process. Remes is a manager in the risk and assurance practice at Ernst & Young in Belgium. But what really appeals to those who dislike the stuffed shirts is his work organising the well-regarded BruCON security conference and presenting at BlackHat.

Remes told El Reg that he might have joined in with the criticism last year himself but 10 months on the (ISC)2 board has shifted his opinion. The board of (ISC)2 is made up of representatives from academia, industry and internet committees. Unlike critics, Remes doesn't think the group is out of touch.

"We need fresh blood but we don't want to throw our history away," he said. "The present board are a diverse bunch who are well in touch with what's happening in security, and knowledgeable."

"They're not stuffy types... and not on the board just to be on the board. (ISC)2 is less bureaucratic than I thought it would be," he added.

CISSP certification helps people to get or retain jobs in information security but it's not mandatory to have any qualification to have a job in the profession.

Remes cites the fact that the 80,000 membership of (ISC)2 is going up as evidence that the organisation is still relevant and focused on the needs of its members. The (ISC)2 board meets face to face quarterly in diverse and sometimes exotic locations as well as taking part in more regular teleconferences.

Although the board is in charge of governing (ISC)2, the day-to-day running of the organisation is left to a management team.

John Colley, managing director for EMEA and co-chair of the European advisory board for (ISC)2, said members get two broad categories of benefit.

The first is "continuing professional education opportunities", he said. "We do this by staging online and face to face events with the (ISC)2 Secure series and Think Tank sessions and by negotiating concessions and discounts at major industry events around the region," Colley explained.

The second major benefit cited by Colley is that "(ISC)2 provides a voice for the community, develops recognition for the profession itself and facilitates opportunities to give back to society."

The latter, in particular, sounds a bit woolly. Against this Colley said that (ISC)2 member volunteers will be presenting to an audience of over 3,000 schoolchildren in the UK during Get Safe Online Week (22-26 October). (ISC)2 is also developing an application security challenge for Cybersecurity Challenge UK, a government-backed scheme aimed at filling the growing security skills gap by attracting newcomers to the infosecurity profession, he said.

Remes highlighted networking opportunities organised by local chapters and the ability to share best practice as a key benefit of remaining a CISSP.

Colley added that the thorny issue of what members get for their $85 (£53) membership fees crops up every year, normally around the time of board elections. "To understand the value received for AMFs [annual membership fees], we made a concerted effort to ask the members in this region what they are looking for from (ISC)2," he said.

A light-hearted look at the benefits of being a CISSP can be seen in a video by security blogger Javvad Malik (below).

®

