'Four horsemen' posse: This here security town needs a new sheriff

Body which issues CISSP tin stars set for shakeup?

As the overpriced beers flowed and dusk approached in central London pubs surrounding the venue of RSA Europe last week, talk often turned towards the (ISC)2 security certification body.

(ISC)2, which administers the widely recognised Certified Information Systems Security Professional (CISSP) qualification, was "a waste of money" and its board of directors "filled with a bunch of out-of-touch boobs" who are unaware of the practical issues in the working life of an infosec professional, we heard.

Membership fees for the organisation are $85 a year. But what do the 80,000 (ISC)2 members get in return?

A cursory search reveals that the beer-fuelled criticism is matched by a series of critical blog posts by respected members of the security community, including Jack Daniel, co-founder of the BSides security conference, and other security honchos such as Rob Graham.

Many of these blog posts note that upcoming (ISC)2 elections in late November offer a chance to make a change.

(ISC)2 directors are elected for a three-year term. Four of the 13 seats on the board are up for re-election this time around. As well as the six candidates on the approved slate there will also be a chance to vote for two alternative (unendorsed) candidates, one standing on a reform ticket. Eligible (ie, fully paid-up) members of (ISC)2 also have the opportunity to cast their vote for a write-in candidate. More details on the (ISC)2 board election process can be found here.

Now it seems that a group of radicals wishes to infiltrate the organisation. The "Four Horsemen of the Impending Infosec Apocalypse" - prospective candidates for the (ISC)2 election who were not included on the official slate - have put themselves forward for election. Only one of the four - Dave Lewis (@gattaca) - made the cut. Scot Terban, Boris Sverdlik and Chris Nickerson all fell short. Another unendorsed candidate, Diana-Lynn Contesti, will also appear on the official ballot papers. Contesti was previously on the board but is not an incumbent.

Manifestos for members of the loosely formed "freak ticket" alliance can be found by searching for (ISC)2 on infosecisland.com. There's also a CSOonline article on Lewis's candidacy and desire to restore the integrity of the CISSP exam. Both Lewis and Contesti are Canadian residents.

The two successful unendorsed candidates managed to get 500 nominations from (ISC)2 members, via emails in support of their candidacy from registered accounts, before a 17 September deadline. Pulling off this not-inconsiderable feat means that their names will appear on the ballot for the upcoming election. Signing the petition to get someone on the ballot does not commit members to vote for them in the actual election.

Of the two unendorsed candidates, only Lewis represents reform. The lack of choice among the rest is likely to irk critics of the organisation, who are not difficult to find.

"I think (ISC)2 and the CISSP just need to go away, be put on an ice floe and sent out to sea - but since that seems unlikely, I’ll support folks who want to make a change," writes Daniel, in characteristically caustic style. "Wim Remes made it to the board last year from a write-on candidacy, let’s see if we can get more - at least on the ballot."

Another critic, NovaInfosec.com (an association of infosec professionals in the Washington DC area) writes: "Keeping the same old guard on the board will simply result in a certification that continues to be disconnected from the day-to-day practical aspects of today’s security professionals. The first step to reconnect the ISC2 board with the practical aspects of today’s infosec pro is to get more community representation."

And there's more along the same lines from Rob Graham of Errata Security, who writes: "The best known professional certification in cybersecurity is the 'CISSP' (by the (ISC)² organisation), but it’s horrible. The test givers are incompetent. The organization is corrupt. Its ethics are unethical. It’s a typical example of rent-seeking behavior rather than a badge of quality. These problems have only gotten worse over the last decade as the organization has resisted reform."

Graham, like Daniel, praised the election of Wim Remes to the board last year as part of a much-needed reform process. Remes is a manager in the risk and assurance practice at Ernst & Young in Belgium. But what really appeals to those who dislike the stuffed shirts is his work organising the well-regarded BruCON security conference and presenting at Black Hat.

Remes told El Reg that he might have joined in with the criticism last year himself but 10 months on the (ISC)2 board has shifted his opinion. The board of (ISC)2 is made up of representatives from academia, industry and internet committees. Unlike critics, Remes doesn't think the group is out of touch.

"We need fresh blood but we don't want to throw our history away," he said. "The present board are a diverse bunch who are well in touch with what's happening in security, and knowledgeable."

"They're not stuffy types... and not on the board just to be on the board. (ISC)2 is less bureaucratic than I thought it would be," he added.

CISSP certification helps people to get or retain jobs in information security but it's not mandatory to have any qualification to have a job in the profession.

Remes cites the fact that the 80,000 membership of (ISC)2 is going up as evidence that the organisation is still relevant and focused on the needs of its members. The (ISC)2 board meets face to face quarterly in diverse and sometimes exotic locations as well as taking part in more regular teleconferences.

Although the board is in charge of governing (ISC)2, the day-to-day running of the organisation is left to a management team.

John Colley, managing director for EMEA and co-chair of the European advisory board for (ISC)2, said members get two broad categories of benefit.

The first is "continuing professional education opportunities", he said. "We do this by staging online and face to face events with the (ISC)2 Secure series and Think Tank sessions and by negotiating concessions and discounts at major industry events around the region," Colley explained.

The second major benefit cited by Colley is that "(ISC)2 provides a voice for the community, develops recognition for the profession itself and facilitates opportunities to give back to society."

The latter, in particular, sounds a bit woolly. Against this Colley said that (ISC)2 member volunteers will be presenting to an audience of over 3,000 schoolchildren in the UK during Get Safe Online Week (22-26 October). (ISC)2 is also developing an application security challenge for Cybersecurity Challenge UK, a government-backed scheme aimed at filling the growing security skills gap by attracting newcomers to the infosecurity profession, he said.

Remes highlighted networking opportunities organised by local chapters and the ability to share best practice as a key benefit of remaining a CISSP.

Colley added that the thorny issue of what members get for their $85 (£53) membership fees crops up every year, normally around the time of board elections. "To understand the value received for AMFs [annual membership fees], we made a concerted effort to ask the members in this region what they are looking for from (ISC)2," he said.

A light-hearted look at the benefits of being a CISSP can be seen in a video by security blogger Javvad Malik (below).
