Security Basics mailing list archives

RE: CISSP Question


From: "Craig Wright" <Craig.Wright () bdo com au>
Date: Tue, 15 May 2007 05:39:54 +1000

I have to state that I can see no way that you could have ever run your own company. If you have, I am amazed. You have 
no comprehension of finance. The first thing you need to do is look at the members' financial statement.
 
ISC2 has audited accounts. They do not hide their finances.
 
However, even if your assumptions were even in the ballpark mathematically, with the assumptions that all people are 
being charged the same at all times in all countries, the amounts are nothing great. You are assuming they are 'greedy' 
for making $24 million over 17 years. I have known local fish and chip shops that make $5-6 million pa gross. 
 
I know individual consultants and professionals who gross over $3 million pa. You are assuming that:
1 A million dollars (gross) is a huge sum of money 
2 That personal references to funds reflect business and the world.
 
Please take the time to read the financial statement of one of these organisations. You are all too happy to sit here 
and categorically announce that they are all doing it for greed. Before you blast everyone for all that they are doing, 
please - PLEASE show us all a little respect by taking a few minutes to read a financial statement and please base your 
rant on some facts.
 
ISC2 has audited accounts. They have nothing to hide and they do not make a hell of a lot as you suspect. I think that 
if you took the time to demonstrate a level of professionalism in reading what they do and where they spend their money 
that you might not be stating the same things. All that matters is Net funds.
 
You are right. I am busy and I have tried to help you understand things, but I do not intend to do this if you will not 
open your eyes. Again I state, look at the financial statement and stop making assumptions when the information is 
there!
 
As I stated earlier, $500 is petty cash in the scheme of things. I would suggest that you take the time to think this 
through. Look at the income and earning potentials sans and with certification and you will quickly note the value. 
Please compare this to a $20-30k post grad degree and you will note that the cert offers more "bang for the buck".
 
Again, and before you rant on how much we are being taken to the cleaners by greedy capitalist dogs, take the time to 
show us that you can use rational judgement and read the financial statements of one of the organisations that you are 
lambasting.
 
Regards,
Craig
 
PS - many CISSPs also hold the CAP and SSCP...



Craig Wright
Manager of Information Systems

Direct +61 2 9286 5497
Craig.Wright () bdo com au
+61 417 683 914

BDO Kendalls (NSW)
Level 19, 2 Market Street Sydney NSW 2000
GPO BOX 2551 Sydney NSW 2001
Fax +61 2 9993 9497
www.bdo.com.au


________________________________


From: listbounce () securityfocus com on behalf of Simmons, James
Sent: Sat 12/05/2007 5:03 AM
To: david.a.harley () gmail com
Cc: security-basics () securityfocus com
Subject: RE: CISSP Question



David,
I would like to start out by saying that I enjoyed this post. You addressed the issues with your research and provided 
links. I decided to respond to this e-mail as Craig's e-mail seems to state the same thing, just with less research. 
(No harm intended, I am sure Craig is a busy man, plus we have been going at this for a while now, and even I am getting 
weary of this.)

So I will start with the SANS Argument for reference.
To enforce my claims, I would like to first pose a question to the community. What is the purpose of certifications? 
Any certifications, not just IT, or CISSP, but in general?
I will pull my definition from Google, as:

        "a valued credential awarded in several fields that proves competency upon satisfactory demonstration of 
particular knowledge and skills."

I like this definition, and I believe that no one should be able to argue that this is not an acceptable definition to 
use. But I will dive more into what a certification is used for in relation to the hiring process. I believe that 
everyone here can agree that a certification is implying to the hiring company that the holder of this certificate is in 
possession of at least a minimum level of skill and knowledge, and that the employer can reasonably expect that the 
holder of this certificate will be able to perform to this minimum level without any extra training or other expenditure 
incurred by the company.

The GIAC, SANS Institute and SANS Technology Institute are different trade names, as is pointed out in the link you 
provided, http://www.Sans.edu. The problem is that it is equivalent to different products. They are all the same company 
with the same concerns about profit.
Plus, more interestingly, SANS is an alias for another corporation called Escal Institute of Advanced 
Technologies, INC.
I cannot link to the documents for what ever reason but you can find it.
http://Sdatcert3.resiusa.org/ucc-charter/charterSearch_f.asp (This is Maryland Department of Assessments and Taxation - 
corporation search)
The department IDs you are looking for are T00178185 (Trademark listing) and Z11476587, 
or just search for SANS Institute in the name search and you will find them both.
The SANS LLC was formed in 2006, with no record of when the trademark was created, just updated.
(F06140420 is the department ID to look up Escal if anyone is interested.)
Here is a map link between where Escal claims to be using the trademark SANS Institute, and where the registrar is 
listing its admin location. http://Tinyurl.com/2tsee5

Sorry I didn't mean to go on a tangent there, just that this looked really odd to me, and I was just adding the info to 
share while I was doing my research.

Anyway, all this new information raises another question: how much do you trust your certification 
bodies? What do you know about them? (By the way, I challenge anyone to look up any sort of website on Escal. I found a 
Bizwiz.com entry - really old, pre-SANS; the email is sans () clarke net but the mailing address adds up and everything. 
Not really reputable - plus an old write-up about the '97 SANS Conference telling how the conference is hosted by Escal. 
http://staff.washington.edu/dittrich/misc/sans97)

But this just raises the point about how to look at companies. I am not sure how many people knew all this about SANS. 
They surely do not make it public knowledge. (You cannot find a mention about Escal on any SANS webpage.)
So to rebut your statement David, there may be a separation between SANS Institute, SANS Technology, and GIAC, but 
there is obviously a separation between SANS, and... well SANS. (If we can get them to say their name backwards, will 
they cease to exist? Sorry, nerd humor there)

Moving on, certification prices. They are more expensive than they need to be. That is my view, though some believe 
that it is a fair and decent price. I believe that it can be much cheaper, and the only reason that it isn't is because 
of obvious greed, and not out of operating costs.
The best example is of course to go after the big dog on the block ISC2.
Since I will have to send off and wait for the tax information, I cannot say much at this time in the way of where 
the money is going.
I can say however that it is not a true non-profit organization, 501(c)(4), but a non-profit "commercially-orientated" 
organization, 501(c)(6) (http://www.isc2.org/download/Bylaws_20040717.pdf). The only other 501(c)(6) that I know of is 
the NFL. In fact, the reason 501(c)(6) was created was for the NFL. 
(http://www.irs.gov/pub/irs-tege/eotopick03.pdf) Is the business itself profitable? It could be, but it cannot divvy 
out its shares. Does that mean that a 501(c)(6) is immune from greed-like traits? Hardly.

So let's start with projected income.
Total CISSP Count 48598 members @ $499
Total  SSCP Count   589 members @ $369
Total   CAP Count   313 members @ $369
-------------------------------
Grand Total       51235 members

Now for argument's sake I announce my assumptions now. I will be using the US pricing across the board. Now if anyone 
has a problem with this I would just like to point out that in the US the CISSP test is $499 for early registration, 
while in Europe it is roughly $610 for early registration. This obvious rounding issue is really in my opponents' favor, 
but it will not matter in the end. We are assuming that everyone has registered early, and that no one failed the test, 
let alone were current and let their certification lapse. I am doing this so that if anyone wants to complain about my 
numbers, I am under-quoting myself to give my opponents the benefit of the doubt.

So taking the grand total members, I am assuming that the dues are $80 across the board. (I cannot seem to find the 
membership dues on the site, for any of the certs.)
Their annual gross is $4,098,800 in membership dues alone. Now what have they made on the tests themselves? 
$24,583,240 was made off of the given numbers and assumptions just for test registration alone. Of course I remind you 
that these are the absolute minimum amounts; the real numbers are drastically larger. Not to mention that ISC is a 
mostly federal tax exempt 501(c)(6), so a very tiny portion of that money is going towards taxes.

$24 million (at least) total over the 17 years they claim to be administrating any test, with roughly $4 
million annually. That is more than enough to pay for administrative costs, office rental, legal 
representation, and exam research and development. Plus add on anything they get from consulting, review classes, the 
concentration exams, exam failures, exam cancellations (at least $100 each cancellation), etc. How do they justify the 
cost of this test?

Regards,

Simmons

-----Original Message-----
From: David Harley [mailto:david.a.harley () gmail com]
Sent: Friday, May 11, 2007 2:50 AM
To: Simmons, James
Cc: security-basics () securityfocus com
Subject: RE: CISSP Question

> A point is that it can be cheap to run these certifications.
> It is currently being done, with better results, and with a smaller
> pool of customers.

I'm not sure what you mean by this. That there are cheaper certs that you rate more highly? There are more expensive 
certs that I rate less highly. :)

> Which is why I do have an inherent
> distrust of certification companies.

I think we'd noticed. :)

> It is the difference between a $400 cert and a $50 cert. If everyone
> can actually have the chance to obtain the certification without any
> adverse financial hardships, then you will have a cert that will be
> closer to actually representing a baseline.

The baseline that I'm talking about is the level of a cert-holder's knowledge of the field being tested, not the ratio 
of potential to actual cert holders. The cert costs what it costs. (ISC)2 is a not-for-profit
organization: it charges, I presume, what it thinks will cover its costs. I wouldn't have said it was particularly 
expensive for the cert, or to maintain it. The cost of a bootcamp is a different issue. You don't have to do that 
through (ISC)2, or at all.

> Right now there are too many people out there that can easily pass
> these tests, but do not take them for one reason or another. (Usually
> price is a big motivation.)

There you go again. You're assuming (a) that the test is easy and (b) that the cert is a matter of passing the test. I'm 
sorry if there are people who -could- earn the cert but don't because they literally can't afford it, but I doubt if 
there are many of them. Not doing the cert because you have other uses for the money, or because you think your employer 
should bear some or all of the cost, is another issue entirely.

> -To supply training for the certs? This is very counter productive to
> a certification. Are you going to teach the people, what they need to
> know, to pass a test to prove that they do indeed have experience and
> training in this skill (As is the case in SANS certs and boot camps)?

The SANS approach is quite a lot different. Not invalid, just different.

The CISSP test is not a test of experience, or even of skill, IMHO. It's a test of knowledge of the CBK, which means 
that it's fairly abstract. I don't think it's meant to prove conclusively that you have in-depth knowledge all across 
ten domains: only that you can demonstrate reasonable understanding through a long and fairly exhaustive test. I 
reiterate: passing the test does not qualify you as a CISSP, any more than 4 years experience in the field does. It's 
the combination of an objective test and proven experience, plus a commitment to an ethical standard, that makes up the 
certification.

I'm not saying it's impossible to do an intensive course and get through the test with no prior knowledge, but that 
wouldn't make you eligible for the cert.

> I can understand
> offering a review class or something of the sort, just to go over
> broadly what is covered and how the test is laid out.
> That is test prep work and that is more understandable than an actual
> class covering what they are already supposed to know.

Actually, that's pretty much how I'd regard the CBK review. And, in fact, the review and the test aren't particularly 
tightly coupled. You don't have to go through (ISC)2 to do the review: in fact, you don't have to do the review at all.

https://www.isc2.org/cgi-bin/content.cgi?page=806

In particular:

"Q: What is a CBK Review Seminar? Will it help me with the examination? Why should I take the CBK Review Seminar? Is it 
required?
A:  The CBK Review Seminars are voluntary and provide an intensive review of the knowledge, skills and abilities 
necessary for competent practice of the relevant professional role (CISSP®, SSCP®, CAPCM, etc.). While these intensive 
reviews cannot substitute for years of experience, they have proven to be effective methods for re-familiarizing and 
updating candidates in the major domains of competence necessary for successful practice. The seminars are not designed 
to "teach" information security or certification and accreditation, as attendees are assumed to already be practicing 
professionals. Rather, the intent is to provide a solid base of information for supplementing and refreshing the 
candidate's knowledge. The CBK serves as the basis for the curriculum, while the test specifications serve as the basis 
for the examination. For more information, go to CBK Review Seminar; and for more information about the examination 
specifications, go to the free Study Guides/Candidate Information Bulletins."

I think we've seen too much extrapolation from singular cases to generalities in this thread, but I'll tell you this 
anyway. At around the same time I did the CISSP exam, I also did an ITIL cert and 7799 lead auditor certification. For 
ITIL and 7799 I did an intensive course with an exam at the end. For CISSP, I did the test about a year after I did the 
review. Which means, by your criteria, that CISSP was the only -valid- cert I hold from that period. (In fact, most of 
the other And, actually, you're right. Without real-life experience behind them, those other certs prove only 
theoretical knowledge, not practical skill, and in many contexts that simply isn't enough. The bone of contention here 
is that you're still assuming the same applies to CISSP, whereas CISSP indicates a measure of experience and 
theoretical knowledge. I wouldn't claim that it's perfect, but it's a lot less imperfect than some of the IT certs I've 
sat through.

> -And finally man hours for administrating the tests. I can understand
> this cost, but then after taking the test, what is the purpose of the
> annual maintenance fee?

https://www.isc2.org/cgi-bin/content.cgi?category=84:

"Q: Does (ISC)² collect fees from certified individuals?
A:  Individuals credentialed by (ISC)² pay annual maintenance fees (AMF) to maintain their certifications. The fees are 
used to recover the costs for administering the continuing education and recertification processes and to maintain 
individual records. AMFs are not used to support (ISC)² general operations.
 
Q: Where does (ISC)² get the revenue to develop its programs? 
A: (ISC)² is wholly funded through the collection of examination, seminar, and annual maintenance fees. (ISC)² does not 
receive grants or other financial support from any government or outside agency."

> Now SANS is all messed up. I can understand the use of certifications,
> and I think they are more credible than most since they started as a
> repository for various Security related information. But then they
> also run these boot camps that teach you what they are trying to prove
> that you have a skill set in. That is just backwards. No other company
> I have found, blatantly offers a crash course in their certifications.
> That just reeks of a money making scam.

I think that's a little harsh. There are certainly arguments for separating the teaching, testing, and certification 
functions. But in fact, there is a degree of separation between SANS, GIAC and the SANS Technology Institute.

http://www.sans.edu/

--
David Harley CISSP, Small Blue-Green World Security Author/Editor/Consultant/Researcher
AVIEN Guide to Malware:
http://www.smallblue-greenworld.co.uk/pages/avienguide.html
Security Bibliography:
http://www.smallblue-greenworld.co.uk/pages/bibliography.html

