Information Security News mailing list archives

Security Cert Provider Cries Foul


From: InfoSec News <isn () c4i org>
Date: Fri, 22 Nov 2002 01:09:48 -0600 (CST)

http://www.eweek.com/article2/0,3959,718175,00.asp

By Jeff Moad 
November 21, 2002 

The non-profit owner of the leading professional certification program
for security managers has charged that a rival group's plan to offer a
comparable certification will confuse the market and force security
professionals to obtain multiple credentials.

Officials from the ISC2 (International Information Systems Security
Certification Consortium Inc.) posted a statement on the
organization's Web site Tuesday criticizing plans by the ISACA
(Information Systems Audit and Control Association) to launch a new
certification targeting information security managers. The new ISACA
certification, to be called the Certified Information Security Manager
and due to launch in June, could compete with the well-established
CISSP (Certified Information Systems Security Professional)
certification from ISC2.

In its unsigned online challenge to ISACA's plan to roll out the new
certification, ISC2 officials say the CISSP certification already
"meets or exceeds the areas the CISM professes to address." The
statement also questions the qualifications of ISACA to move into the
security practitioner certification space. Currently ISACA offers a
certification focused on security auditors.

"Traditionally, ISC2 and ISACA have respected each other's
complementary missions that address the different accountabilities of
the information security profession," the ISC2 statement reads.  
"However, ISACA has recently announced a new certification outside of
its recognized leadership in the audit community."

In an interview with eWEEK, ISC2 officials denied the statement was
simply an attempt to derail a potential competitive certification.  
"There's nothing wrong with competition, providing it adds value,"  
said Bob Johnston, CISSP and manager of credentialing services at
ISC2, in Framingham, Mass. But, said Johnston, by addressing the same
audience and body of knowledge already targeted by the CISSP, the new
certification would confuse the marketplace.

"The vast majority of people we've talked to were dismayed … because
they believe they'll now be expected to pay fees to two organizations
to get and maintain certifications in order to satisfy their clients,"  
said Johnston. Currently it costs CISSP candidates $450 to take the
exam plus an $85 annual maintenance fee. Optional preparation courses
would cost more.

In a written response to the ISC2 statement, Leslie Macartney,
chairman of the CISM certification board, said her organization's new
certification will be "unique among and complementary to existing
security credentials." Macartney said the ISACA certification will be
different from the CISSP because, to obtain it, candidates will be
required to document security management experience, not just pass a
test. This, she said, "ensures that only those who manage and oversee
an enterprise's information security effort can earn it."

Macartney declined to directly answer ISC2's charges that the CISM
will confuse the market.

Although ISACA officials have said the CISM has been in development
for two years, ISC2's Johnston said his organization was not consulted
about it prior to its public unveiling in August. Nor, said Johnston,
have ISC2 and ISACA had direct discussions since then about resolving
potential overlaps between the two certifications.

The public sniping between ISC2 and ISACA is unusual in the normally
refined, quasi-academic world of professional IT certification. ISC2's
willingness to publicly criticize ISACA "indicates they're on the
defensive and that the CISSP may be perceived as vulnerable to a new
competitor," said David Foote, president and chief research officer at
Foote Partners LLC, a management consultancy and IT workforce research
firm located in New Canaan, Conn. Foote said the CISSP is widely
prized and the leading credential for security managers. Currently it
delivers a median bonus pay of 10 percent of base pay, and that rate
has risen by 25 percent over the last year, Foote said. According to
ISC2, by the end of this year, 15,000 security managers will have
obtained the CISSP credential.

"If a company is doing a search at the security management level, they
will demand the CISSP," said Foote. "If you don't have it, you'd
better have a lot of experience."

Still, said Foote, ISC2 has done a relatively poor job of offering
education and training courses to help candidates prepare for the
CISSP exam. This, he said, is an area where ISACA, with its new
credential program, could do better.

Ironically, ISACA currently offers continuing education classes for
current CISSP holders. CISSP holders must take a minimum number of
classes per year in order to maintain their certificates. ISC2 decides
which classes qualify for credit.

ISC2's Johnston said his organization will be reviewing whether the
ISACA classes will qualify for continuing education credit.

"No question, at this point we are revamping [the] program slightly,
and there will be a point at which ISACA, like every other
organization, will have to reapply."



-
ISN is currently hosted by Attrition.org
