Information Security News mailing list archives

Are you a CISSP?


From: InfoSec News <alerts () infosecnews org>
Date: Tue, 28 Aug 2012 03:53:36 -0500 (CDT)

Forwarded from: security curmudgeon <jericho (at) attrition.org>

If you are, you should be aware that ISC2 board elections are coming up. Last year, Wim Remes decided to run a petition to get his name added to the ballot, and ultimately joined the board. He did so seeking to help change ISC2 for the better, to begin to tackle the many criticisms leveled against the organization, and their CISSP certification.

This year, four more people are looking to join the board. Each of them is going through the petition process, which requires 500 signatures from current CISSP holders. This will get their name on the ballot, where they hope to get elected to the board to bring more change.

I have been an outspoken critic of ISC2 in the past. This includes one published article on the Code of Ethics [1], countless Tweets, dozens of mails to ISC2's general counsel, and more. Recently, I also did a guest bit for a presentation on "Why You Should Not Get a CISSP" at DEFCON 20 [2]. The presentation was done by Timmay, and the most revealing part was exposing how the CBK had barely been updated the last 15 years.

Personally, I think the current ISC2 board is stale and needs a refresh. I think the same people are frequently re-elected and have little motivation to make real change within the organization. Since it is ridiculously profitable, there may not be much incentive to do so for some of them. On the other hand, look at what ISC2 has done in terms of community outreach and supporting non-ISC2 security projects or initiatives. It was only a few months ago that ISC2 finally made an appearance at BlackHat, after Remes helped push for more public interaction from the organization.

So, if you are an active CISSP holder, consider the value of your certification. Consider what ISC2 does, especially with the money you have given them. Remember that with around 100,000 CISSPs, frequently obtained by non-security people, the value of the certification is slowly dwindling. It is NOT a measure of security knowledge; it is a punch line to many jokes. I believe you should be concerned about this, and look to change it. That starts with having a more active, outspoken, and driven board.

Please read these petitions and consider alternative board members this year:

(1) Boris Sverdlik (@JadedSecurity) [http://jadedsecurity.net/2012/08/22/isc2-bod-vote-2012/]
(2) Dave Lewis (@gattaca) [http://www.liquidmatrix.org/blog/vote-for-dave/]
(3) Chris Nickerson (@indi303) [http://change.isc4thepeople.com/]
(4) Scot Terban (@krypt3ia) [http://krypt3ia.wordpress.com/2012/08/23/isc2-board-candidacy/]

This summary of candidates and more perspective comes from Robert Graham (@ErrataRob) and a blog post he wrote about the subject [3].

Thanks for your consideration,

- jericho



[1] http://attrition.org/security/rants/cissp_convenient_ethics/
[2] http://attrition.org/security/conferences/
[3] http://erratasec.blogspot.com/2012/08/these-guys-want-to-reform-isc2cissp.html


