[ISN] Security Cert Provider Cries Foul

From: InfoSec News (isnat_private)
Date: Thu Nov 21 2002 - 23:09:48 PST

    By Jeff Moad
    November 21, 2002

    The non-profit owner of the leading professional certification program
    for security managers has charged that a rival group's plan to offer a
    comparable certification will confuse the market and force security
    professionals to obtain multiple credentials.

    Officials from the ISC2 (International Information Systems Security
    Certification Consortium Inc.) posted a statement on the
    organization's Web site Tuesday criticizing plans by the ISACA
    (Information Systems Audit and Control Association) to launch a new
    certification targeting information security managers. The new ISACA
    certification, to be called the Certified Information Security Manager
    and due to launch in June, could compete with the well-established
    CISSP (Certified Information Systems Security Professional)
    certification from ISC2.

    In its unsigned online challenge to ISACA's plan to roll out the new
    certification, ISC2 officials say the CISSP certification already
    "meets or exceeds the areas the CISM professes to address." The
    statement also questions the qualifications of ISACA to move into the
    security practitioner certification space. Currently ISACA offers a
    certification focused on security auditors.

    "Traditionally, ISC2 and ISACA have respected each other's
    complementary missions that address the different accountabilities of
    the information security profession," the ISC2 statement reads.
    "However, ISACA has recently announced a new certification outside of
    its recognized leadership in the audit community."

    In an interview with eWEEK, ISC2 officials denied the statement was
    simply an attempt to derail a potential competitive certification.
    "There's nothing wrong with competition, providing it adds value,"
    said Bob Johnston, CISSP and manager of credentialing services at
    ISC2, in Framingham, Mass. But, said Johnston, by addressing the same
    audience and body of knowledge already targeted by the CISSP, the new
    certification would confuse the marketplace.

    "The vast majority of people we've talked to were dismayed because
    they believe they'll now be expected to pay fees to two organizations
    to get and maintain certifications in order to satisfy their clients,"
    said Johnston. Currently it costs CISSP candidates $450 to take the
    exam plus an $85 annual maintenance fee. Optional preparation courses
    would cost more.

    In a written response to the ISC2 statement, Leslie Macartney,
    chairman of the CISM certification board, said her organization's new
    certification will be "unique among and complementary to existing
    security credentials." Macartney said the ISACA certification will be
    different from the CISSP because, to obtain it, candidates will be
    required to document security management experience, not just pass a
    test. This, she said, "ensures that only those who manage and oversee
    an enterprise's information security effort can earn it."

    Macartney declined to directly answer ISC2's charges that the CISM
    will confuse the market.

    Although ISACA officials have said the CISM has been in development
    for two years, ISC2's Johnston said his organization was not consulted
    about it prior to its public unveiling in August. Nor, said Johnston,
    have ISC2 and ISACA had direct discussions since then about resolving
    potential overlaps between the two certifications.

    The public sniping between ISC2 and ISACA is unusual in the normally
    refined, quasi-academic world of professional IT certification. ISC2's
    willingness to publicly criticize ISACA "indicates they're on the
    defensive and that the CISSP may be perceived as vulnerable to a new
    competitor," said David Foote, president and chief research officer at
    Foote Partners LLC, a management consultancy and IT workforce research
    firm located in New Canaan, Conn. Foote said the CISSP is widely
    prized and the leading credential for security managers. Currently it
    delivers a median bonus pay of 10 percent of base pay, and that rate
    has risen by 25 percent over the last year, Foote said. According to
    ISC2, by the end of this year, 15,000 security managers will have
    obtained the CISSP credential.

    "If a company is doing a search at the security management level, they
    will demand the CISSP," said Foote. "If you don't have it, you'd
    better have a lot of experience."

    Still, said Foote, ISC2 has done a relatively poor job of offering
    education and training courses to help candidates prepare for the
    CISSP exam. This, he said, is an area where ISACA, with its new
    credential program, could do better.

    Ironically, ISACA currently offers continuing education classes for
    current CISSP holders. CISSP holders must take a minimum number of
    classes per year in order to maintain their certificates. ISC2 decides
    which classes qualify for credit.

    ISC2's Johnston said his organization will be reviewing whether the
    ISACA classes will qualify for continuing education credit.

    "No question, at this point we are revamping [the] program slightly,
    and there will be a point at which ISACA, like every other
    organization, will have to reapply."

    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Fri Nov 22 2002 - 02:21:42 PST