
Certifications Archives

March 2, 2007

Do you still value your CISSP?

In the last year, I've had a number of friends not renew their CISSP certification. At RSA, I got one of those badge flags saying "ISC2 Member". More than a few people asked, "How did you get that?" Then, before I could answer, they would retort in a disgruntled tone, "Oh, you must have put your CISSP number in at registration. The CISSP doesn't matter anymore anyway." Shrugging shoulders: well, OK, thanks for your kind words, I guess?

The CISSP doesn't matter anymore.

I hear this comment a lot. Where did this data originate? Personally, I think it stems from the CPE process and requirements. Those who value the certificate will put in the work to obtain and record the CPEs. Those who don't probably couldn't care much about the certificate anyway. They were probably "incentivized" by their employer to go take the test. While they may have seen value in it at one time, the motive wasn't personally driven. I remember attending college right out of high school. I found school boring, but always noticed how the 30+ somethings in class really enjoyed it. They were there to learn, to fill that personal drive. I, on the other hand, just wanted to get this part of life over with.

CPEs for Free

When I obtained the CISSP, I made a personal goal. I shall obtain all CPEs each cycle for free. That means no mega payments for online webinars and classes. It also means that I haven't joined any associations requiring yearly dues. So just how have I obtained CPEs for free? Here are some ideas:

  • Submit ideas for speaking engagements. I attended RSA 2007 for free as a speaker and was proud to both be an attendee learning and an active contributor.
  • Get a paper published. I did and it meant I also got to tick off a personal life goal.
  • Read books.
  • Vendor presentations. Almost all of the SANS WebCasts qualify.
  • Seek out associations without membership dues. I'm an Infragard member.
  • Volunteer. Offer to provide a free seminar at your local chamber of commerce regarding PCI.

I believe the CPE process to be a self-weeding mechanism. Those who value and desire the certification will continue. Those who don't can happily exit. There will be no shame and no throwing of stones. I respect your choice, but next year at RSA when you see my ISC2 flag, please don't turn the topic to one of belittling my achievements.

May 16, 2007

New CISSP Requirements

In a press release yesterday, (ISC)2 announced new, stricter requirements for the CISSP.

* The minimum professional experience requirement for CISSP certification will be five years of relevant work experience in two or more of the 10 domains of the CISSP CBK, or four years of work experience with an applicable college degree or a credential from the (ISC)2-approved list. The current requirements for the CISSP call for four years of work experience in one or more of the 10 domains of the CISSP CBK, or three years of experience with an applicable college degree or a credential from the (ISC)2-approved list.

* Candidates for any (ISC)2 credential will be required to obtain an endorsement of their candidature exclusively from an (ISC)2-certified professional in good standing. The professional endorsing the candidate can hold any (ISC)2 certification - CISSP, SSCP or CAP. Currently, candidates can be endorsed by an officer from the candidate's organization if no CISSP endorsement can be obtained. The board believes that only an (ISC)2-credentialed professional bound by its Code of Ethics should provide a candidate endorsement.

As I recall, the requirements were last changed about 4 years ago. Obviously, the board is working to maintain the high level of respect of the CISSP and the other (ISC)2 certifications by increasing the education/experience requirement. In particular, I like the second new endorsement requirement. By having to be endorsed by a CISSP, this means the candidate must actually interact with other people - attend conferences, meetings and shake some hands. Let's face it, people skills aren't always the top-rated skills of a security professional. On the other hand, so many security issues could be more easily alleviated with people skills early on in any process. Not everything has to be fixed by a new policy, network device or software.

--S

About Certifications

This page contains an archive of all entries posted to Sync in the Certifications category. They are listed from oldest to newest.
