topic Re: Tiering the SSCP and CISSP in Member Support

Tiering the SSCP and CISSP

Baechle — Wed, 28 Mar 2018 22:00:50 GMT

I would like to propose a change to the prerequisite for qualifications:

I propose that the “Associate” status is dropped completely, and that a 3 or 4-year SSCP in good standing requirement be implemented prior to being qualified to sit for the CISSP.

The CISSP concentrations already follow this model. It also provides a model where more technical and less experienced folks will experience a greater level of exam success.

This tiered model is similar to the Professional Engineer (“PE”) qualification that requires the applicant to pass a general engineering exam and serve as an Engineer In Training for a period of time before being qualified to earn the PE.

I believe that this would have several benefits for the community.

First, it would re-elevate the CISSP prestige to a credential that is distinct in this industry but similar to other professions (Engineering, Accounting, etc.) as one that requires accumulating verifiable successful experience through passing an entry level test (through the SSCP) first, and then working in the field for a mandatory number of years before pinning on the flagship credential.

In my opinion and in my observations, the Associate CISSP qualification has diminished the relevance of the SSCP. By dropping the Associate CISSP and making the SSCP a pathway to the CISSP would make the SSCP relevant both on its own again, and as a career pathway toward the CISSP.

Third, in my opinion and observation management and human resources professionals do not fully appreciate the difference in experience between the Associate CISSP and the full CISSP. Both of these credentials appear to lay-persons as "the CISSP". This sets up the CISSP for failure when Associate CISSPs, with significant CBK knowledge but not necessarily the experience, fail to perform to the level expected of CISSPs with years of experience. Dropping the Associate CISSP would start a course correction for business and human resources leaders in how they view the capabilities and relevance of CISSPs.

Respectfully,

Eric Baechle

Re: Tiering the SSCP and CISSP

Shannon — Thu, 29 Mar 2018 07:00:55 GMT

@Baechle I wasn't aware of the fact that there's an 'Associate CISSP' status one can attain, so please send me a link of this to check out the same.

To my knowledge, anyone can take the CISSP exam without meeting experience pre-requisites, but clearing the exam only entitles you to the status of 'Associate of (ISC)2' & not 'CISSP.' If someone simply clears the CISSP exam but doesn't get certified, he can't state 'CISSP' on a resume; just 'Associate of (ISC)2.' Even if a CISSP is claimed, it would be negated when a potential employer attempts to validate it on the (ISC)2 site.

However, if there is indeed an 'Associate CISSP' status, then yes, it can cause confusion, so (ISC)2 should address this as you suggested.

Re: Tiering the SSCP and CISSP

Baechle — Thu, 29 Mar 2018 14:49:19 GMT

@Shannon,

Shannon,

I appreciate your input. I apologize for not tailoring my initial message more toward this audience. So, please allow me a moment to clarify.

I fully understand that what I stated before is not a construct currently offered by (ISC)^2. What I was offering was my observations about how (ISC)^2’s current construct is understood by people outside of the community, and how it is being both abused and causing confusion about the skill sets of CISSP holders and folks that “just passed the exam”.

Let’s start with some definitions.

Associate of (ISC)^2. This is the official title conferred on someone who passes an exam of any caliber from (ISC)^2 but lacks the requisite experience to qualify for that certification (assuming that they don’t have some other (ISC)^2 certification that they were previously conferred).

CISSP. This is the official title conferred on someone who passes the CISSP exam, the experience audit, with the required number of endorsements.

Associate CISSP. This is what a non-(ISC)^2 affiliated Human Resources or organizational executive thinks is conferred upon someone who passed the CISSP exam and then chooses to be conferred the Associate of (ISC)^2.

I can give you a direct example from the DoD’s 8570 requirements for certification. They posit in their structure that someone at various levels must possess a CISSP certification, or based upon your points here be an “Associate of (ISC)^2” either by passing the SSCP, CCSP, or any other lesser or irrelevant exam without the experience to qualify for the CISSP. In fact, this misunderstanding encourages people to take easier exams and fail to certify their experience so that they can attain the Associate of (ISC)^2 status to be equivalent to a CISSP.

https://iase.disa.mil/iawip/Pages/iabaseline.aspx

You’ll note that it also indicates the SSCP, but doesn’t say “or Associate”. This confounding is prevalent both in the federal government and among folks in private business that are looking for certified people.

There is a problem with your conjecture that this is all solved by having an independent verification process. You are assuming that the Human Resources person doing that validation has some formal knowledge of the (ISC)^2 construct. Let met give you a scenario that is in my opinion quite a bit more accurate:

Applicant lists "Associate CISSP" on their resume or something to the effect of, "Associate of (ISC)^2 (CISSP)".
Human Resources goes to validate the applicant's status which shows, "Associate of (ISC)^2".
Human Resources asks the applicant to provide proof of their CISSP status.
Applicant forwards their exam results.
Human Resources, not understanding the intracacies of CISSP vs. Associate of (ISC)^2, assumes this means that the person has the requisite experience and endorsements.

The thing is here, you can pass the CISSP exam - but you can be so bad at your job that nobody would endorse you even if you have the years of experience. That's part of the reason why I think there should also be an apprenticeship portion of the qualification process, where you work under an already-qualified CISSP for a number of years.

Re: Tiering the SSCP and CISSP

Shannon — Thu, 29 Mar 2018 18:24:47 GMT

Wow. Frankly, I wasn't aware of this. It definitely degrades the CISSP certification, & adversely impacts the holders.

(ISC)2 could go about addressing this on multiple ways, including :

Making the entitlement specific, so that instead of just 'Associate of (ISC)2' it says 'Associate of (ISC)2 for CISSP' or 'Associate of (ISC)2 for SSCP' to make it very clear.
Adding a note on the validation page, clearly stating something like: The Associate of (ISC)2 has cleared the exam for the corresponding certification, but the required experience for it has not been not been confirmed by us.
Removing the (Associate of ISC)2 status entirely.

They can make use of 1, 2, 1 AND 2, or 3 for this. I'm not sure about whether the Associate of (ISC)2 is already specific. If it is, then 1 can be ignored.

(On the side of recruiters, it's up to them to do their homework; unfortunately that rarely happens.)

I wouldn't want to see the SSCP becoming a mandatory prerequisite for the CISSP, because someone who's already got relative experience shouldn't have to take an SSCP exam ---- the subject knowledge is confirmed once you clear the CISSP exam.

Instead, the option to use other certifications to waiver experience should be amended by (ISC)2, so as to properly assign 'weights' to each certification. (In the current system, someone holding an MCSA can waiver 1 year just as easily as someone with an SCP, which I feel is very strange.

The requirements can be amended so that the number of certifications acceptable for a waiver varies with their weight, something like this: -

At least 1 of the following certifications: SSCP, CASP, CISM, CCSP

At least 2 of the following certifications: MCITP, CCNP Security, CWSP

At least 3 of the following certifications: MCSE, MCSA, CCNA Security, Security +, CEH

(I've just listed a few certifcations, obvously (ISC)2 will have to thoroughly review what's already on the list and assign the weights to them)

Re: Tiering the SSCP and CISSP

Baechle — Thu, 29 Mar 2018 18:40:21 GMT

Shannon,

I agree with your point that Human Resources and Hiring Managers should be on the hook to do their research of an applicant. I would also like to make the following point:

Who is the Certification for?

I believe the Certificate is for the Human Resources and Hiring Managers, and the certification construct should be such that benefits their ability to properly evaluate and select applicants; or reward existing employees.

The certificate holder obviously benefits because they have a badge of authority on a subject matter. But a knowledgeable person could easily engage in a discussion to prove their knowledge. So, the real benefit to the certification is to show lay-persons that their subject of scrutiny has actually achieved some level of recognition and authority. We should make that easier on folks… otherwise WE are the ones devaluing the CISSP and making it an anecdotal item to flash around (ISC)^2, ISSA, and the like Chapter Meetings.

Re: Tiering the SSCP and CISSP

Shannon — Thu, 29 Mar 2018 18:46:21 GMT

Yes, that's very true, Eric. I suppose all we can do for now is hope that (ISC)2 will do the needful.

Re: Tiering the SSCP and CISSP

mgoblue93 — Thu, 29 Mar 2018 19:25:17 GMT

> Wow. Frankly, I wasn't aware of this. It definitely degrades the CISSP certification

How?

They passed the test!!!

CISSP is degraded for other reasons.

Re: Tiering the SSCP and CISSP

mgoblue93 — Fri, 30 Mar 2018 14:41:25 GMT

I think there's some good rationale in what is written but not so sure if the targets aren't misplaced

> propose that the “Associate” status is dropped completely

Why? That just hurts otherwise qualified people as they work to gain professional experience. Case in point. I hired a computer science college grad. He took the CISSP within 6 months of graduation. He passed. He earned it. Why shouldn't he be allowed to be called an "Associate" until he can get more time getting paychecks?

> re-elevate the CISSP prestige to a credential that is distinct in this industry

I've been critical the CISSP process -- the cert certainly isn't distinct from where me and my peers sit according those around us and who are more experienced.

What got me to reply to your post though is the rationale stated -- "this tiered model is similar to the Professional Engineer (“PE”)"

If a "PE" tier is your model, then CISSP wouldn't be your target. It's NOT an engineering certification. Hasn't been for a while (if it ever was pre-8570.1) either. I think it's certainly debatable that a significant sample size of CISSP holders use their computers professionally just for the internet and email (which is the root of a lot of my criticism).

If you want to re-establish CISSP as something more meaningful, why not make programmatic changes rather than organizational ones (re: eliminating the associate):

1. Industry and the certifying authority needs to clearly communicate just exactly what is the CISSP for? 8570.1, for example, implies it's a technical cert. I'll pick on 8570.1 because it's a good example of what caused membership to skyrocket. Part of the cert is having demonstrable domain experience to earn it. But the reality of it is just the opposite.

2. There's no accountability in the community for this cert. You mention other professionals as models for what the CISSP should be. But there's no transparency in the testing and certification process like there is in other industries where professionals have to be licensed or boarded. But the only method for accountability in this realm is a self-signed ToS and a completely unknown endorsement from another member.

3. Is the board of a certifying authority composed of industry, knowledgeable, folks or is it business and marketing people?

I don't know -- just my $0.02 worth. I'd like the see the CISSP get some of its cachet back. I just didn’t think the root causes (RE: re-elevate the CISSP prestige) were previously addressed.

Re: Tiering the SSCP and CISSP

Baechle — Thu, 29 Mar 2018 21:18:52 GMT

Christopher,

Thanks for your comments!

I think dropping the Associate makes sense from a consumer perspective, because the SSCP is a full certification vs acknowledgement you've passed a test.

Instead of paying annual maintenance fees based on the exams we took, I think Associate status should be something you get by paying flat membership dues. I think it should grant the Associate access to these forums where they can engage with certified members. I also think there should be distinct forums here based upon the lines of certifications - so a Forum for Healthcare IT Security Matters a Forum for Cloud IT Security Matters, etc. based around the certification lines - where noncertified Associates can correspond with the community of certification holders relevant to their specializations. And this basic Associate membership should be somewhat of the basis for getting the journal either electronically or in print. I think that a flat membership fee should then turn around and grant discounts on official (ISC)^2 products like the CBK books and the like. Finally, I think that Associate status should be the starting point - and that a certification candidate have their work experience and endorsements evaluated before they are authorized to sit for one of the exams - a process that the Associate dues pay for.

But, that is getting a little off topic.

🙂

Re: Tiering the SSCP and CISSP

Baechle — Wed, 25 Apr 2018 20:55:22 GMT

Shannon (@Shannon);

I know it's been a while since we moved this conversation along, but I wanted to point something out here.

This was the title of a post in another thread about someone asking for advice about which certification path to pursue: CISSP Associate or SSCP

As you can see the perception problem is there.

Sincerely,

Eric B.

Re: Tiering the SSCP and CISSP

denbesten — Thu, 26 Apr 2018 02:28:40 GMT

Perhaps when one passes the exam, they ought to be titled "CISSP apprentice". Once they have attained the necessary experience, they gain the title "CISSP". If they let their certificate lapse, they get the title "CISSP emeritus".

Re: Tiering the SSCP and CISSP

Shannon — Thu, 26 Apr 2018 05:23:13 GMT

@Baechle

Yes Eric, I read it. If employers are likely to give preference to an Associate of CISSP over an SSCP, it's indeed a cause for concern.

Honestly, I'm still a bit shaken by it all, so I would rather not reply to that post --- hopefully someone from (ISC)2 will provide guidance, with an assurance that they are in the process of addressing this.

Re: Tiering the SSCP and CISSP

Baechle — Thu, 26 Apr 2018 18:04:15 GMT

William,

I'm not in favor of confusing the titles at all. If we are going to do this, I would like to see a specific title that isn't confusing a full certification for someone that has passed a test For example, the engineering community uses "Engineer In Training" as a first step.

So, "Security Professional In Training" would be a good title for someone who has only passed any of the exams.

A title like this is unambiguous even if someone swapped their certification goal:

SSCP In Training

CISSP In Training and so forth.

Sincerely,

Eric B.

Re: Tiering the SSCP and CISSP

Steve-Wilme — Tue, 01 May 2018 12:55:53 GMT

I think there are other more concerning issues; like parties claiming to have CISSP when they don't or putting a vague statement like CISSP (studying) on their resume, when they've not paid their fee, studied for, entered the exam, taken the exam, got a pass etc. And they can still get hired!

Re: Tiering the SSCP and CISSP

Baechle — Tue, 01 May 2018 13:51:24 GMT

Steve,

I understand that the problems you brought up are certainly frustrating issues. Now we have to figure out in the equation or chain of events that leads to the scenarios you brought up, what do we as a community have the power to change or influence?

Unfortunately, we can’t change the behavior of people that are intent on fraudulently representing their qualifications.

We can change the names of various distinctions so that they are less confusing about status to a lay-person. For example, “Associate of (ISC)^2” or what many people call themselves, “Associate CISSP” is extraordinarily confusing, while “Security Professional in Training” or “CISSP in Training” is very much less so.

There has also been a steadily increasing call for licensing of system security professionals separate from the CPA, PE, and Investigator licenses (for Audit, Forensics, and potentially incident response that may be quasi-LE). We as a community should be evaluating if we want to structure the credential to be a baseline in the event states begin to require licensing. That would also increase the potential penalty for representing one’s self as qualified if they are also presenting themselves as licensed.

Re: Tiering the SSCP and CISSP

Steve-Wilme — Tue, 01 May 2018 19:26:53 GMT

Fraudulent misrepresentation of qualifications/competence is a criminal matter in the UK already.

It won't stop some organisations hiring someone that they suspect is unqualified if their motivation is to have a fall guy whom they can blame for providing bad (unqualified) advice in the event of a breach.

Re: Tiering the SSCP and CISSP

Baechle — Wed, 02 May 2018 14:00:00 GMT

Steve,

I appreciate your feedback, but I think our conversation is off target on the desired purpose and intent for this suggestion.

@Steve-Wilmewrote:
Fraudulent misrepresentation of qualifications/competence is a criminal matter in the UK already.

In the U.S., there are also criminal anti-fraud laws but I would venture to say that law enforcement aren’t the “fraud police.” Instead, fraud is typically handled as a civil matter in the U.S. except in cases of extremely high dollar amounts and numbers of victims; or fraud that involves the financial organizations, telecommunications, or mail.

@Steve-Wilmewrote:

It won't stop some organisations hiring someone that they suspect is unqualified if their motivation is to have a fall guy whom they can blame for providing bad (unqualified) advice in the event of a breach.

You’re right, but that’s not the intent with this suggestion. The goals are:

to eliminate a confusing professional title of “Associate of (ISC)^2” that is abused, sometimes unwittingly, as “Associate CISSP”; and
provide a credential that can stand as the basis of some future professional licensing program for technology-security specialists.

I understand that #2 may be less of a concern in the U.K. exiting the E.U., but Europe is already on this path and there has been a steadily rising call for it in the U.S. as well. In fact, in the U.S. many features of information technology security have already been litigated in court as requiring a license of some kind. For example, many States in the U.S. require those performing the collection of digital forensic evidence to require a Private Detective/Investigator license. Additionally, some court decisions apparently lean toward those performing IT-security services “for hire” have State licensing as a Security Guard.

While it may seem silly requiring CISSPs to have a “Security Guard” license, the reasoning presented by State licensure boards is not unreasonable. In older organizations of the CISSP Domains, “Physical Security” and “Law” were actual distinct topics in the CBK. Even today, but buried under other Domains such as Access Management and Security Operations, we still require folks to consider and provide input into physical access. In many States, the design, specification, conduct of security surveys, and establishing of physical security requirements leads to a requirement for licensure as a “Security Guard” service or as an individual if providing those services “for hire”. So, in a couple of places this has bled over into our world already.

Sincerely,

Eric B.

Re: Tiering the SSCP and CISSP

nancy_perez — Thu, 23 Aug 2018 05:28:51 GMT

The CISSP certification is designed for Chief Information Security Officers, Security Managers, Consultants and Analysts, as well as, Directors of Security. In short: information security professionals working in senior managerial security roles.

The SSCP is aimed at those who want to build and prove their essential cyber security skills and are currently in a hands-on information security role. The SSCP is a great certification for Network Security Engineers, Security Administrators and Systems Engineers.