Re: I’ve been asked to endorse someone…

theblurr · ‎01-18-2020

Hi everyone,

I’ve been asked (for the first time) to endorse someone who recently passed their CISSP exam. I used to work with this person at a company where I was the InfoSec Officer, and they were a DBA. They are not currently employed in Information Security, but want to make a career move, hence taking the CISSP exam.

I know this person to be a good and decent human being, and I can attest to their good standing within the technical community. He tells me that he has the necessary experience, however, that is where it gets tricky – I believe him, but I did not work with him at the companies where he got his security experience, nor did I know him at that time. I have asked him to give me a list of the jobs where he gathered the necessary experience, a description of what he did, and to give me a list of persons that can vouch for the work he did (I think he’ll need this anyways for the endorsement process.)

I take our code of ethics seriously and want to do the right thing by the profession.

Could I get some opinions about this situation? I was not present, nor did I know this person at the time when they got their cybersecurity experience (I met them and worked with them at a later date.) If I can find prior colleagues and managers to vouch for their work, is it enough to believe that they are honest, have a good character, and will be a good security professional? Or did I have to know the person at the time they were doing cybersecurity work in order to endorse them?

Thanks for your opinions!

me_shail · ‎01-18-2020

Simple ans is if you cannot vouch for his experience then ISC2 might be his best choice. You personally can neither confirm nor deny his experience as he might have gained it when not working with you. If you cannot personally validate his experience and need references to validate his experience then I believe let ISC2 do that instead. Otherwise he can go for associate cert.

AlecTrevelyan · ‎01-19-2020

Yes, there is always the option to have ISC2 provide the endorsement.

However, it's perfectly fine if you want to do this yourself even if you don't have first hand experience covering 5 years of working with him.

To give a couple of examples:

I endorsed someone I worked with for a year. However, our boss's boss (someone who I respected tremendously) had worked with him previously and vouched for the remainder of the required experience and that was good enough for me.
I endorsed someone I met on a training course. I never worked with him before so contacted each and every one of his references by email and phone where required to verify his length of service, his job title and the duties he used to carry out - I spoke with an ISC2 representative on their booth at one of the trade shows about the process I had followed and was told I had been more thorough than they would have been!

CraginS · ‎01-19-2020

@theblurr wrote:
Hi everyone,
I’ve been asked (for the first time) to endorse someone who recently passed their CISSP exam. I used to work with this person at a company where I was the InfoSec Officer, and they were a DBA.

Javier,

I have been asked to endorse an applicant only one time that I could not personally verify their experience. He worked for my company, but at a different location, so I did not know him personally. I asked for his resume, and called his references to confirm the experience claim and also checked on his claimed degree. His work experience checked out, but his degree claim did not, so I did not endorse him.

I recommend you ask your colleague for an abbreviated resume to let you double check his experience claim. Call the company HR or better a former supervisor to ask about his assigned duties. HR will usually, for legal reasons, only tell you whether he was employed there during the claimed period, but they my be willing to confirm assigned duties. An informal supervisor may be willing to confirm duties. Be sure to tell both you re not looking for any form of performance evaluation or recommendation or commentary, only confirmation of duties. In any company with an HR and legal department, all employees have been told to refer all reference inquiries to HR.

You might explain to your colleague that thisi s a required part of your ethical responsibilities as a CISSP, and he will experience the same upon certification. He should not be offended if you handle that conversation in a positive manner.

Good luck!

Craig

D. Cragin Shelton, DSc
Dr.Cragin@iCloud.com
My Blog
My LinkeDin Profile
My Community Posts

AlecTrevelyan · ‎01-19-2020

@CraginS wrote:
...
...
I recommend you ask your colleague for an abbreviated resume to let you double check his experience claim.
...
...

The online endorsement form requires applicants to enter all the details an endorser would require to verify their experience. In effect, applicants end up creating a resume/CV but in a standardised format, so there's no need to ask for one:

Obviously, applicants need to enter one of these job history forms per job they're claiming as cover for their experience requirement.

ericgeater · ‎01-20-2020

Patience should win out for this new provisional CISSP. I waited a total of six weeks for (ISC)²'s endorsement, which they approved in the end. Even the person who talked me into studying for the exam didn't know me well enough to stand up on my behalf.

-----------
A claim is as good as its veracity.

AppDefects · ‎01-20-2020

Makes me wonder how the whole process could be automated...

theblurr · ‎01-29-2020

Thank you to everyone who took the time to give me your opinion!

@AlecTrevelyanand @CraginS thank you, in particular for sharing prior experiences that are similar to the one I find myself in. Super helpful. I will proceed to help my acquaintance get certified, but not before personally vetting everything he says he has done.

Thanks again!

J