cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Help Shape the Next (ISC)2 Cybersecurity Certification

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Help Shape the Next (ISC)2 Cybersecurity Certification

Re: Help Shape the Next (ISC)2 Cybersecurity Certification

AndreaMoore
Community Manager

Group_JTA_Certification.jpg(ISC)² is excited to share with you that we are initiating an important step in our exam development process, and we need your help!

 

We are looking for cybersecurity professionals to take our newest Job Task Analysis (JTA) survey. Typically, we will reach out to you to take a JTA survey for the certification that you hold, but this time it’s a little different. (ISC)² is working on developing our first new certification since the CCSP, and it’s aimed at helping cybersecurity career hopefuls get started in the field!

 

To fill the cybersecurity workforce gap, we need to address the workforce shortage facing the industry, especially among entry- and junior-level positions. A foundational certification will help (ISC)² build a path for professionals around the world to a rewarding, successful career in cybersecurity.

 

Regardless of what certification you hold (even if you don’t hold one at all), your experience level, your specialty, your industry, your organization size … we want to hear from you! This survey is open to take until October 20, 2021. If you’re an (ISC)² member, you can provide your name and ID # when taking the survey and you’ll earn 5 CPE credits. We’ll add them to your member account by November 12, 2021. If you’re not an (ISC)² member, we still welcome your input and appreciate your participation.

 

The outcome of this survey will be an exam outline for a new (ISC)² examination to help validate the necessary fundamental skills and abilities cybersecurity deem necessary for those just setting out on their career journey. You can access the survey here: https://www.surveymonkey.com/r/EntryLevel-JTA2021

 

Please feel free to share the survey with any of your colleagues and peers. Thank you for helping us build a path to cybersecurity success and taking one crucial step toward addressing the workforce gap!

 

Stay connected for exciting developments on this front in the weeks and months to come. 

11 Comments
dcontesti
Community Champion

 

Why?  The SSCP was developed as an entry level certification.  I question why the organization needs another entry level certification.

 

I am asking a few folks that were around for the development of the SSCP to chime in here.

 

It seems the organization is spending money on recreating the wheel when Money could be well spent on other much needed certification.

 

@TrickyDicky 

 

I am also asking the new board members their thoughts?

 

@dhouser @JP 

JP
Newcomer III

Hi Diana,

 

I can't comment on the reason for this direction (yet - I'm not formally in post until January), but from my view, a true entry level exam is less demanding than the current SSCP. Also the SSCP focuses on technical knowledge hence the "Systems" part of the title, but aspiring security pros may not be wanting to explore the technical route. 

 

I know its not exactly a direct comparison but when I compare SSCP with other popular tech certifications, Microsoft for example, their fundamentals exams are 40-60 questions over 85 mins rather than 125 over 3hrs and $99 rather than $249. 

 

I'm not privy to the decision to explore another exam, vs updating the SSCP (albeit I would expect hesitation to change the SSCP drastically due to the impact on existing SSCP certified members), but I do see the need for something super accessible. And I agree with you, there are other certification avenues needing to be explored also. 

 

Best

James

tmekelburg1
Community Champion

@dcontesti I didn't develop the SSCP exam but I have that cert and CompTIA's Security+ cert. While some of the domains between the two are different, they are definitely comparable in a lot of ways (at least in 2018). I view Security+ as an entry level cert with the only difference being you don't have to have the one year experience to get the full cert. CompTIA did add a fundamentals cert that's supposed to be taken before the A+ so that could be what they are trying to do here.   

 

I have a few guesses but that's all they are at this point.

  • Business decision because there is a bigger market for entry level rather than current experienced professionals seeking certs.
  • Trying to focus on the "what" and "why" we do certain things rather than "how" a particular process works, e.g., cryptography. OJT can help fill in the gaps or studying for higher level certs.
  • The SSCP, while entry level, is rather broad for the necessary knowledge needed for an entry level SOC 1 analyst.

All this being said, I hope it helps alleviate the shortage but my cynical side thinks this is more of an issue with employers not being realistic with their job requirements for entry level staff. 

  

josephjreuter
Viewer

Just my 2 cents. The CompTia A+, Net+, and Sec+ fill this niche and I'm not sure whether ISC2 needs an entry-level certification. It probably won't dilute the value of our existing certifications but battling for novice level shelf space with EC Council and CompTia may not be the best return on investment. 

nkeaton
Contributor I

I think that this is very exciting.  First for anyone that brought this up, the SSCP is NOT an entry level certification.  You need documentable work experience for it but not nearly as much as the CISSP.  I would hope that this could create a path with this new certification, SSCP, and CISSP.  The SSCP is superior to Security+ and is much more affordably priced.  The SSCP's numbers have not been good compared to Security+, but CompTIA does not require work experience.  So I hope that I can be part of the development of this new certification.  We should all help if we can.  

TrickyDicky
Contributor II

OK, so I think I now have a handle on this, and I genuinely don't think this is me being cynical.

 

Currently a member has to have at least one years practical experience in InfoSec to be a member of (ISC)2 (they join as an Associate without that experience, but they don't have full membership rights until such time as they gain the experience). Therefore, we can easily describe (ISC)2 as a membership organisation that is limited to "Information Security Professionals and Practitioners". BTW, I'm really proud to be included in that cohort, and proud of my membership as a practitioner, and as a professional. 

 

What's going to happen with the new certification is that anyone e.g. the finance guy, the sales guy, the office manager or the plumber, electrician, or carpenter, can become a FULL member of (ISC)2. They don't have to be working in the industry, or even have any intention of working in the industry. They just have to pass an easy test to ensure they know the "fundamentals" of infosec.

 

With this initiative, (ISC)2 will no longer be a membership organisation that represents my "tribe". I'll need to search elsewhere for that.

So why would they open membership to non-professionals? Because (ISC)2 reckons that there's a huge un-tapped revenue stream of people that don't currently qualify for membership (=Annual Maintenance Fees) because they don't work in the infosec space. 

 

So - Board Members that have approved opening up our membership organisation to non-professionals and amateurs, have you really thought through the potential impact on those of us that are proud to be part of a PROFESSIONAL consortium (where membership really means something, and can be worn as a badge of pride)? 

 

If anyone can recommend to me an organisation for security professionals, then please reach out. I don't think (ISC)2 is going to tick that box anymore. 

 

N.B.  I'm entirely open to rebuke if anyone thinks I'm reading this all wrong. As a former Board Member, I'm seriously trying to help the organisation recover from what I see as a serious mistake, and an opening of Pandora's Box. 

nkeaton
Contributor I

TrickyDicky, I respectfully disagree with your assessment.  I am very excited about this certification as a pathway to bringing people into the profession.  I work with our cybersecurity workforce and with others such as aspiring cybersecurity individuals in Women in Cybersecurity (WiCyS) and other groups.  As professionals we need to give back to the profession, and I work at this every day.  I want to be part of this and have been passing my enthusiasm on to others, including my fellow CISSPs and non (ISC)2 members.  We have a very unique opportunity here.  I hold 4 (ISC)2 certifications including the SSCP and CISSP.  I also hold a Security+, and the SSCP is similar but superior in many ways.  So help the profession, and sign up for the pilot.  Help make this a great entry level certification.  We are not too elite to help others to achieve success and improve our profession. 

dcontesti
Community Champion

Unfortunately, I agree with TrickyDicky on this one.

 

There are too many unknowns with this certificate/certication.  Are there AMF's required, what about CPEs?  Do these folks becoming members of the organization?

 

Is the cert really for the Newbee?  I looked at the JTA information and do not think that someone without experience will know anything about BCP/DRP (remember in many organizations (larger) this may be an entirely different department) but this Cert is asking for the candidate to have that knowledge.  Additionally some of the other domains may be well past the knowledge of that new person.

 

Of course, we do not know how many domains the candidate can actually fail and still be able to pass the exam.

 

In my mind, this addition while on the surface seems to be helping the profession, my have been better done using training courses to that end

 

Additionally, you will now have a cert that requires NO experience and one that requires a minimum of ONE year experience (of no experience with a degree).  Maybe it's time that the standard for the SSCP to changed?

 

My view, we are quickly becoming a paper mill and the value of the certs are at stake.

 

d

 

TrickyDicky
Contributor II

@nkeaton The fact that we can disagree is part of what makes us professional. 

Just to clarify my earlier point (and thanks @dcontesti for the clarification), I'm not against supporting and encouraging new entrants to the profession (my understanding is that Diana was the instigator of the Women's Scholarship Programme that encouraged women to educate themselves and train in the field); we were both involved in setting up the Foundation, which later became the Centre for Cybersafety & Education; and again both involved in setting up the Associate programme for those new to the profession who had the required knowledge but not yet the experience to be considered professionals. 

 

The word "professional" is really the crux of my argument. When I sit down a table at Congress, or at my local Chapter, or at a regional Member Seminar (I remember those well), I want to be able to speak with the member sitting beside me about security (as a fellow professional). 

 

If I want to talk to an accountant, a nurse, an engineer, a lawyer, there's lots of opportunities to do so. These professions all have their own membership bodies, and membership of those bodies are restricted to members of those respective professions.

So the argument that I'm making is, in simple terms, is: Is CyberSecurity a profession? Because if it's not, I've been kidding myself for the past 30+ years. The reason that I sat my (ISC)2 exam back in the late 1990s, was that I wanted to be recognised (by fellow security professionals, by my employers, by other professions) as a professional. I've maintained my membership since then (It's never been a requirement of my employment), and volunteered for more than 20 years to make (ISC)2 a better organisation for serving it's members. 

 

I fully agree with most of what you say.  I also believe that "As professionals we need to give back to the profession" and "We are not too elite to help others to achieve success and improve our profession". My argument is that by opening up full membership of our professional body to non-professionals is not something that I think benefits the current membership (or the profession). There are other mechanisms that we can employ to help new entrants to the industry, and when they have sufficient knowledge and experience, and demonstrate this through passing their exam and gaining endorsement for their experience, I'll be at the front of the queue to welcome them into the profession as fellow members. 

 

I hope this helps clarify, and apologies for the long-winded response. 

 

 

nkeaton
Contributor I

I am sorry that not everyone shares my enthusiasm about this new certification.  I looked at the objectives when they were first posted.  I think that it is a good measure of entry level knowledge.  Yes, they will have to read and understand, but I have never taken a certification exam without some studying ever.  I did do the JTA when it was offered and have volunteered to be part of the process of building this certification and have encouraged others of all levels to do so also especially since (ISC)2 asked for that.  I hope that I am selected.  I have participated in other exam development workshops and taken some beta exams.  I work with groups where people want to take the CISSP with zero experience, and I am not a fan of that option at all for many reasons.  So I look at this as a possible start of a pathway to becoming an actual professional and CISSP.  We all started somewhere to be where we are now.  My job is with our cybersecurity workforce.  Not to speak badly of CompTIA, but well over 500 of them have Security+.  We only have about 80 CISSPs.  I have a couple of CompTIA certifications but will admit that I am kind of tired of Security+ being the benchmark.  It is very similar to SSCP in many ways and have wished for a long time that it was what people would strive for and have often suggested it as a step towards the CISSP.  I agree that we do not really know what the requirements will be to get and keep it, but then we only guess now at what the expected results are for our other (ISC)2 exams.  I think that zero experience for Certification X (IX certifications are on the books), one year for SSCP, and five for the CISSP seems like a good pathway to me. 

 

TrickyDicky, thank you for acknowledging that it is alright for us to have different thoughts and explaining yours.  I had a Spanish teacher years ago that told us to never go down to anyone else's level but make them come up to ours.  Unfortunately his words worked completely the opposite on me.  I feel as a professional that it is good to be able to communicate at their level but also to make them better and help them to grow.  I also have well over 30 years in IT, the last 13 in cybersecurity.  I encourage people at work and in other groups.  I hope to help people become their best.  I do like to talk with people at the level I have learned, but I don't want to exclude those who are not there yet.  Your accomplishments sound awesome to me, and you have every right to be proud.  I don't really ever talk about this, but I don't use my lengthy alphabet soup after my name mostly because I want to engage people without them thinking that I might think that I am at a higher level than them.  I am very proud of my accomplishments, but then maybe I am just good at taking exams.  Who knows?  In the last few months I have had a couple of pentesters criticize me because I am not a "real" professional because I can talk the talk but not walk the walk.  True, I can't hack my way out of a paper bag, but I know that they can't see the big picture.  Our profession needs all of these different skillsets.  I definitely don't want the mechanics flying the airplanes as an analogy. 

 

Best wishes for all of us and hoping the best at building an World class entry level certification.

Kaity
Community Manager

Thank you for your questions and comments, everyone! Please continue to share feedback with us.

 

This new entry-level certification is still in its pilot phase, so there are still many details being finalized. We look forward to sharing answers with you about the program in the new year. We can all agree that we need more people to enter the field, and employers need to have confidence in those just starting out that they will be strong candidates for future growth and development, and are worth investing in and nurturing.