Re: Retired CISSP Problematic Requirement

CraginS · ‎01-26-2019

Last year I retired from active full time employment, but continue to stay current in the field, try to contribute where I can, and accept a small stipend for assisting a university in academic efforts in cybersecurity.

The distressingly steep in increase in AMF costs just announced has me considering a change to CISSP - Retired status at the end of my current three-year certification period, on October 31, 2020.

However, one of the requirements for CISSP Retired status is the following:

No longer practicing or employed as an information security professional (including consulting, private and public sector work)

The phrase "practicing or employed" leads me to interpret the requirement so I cannot even advise students in cybersecurity work, whether paid or not, and hold the status of CISSP Retired.

As I read the (ISC)2 statement on use of the trademarked term CISSP, it appears that once I am neither CISSP nor CISSP Retired I am not allowed to to use statements such as former CISSP, 2002-2020.

This is a disturbing situation.

For now, it appears that after 10/31/2020 my only option is to declare, "previously professionally certified in information security, 2002-2020."

Others thoughts, especially @rslade and @Caute_cautim, on my interpretation and the situation?

D. Cragin Shelton, DSc
Dr.Cragin@iCloud.com
My Blog
My LinkeDin Profile
My Community Posts

wimremes · ‎01-26-2019

I do not think that teaching/mentoring even in an official capacity at a college/university would prevent you from being able to use the retired status.

Sic semper tyrannis.

rslade · ‎01-26-2019

> CraginS (Advocate I) mentioned you in a post! Join the conversation below:

> Last year I retired from active full time employment, but continue to stay
> current in the field, try to contribute where I can, and accept a small stipend
> for assisting a university in academic efforts in cybersecurity. The
> distressingly steep in increase in AMF costs just announced has me considering a
> change to CISSP - Retired status at the end of my current three-year
> certification period, on October 31, 2020. However, one of the requirements
> for CISSP Retired status is the following: No longer practicing or employed as
> an information security professional (including consulting, private and public
> sector work) The phrase "practicing or employed" leads me to interpret the
> requirement so I cannot even advise students in cybersecurity work, whether paid
> or not, and hold the status of CISSP Retired.

Huh. Interesting point. About employment, anyway.

"Practicing" usually means paid. I suspect that the "practicing" is just in there to
cover contractors and such who are not employees. I advise people, usually
candidates for the exam, but I don't get paid for it, so I would definitely say I'm
not practicing. You might be sailing close to the wind with the stipend, but I'd say
it fits in with pretty much the run of the mill as far as "retired" status in most
fields.

(However, I'd go with the code of ethics on it, and say that the minor violation of
contractual wording was more than overcome by the benefits to the profession,
and to society.)

ISC2 might want to revisit the wording of that section of the retired status. (It's
looking less and less useful the more I hear of it.)

> As I read the (ISC)2 statement
> on use of the trademarked term CISSP, it appears that once I am neither CISSP
> nor CISSP Retired I am not allowed to to use statements such as former CISSP,
> 2002-2020. Â This is a disturbing situation. For now, it appears that after
> 10/31/2020 my only option is to declare, "previously professionally certified in
> information security, 2002-2020."

I'd say that, as long as you don't claim a current CISSP, you can still use those
letters somewhere in your CV without running too far afoul of trademark law.
Legal cases are always iffy, but lots of people use those letters in lots of articles in
the press every single day and don't get sued by ISC2. They'd have a hard time in
court as long as you only say what is true.

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
The Internet may promise to improve the way we educate and learn,
but so did early television. TV technology has instead reduced
our attention spans, reduced intellectual conversations to sound
bits, and left us with the impression that in order to be
informed, we must first be entertained. - Lew Platt, of HP
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://is.gd/RotlWB

............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468

Caute_cautim · ‎01-26-2019

@CraginSTechnically you are still contributing to the community and therefore you have not formally retired, from my perspective of the situation. Given the world is calling out for more experienced security practitioners by 2020 approximately 1.5 million shortage is forecast.

I would hasten to forecast even from where I reside in New Zealand, that many professionals continue to the ripe old age of 70 years old, which is often the case.

It would appear by contributing to the University or even teaching would earn you CPE's and technically you contributing to the profession and the community as a whole.

I have a colleague who went into formal retirement this year, yet technically he is still contributing to the community and earning CPE's and has not as yet formally retired from ISC(2) - currently he is visiting other ISC(2) groups and supporting them and encouraging them due to the lack of CISSP certified professionals in the area he is visiting etc.

I think once again this is another area, which out of step with reality, which those of us in the private sector, see every day and appreciate the dilemma that many organisations have at present.

Regards

Caute_cautim

Early_Adopter · ‎01-27-2019

Personally I think the CISSP retired is just the wrong solution to the issue of security professionals who may be on a reduced income because of retirement and it doesn’t address study, time off for illness disability, family etc.

It’s also age discriminatory, and I’d figure retired folks would like to keep up and keep submitting CEUs etc. Unless of course they are loaded an spending all their time in Vegas and Swimming with the dolphins - and then they can probably well afford the membership fees.

Mf feeling is that for folks who can demonstrate a low income is that membership fees should be lowered to perhaps 30-50 USD per annum(self certified code of ethics applies, honour bar etc). Most of us are down with the cooperation side of prisoners dilemma in any case so properly audited it wouldn’t be an issue. if you’re paying reduced fees and folks are verifying you CISSP or other certification maybe ISC2 could ask if you got the job a month later...

In cases of extraordinary hardship maybe we should have a reveiwed membership waiver in place.

rslade · ‎01-28-2019

> Early_Adopter (Advocate I) posted a new reply in Career on 01-27-2019 08:36 AM

> Personally I think the CISSP retired is just the wrong solution to the issue of
> security professionals who may be on a reduced income because of retirement and
> it doesnâ€™t address study, time off for illness disability, family etc.
> Itâ€™s also age discriminatory, and Iâ€™d figure retired folks would like to
> keep up and keep submitting CEUs etc. Unless of course they are loaded an
> spending all their time in Vegas and Swimming with the dolphins - and then they
> can probably well afford the membership fees. Mf feeling is that for folks
> who can demonstrate a low income is that membership fees should be lowered to
> perhaps 30-50 USD per annum(self certified code of ethics applies, honour bar
> etc).

I'd be down with that: I could probably get a rebate on most of my AMFs for the
past couple of decades ...

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
[He] had met decent men and fools and people who'd steal a penny
from a blind beggar and people who performed silent miracles or
desperate crimes every day behind the grubby windows of little
houses, but he'd never met The People - Night Watch, Terry Pratchett
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://is.gd/RotlWB

............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468

Batman-15 · ‎01-07-2020

Good Morning:

I am thinking about retiring as a 10 year CISSP. However, after reading the ISC2 requirements and this exchange, I am wondering, outside of having access to ISC2 meetings and materials, what good is the designation of CISSP Retired? What does one list on a resume regarding their 10 years of credentialed history if one wanted to take on part time Information Assurance and Security work after retiring? In addition, if I do take on part time work, what is the impact to my CISSP Retired credentialed standing?

Here is a different perspective. A standard four year college degree in Information Assurance requires 160 - 180 credit hours. Once completed, there is no requirement to continue your education to keep your degree status or list it on a resume. A 10 year CISSP will have put in 400 plus hours of continuing education after having passed the CISSP exam and apparently must continue to do so in order to list CISSP on their resume. This hardly seems fair or equitable to those of us who have paid our dues and kept in good standing for 10 years or more.

Another thought moving forward is that the CompTIA Advanced Security Practitioner (CASP) exam costs $379.00, the annual fee is $49.00 and the required CEUs are 75 for a three year period. The DoD has been accepting the CASP certification for meeting the 8570.01 IAT-3 requirement. If ISC2 is not careful in dealing with this issue, more people will elect to go with the CASP certification.

I am not sure what if anything I can list on my resume if I want to take part time work without violating the rules for being a retired CISSP. ISC2 should allow those of us who qualify to retire in good standing after 10 years to list it on our resume as such and not penalize us should we decide to take on consulting or part time work so long as we do not state that our CISSP is current.

Finally, it would be very helpful if an official representative from ISC2 would address these concerns.

Respectfully;

Mark Khan

CISSP (for now)

rslade · ‎01-07-2020

> Batman-15 (Viewer) posted a new reply in Career on 01-07-2020 12:29 PM

> Good Morning: I am thinking about retiring as a 10 year CISSP. However, after
> reading the ISC2 requirements and this exchange, I am wondering, outside of
> having access to ISC2 meetings and materials, what good is the designation of
> CISSP Retired?

The advantage, for ISC2, is that it ensures you have paid up all you AMFs, and it gives them an extra $100.

Oh, the advantage for you, you mean? Hmmmm. Tough one. I simply stopped paying ...

............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468

Caute_cautim · ‎01-07-2020

@Batman-15A colleague of my own in New Zealand has done the same thing. He has retired, but he carries on attending ISC2 chapter meetings and he shows the CISSP Retired designation on his e-mail signature. He even has his own business cards printed, indicating CISSP Retired, so he is being up front. However, he still goes out and consults and provides advice for a couple of days a week to keep the brain going. As he stated to keep it in learning mode, rather than going into a fixed mode, where the synapses are no longer challenged and firing and learning - which is exactly what the brain needs to keep it active.

He has been upfront, but he uses his experience, and he actively participates locally, and still a valuable asset to the community and the area he has retired too.

The advantage from his perspective, is he still has access to courses, especially short courses and this keeps his skills up, and access to research and knowledge as a member.

As we have seen in 2020 already, the world is moving so far, it is important to keep up to date or one quickly falls behind with the speed and agility of changes and the associated understanding of its implications.

Does other examination bodies provide same opportunities and access to membership courses even though they are short, keeps you up to date and relevant?

My own thoughts, given the fundamental issues we are facing right now with AI, Data, digital IDs and self Sovereignty, IoT, IIoT, OT and communications connectivity issues at speeds with devices being interconnected and along with this the issue of Deep fakes - many cannot tell the difference between what is real or what is no real - and now Forbes is stating that one needs to be a Home CISO in your own home to keep up with issues coming at us. It is important to keep in contact, via the community, by association and with access to learning material so you can keep relevant.

Regards

Caute_cautim

CraginS · ‎01-10-2020

@Batman-15 wrote:
...
Here is a different perspective. A standard four year college degree in Information Assurance requires 160 - 180 credit hours. Once completed, there is no requirement to continue your education to keep your degree status or list it on a resume. A 10 year CISSP will have put in 400 plus hours of continuing education after having passed the CISSP exam and apparently must continue to do so in order to list CISSP on their resume. This hardly seems fair or equitable to those of us who have paid our dues and kept in good standing for 10 years or more.

Mark,

Degrees and certifications are widely understood as different types of credentials. Showing you have a degree (or certificate of training) is a sign you completed a specific program successfully. There is no indication of experience or currency in the degree; that assurance would come from your subsequent work experience and other training. Showing you hold a particular certification is an indication you are currently capable in a specific skill set. The aspect of currency is critical, whether in medicine or automotive repair or cybersecurity.

This is the very reason that the US Defense Department set up the 8570 (now 8140) requirements to use approved certifications and ignored any degree requirements.

@Batman-15 wrote:
Good Morning:
...
What does one list on a resume regarding their 10 years of credentialed history if one wanted to take on part time Information Assurance and Security work after retiring?
...
I am not sure what if anything I can list on my resume if I want to take part time work without violating the rules for being a retired CISSP. ISC2 should allow those of us who qualify to retire in good standing after 10 years to list it on our resume as such and not penalize us should we decide to take on consulting or part time work so long as we do not state that our CISSP is current.

As I indicated in my post to start this thread, when the time comes I an considering phrasing along the lines of

Professionally certified in infosec [or cybersecurity], 2002 - 2021

Craig

D. Cragin Shelton, DSc
Dr.Cragin@iCloud.com
My Blog
My LinkeDin Profile
My Community Posts

Retired CISSP - Problematic Requirement