Community Champion

Re: Tiering the SSCP and CISSP

Perhaps when one passes the exam, they ought to be titled "CISSP apprentice". Once they have attained the necessary experience, they gain the title "CISSP".  If they let their certificate lapse, they get the title "CISSP emeritus".   

Community Champion

Re: Tiering the SSCP and CISSP

@Baechle

 

Yes Eric, I read it. If employers are likely to give preference to an Associate of CISSP over an SSCP, it's indeed a cause for concern.

 

Honestly, I'm still a bit shaken by it all, so I would rather not reply to that post --- hopefully someone from (ISC)2 will provide guidance, with an assurance that they are in the process of addressing this.


Shannon D'Cruz,
CISM, CISSP

www.linkedin.com/in/shannondcruz
Advocate I

Re: Tiering the SSCP and CISSP

William,

 

I'm not in favor of confusing the titles at all. If we are going to do this, I would like to see a specific title that isn't confusing a full certification for someone that has passed a test. For example, the engineering community uses "Engineer In Training" as a first step.

 

So, "Security Professional In Training" would be a good title for someone who has only passed any of the exams.

 

A title like this is unambiguous even if someone swapped their certification goal:

SSCP In Training

CISSP In Training and so forth.

 

Sincerely,

 

Eric B.

Contributor III

Re: Tiering the SSCP and CISSP

I think there are other more concerning issues, like parties claiming to have CISSP when they don't, or putting a vague statement like CISSP (studying) on their resume when they've not paid their fee, studied for, entered the exam, taken the exam, got a pass etc. And they can still get hired!

-----------------------------------------------------------
Steve Wilme CISSP-ISSAP, ISSMP M.Inst.ISP
Advocate I

Re: Tiering the SSCP and CISSP

Steve,

I understand that the problems you brought up are certainly frustrating issues. Now we have to figure out in the equation or chain of events that leads to the scenarios you brought up, what do we as a community have the power to change or influence?

Unfortunately, we can’t change the behavior of people that are intent on fraudulently representing their qualifications.

We can change the names of various distinctions so that they are less confusing about status to a lay-person. For example, “Associate of (ISC)^2” or what many people call themselves, “Associate CISSP” is extraordinarily confusing, while “Security Professional in Training” or “CISSP in Training” is very much less so.

There has also been a steadily increasing call for licensing of system security professionals separate from the CPA, PE, and Investigator licenses (for Audit, Forensics, and potentially incident response that may be quasi-LE). We as a community should be evaluating if we want to structure the credential to be a baseline in the event states begin to require licensing. That would also increase the potential penalty for representing one’s self as qualified if they are also presenting themselves as licensed.
Contributor III

Re: Tiering the SSCP and CISSP

Fraudulent misrepresentation of qualifications/competence is a criminal matter in the UK already.

 

It won't stop some organisations hiring someone that they suspect is unqualified if their motivation is to have a fall guy whom they can blame for providing bad (unqualified) advice in the event of a breach.   

-----------------------------------------------------------
Steve Wilme CISSP-ISSAP, ISSMP M.Inst.ISP
Advocate I

Re: Tiering the SSCP and CISSP

Steve,

 

I appreciate your feedback, but I think our conversation is off target on the desired purpose and intent for this suggestion.

 


@Steve-Wilme wrote:

Fraudulent misrepresentation of qualifications/competence is a criminal matter in the UK already.

In the U.S., there are also criminal anti-fraud laws but I would venture to say that law enforcement aren’t the “fraud police.”  Instead, fraud is typically handled as a civil matter in the U.S. except in cases of extremely high dollar amounts and numbers of victims; or fraud that involves the financial organizations, telecommunications, or mail.

 


@Steve-Wilme wrote:

 

It won't stop some organisations hiring someone that they suspect is unqualified if their motivation is to have a fall guy whom they can blame for providing bad (unqualified) advice in the event of a breach.   

You’re right, but that’s not the intent with this suggestion.  The goals are:

 

  1. to eliminate a confusing professional title of “Associate of (ISC)^2” that is abused, sometimes unwittingly, as “Associate CISSP”; and
  2. provide a credential that can stand as the basis of some future professional licensing program for technology-security specialists. 

I understand that #2 may be less of a concern in the U.K. exiting the E.U., but Europe is already on this path and there has been a steadily rising call for it in the U.S. as well. In fact, in the U.S. many features of information technology security have already been litigated in court as requiring a license of some kind. For example, many States in the U.S. require those performing the collection of digital forensic evidence to hold a Private Detective/Investigator license. Additionally, some court decisions apparently lean toward those performing IT-security services “for hire” having State licensing as a Security Guard.

 

While it may seem silly requiring CISSPs to have a “Security Guard” license, the reasoning presented by State licensure boards is not unreasonable.  In older organizations of the CISSP Domains, “Physical Security” and “Law” were actual distinct topics in the CBK.  Even today, but buried under other Domains such as Access Management and Security Operations, we still require folks to consider and provide input into physical access.  In many States, the design, specification, conduct of security surveys, and establishing of physical security requirements leads to a requirement for licensure as a “Security Guard” service or as an individual if providing those services “for hire”.  So, in a couple of places this has bled over into our world already.

 

Sincerely,

 

Eric B.

Newcomer II

Re: Tiering the SSCP and CISSP

The CISSP certification is designed for Chief Information Security Officers, Security Managers, Consultants and Analysts, as well as Directors of Security. In short: information security professionals working in senior managerial security roles.

 

The SSCP is aimed at those who want to build and prove their essential cyber security skills and are currently in a hands-on information security role. The SSCP is a great certification for Network Security Engineers, Security Administrators and Systems Engineers.