I would like to propose a change to the prerequisite for qualifications:
I propose that the “Associate” status is dropped completely, and that a 3 or 4-year SSCP in good standing requirement be implemented prior to being qualified to sit for the CISSP.
The CISSP concentrations already follow this model. It also provides a model where more technical and less experienced folks will experience a greater level of exam success.
This tiered model is similar to the Professional Engineer (“PE”) qualification that requires the applicant to pass a general engineering exam and serve as an Engineer In Training for a period of time before being qualified to earn the PE.
I believe that this would have several benefits for the community.
First, it would re-elevate the CISSP prestige to a credential that is distinct in this industry but similar to other professions (Engineering, Accounting, etc.) as one that requires accumulating verifiable successful experience through passing an entry level test (through the SSCP) first, and then working in the field for a mandatory number of years before pinning on the flagship credential.
In my opinion and in my observations, the Associate CISSP qualification has diminished the relevance of the SSCP. Dropping the Associate CISSP and making the SSCP a pathway to the CISSP would make the SSCP relevant both on its own again and as a career pathway toward the CISSP.
Third, in my opinion and observation management and human resources professionals do not fully appreciate the difference in experience between the Associate CISSP and the full CISSP. Both of these credentials appear to lay-persons as "the CISSP". This sets up the CISSP for failure when Associate CISSPs, with significant CBK knowledge but not necessarily the experience, fail to perform to the level expected of CISSPs with years of experience. Dropping the Associate CISSP would start a course correction for business and human resources leaders in how they view the capabilities and relevance of CISSPs.
Respectfully,
Eric Baechle
Perhaps when one passes the exam, they ought to be titled "CISSP apprentice". Once they have attained the necessary experience, they gain the title "CISSP". If they let their certificate lapse, they get the title "CISSP emeritus".
Yes Eric, I read it. If employers are likely to give preference to an Associate of CISSP over an SSCP, it's indeed a cause for concern.
Honestly, I'm still a bit shaken by it all, so I would rather not reply to that post --- hopefully someone from (ISC)2 will provide guidance, with an assurance that they are in the process of addressing this.
William,
I'm not in favor of confusing the titles at all. If we are going to do this, I would like to see a specific title that doesn't confuse a full certification with someone who has passed a test. For example, the engineering community uses "Engineer In Training" as a first step.
So, "Security Professional In Training" would be a good title for someone who has only passed any of the exams.
A title like this is unambiguous even if someone swapped their certification goal:
SSCP In Training
CISSP In Training and so forth.
Sincerely,
Eric B.
I think there are other more concerning issues, like parties claiming to have the CISSP when they don't, or putting a vague statement like "CISSP (studying)" on their resume when they've not paid their fee, studied for, entered the exam, taken the exam, got a pass, etc. And they can still get hired!
Fraudulent misrepresentation of qualifications/competence is a criminal matter in the UK already.
It won't stop some organisations hiring someone that they suspect is unqualified if their motivation is to have a fall guy whom they can blame for providing bad (unqualified) advice in the event of a breach.
Steve,
I appreciate your feedback, but I think our conversation is off target on the desired purpose and intent for this suggestion.
@Steve-Wilme wrote:
Fraudulent misrepresentation of qualifications/competence is a criminal matter in the UK already.
In the U.S., there are also criminal anti-fraud laws but I would venture to say that law enforcement aren’t the “fraud police.” Instead, fraud is typically handled as a civil matter in the U.S. except in cases of extremely high dollar amounts and numbers of victims; or fraud that involves the financial organizations, telecommunications, or mail.
@Steve-Wilme wrote:
It won't stop some organisations hiring someone that they suspect is unqualified if their motivation is to have a fall guy whom they can blame for providing bad (unqualified) advice in the event of a breach.
You’re right, but that’s not the intent with this suggestion. The goals are:
I understand that #2 may be less of a concern in the U.K. exiting the E.U., but Europe is already on this path and there has been a steadily rising call for it in the U.S. as well. In fact, in the U.S. many features of information technology security have already been litigated in court as requiring a license of some kind. For example, many States in the U.S. require those performing the collection of digital forensic evidence to hold a Private Detective/Investigator license. Additionally, some court decisions apparently lean toward those performing IT-security services “for hire” having State licensing as a Security Guard.
While it may seem silly requiring CISSPs to have a “Security Guard” license, the reasoning presented by State licensure boards is not unreasonable. In older organizations of the CISSP Domains, “Physical Security” and “Law” were actual distinct topics in the CBK. Even today, but buried under other Domains such as Access Management and Security Operations, we still require folks to consider and provide input into physical access. In many States, the design, specification, conduct of security surveys, and establishing of physical security requirements leads to a requirement for licensure as a “Security Guard” service or as an individual if providing those services “for hire”. So, in a couple of places this has bled over into our world already.
Sincerely,
Eric B.
The CISSP certification is designed for Chief Information Security Officers, Security Managers, Consultants and Analysts, as well as, Directors of Security. In short: information security professionals working in senior managerial security roles.
The SSCP is aimed at those who want to build and prove their essential cyber security skills and are currently in a hands-on information security role. The SSCP is a great certification for Network Security Engineers, Security Administrators and Systems Engineers.