ISC2, Certifications and the Future of Security Education
Is the CISSP a silver bullet for security certification?
As security threats in the modern world continue to grow, so too does the need for security professionals. One of the ways to meet that need is by way of training and certification.
The International Information Systems Security Certification Consortium, (ISC)2, is one such security education and certification body, with some 80,000 certified members. (ISC)2 is also home to the Certified Information Systems Security Professional (CISSP) program, which is one of the leading security certifications in the industry today. This week, (ISC)2 launched a new charitable foundation and the formation of a global chapter program as part of its overall goal of improving and expanding security education.
"We have a dire need for more security professionals in our space," Hord Tipton, executive director of (ISC)2, told InternetNews.com. "Our research shows that we will be two million professionals short of what we will need by 2015."
By 2015 there will need to be 4.25 million professionals to address basic information security needs and, currently, there is zero percent unemployment in the IT security space, which leads to the question of where the next generation of professionals will come from.
"Our schools are just not putting out the types of people that are suitable to hit the ground running," Tipton said. "So we're trying to do our part by making opportunities for our members to go into schools and teach our kids how to be safe and secure online."
Additionally, the goal of (ISC)2's outreach is to let kids know there are career opportunities in the IT security space that pay well. Through the Foundation, (ISC)2 is providing scholarships to help further security education and training. (ISC)2 is also aiming to grow the number of women in IT security -- currently, a male-dominated profession.
The new chapter component of (ISC)2 is all about creating local points of community for security professionals. Tipton said members will now have the opportunity to gain educational credits and bring new members into the (ISC)2 system.
Another focus for Tipton is to help people understand what security certification is all about. Currently, there are a number of myths and misconceptions about what (ISC)2, and the CISSP certification in particular, actually represent. A common problem is that HR folks don't have in-depth knowledge about security certifications and what they mean. As such, they tend to hire based on the most popular certification, thinking that certification can be a magic bullet for security problems. This is not the way the system works.
"Each of the credentials that are out there have a purpose and one needs to be thoughtful in the interview process to not only hire a CISSP, but a CISSP that has experience in the area the company wants them to concentrate on," Tipton said.
Tipton noted that (ISC)2 members have expertise levels in anywhere from 15 to 20 different technical areas. That said, he added that he was not aware of any one CISSP that had expertise in all 20 areas. "Sometimes people expect a CISSP to have a big Superman cape on their back and that sets the expectation bar way too high. The myth that CISSPs can do everything needs to be set aside. As their leader, I'm telling you that no certification is a silver bullet for anything."
Overall, the goal of (ISC)2 is to continue to help make it clear to people that there is nothing that happens around us that is not digital in nature. As such, there needs to be a level of understanding and security education in the community at large.
"We cannot expect our IT professionals to always keep us out of trouble," Tipton said. "There has to be a holistic approach that involves everyone from the grade school kid all the way to the NASA scientist and the people at NSA with classified systems, to have the right expertise and knowledge to do their job."