Endorsement - changed?

jonwinterburn Member Posts: 161
A friend has asked me to endorse him for SSCP, and I have no hesitation in doing so. However, his form looks different to the ones I submitted for my SSCP & CISSP. His asks for employment history (mine did not, I had to include my CV) and the statements I have to agree to tell me I have to phone his employers and verify his claims. What? That's for ISC2 to do, surely? If they wish to audit him. What are ISC2 thinking, asking me to phone his employers? I think it's unethical. Have they made a recent change?

Any thoughts? Thanks.

Comments

  • mjsinhsv Member Posts: 167
    I think it's unethical not to verify a candidate's experience if you don't know them personally.

    How else can someone verify a candidate's experience if they haven't known them for 5 years?
    Thought that was already the normal process.
  • jonwinterburn Member Posts: 161
    mjsinhsv wrote: »
    I think it's unethical not to verify a candidate's experience if you don't know them personally.

    How else can someone verify a candidate's experience if they haven't known them for 5 years?
    Thought that was already the normal process.

    I do know him personally. But I've never worked with him.
  • beads Member Posts: 1,531
    The endorsement process has had to change due to the proliferation of recent "fibbing" about one's background. Jennifer Minella (ISC2 Secretary) has led the fight to change if not drop the member endorsement requirement.

    Sounds like a compromise.

    -b/eads
  • mjsinhsv Member Posts: 167
    beads wrote: »
    The endorsement process has had to change due to the proliferation of recent "fibbing" about one's background. Jennifer Minella (ISC2 Secretary) has led the fight to change if not drop the member endorsement requirement.

    Sounds like a compromise.

    -b/eads

    b/eads is plugged in.

    If they drop the member endorsement requirement, is ISC going to perform the endorsement?
  • Chuzpah Member Posts: 68
    So if I understand correctly you need to work with the endorser for 5 years?
  • beads Member Posts: 1,531
    @Chuzpah;

    You could advertise in the Help Wanted ads for a CISSP endorsement these days and likely get endorsed doing so. More like 5 minutes than five years. When the peer endorsement first came out CISSPs were still rare where it would have been difficult outside of a major city to find an endorser. I am still the only CISSP-anything here at work on a team soon growing to a dozen.

    No, the idea of the endorsement was to have a CISSP, or higher, go through your background and resume in order to give the final endorsement. Self-enforcement is a critical rule of a professional organization, by the way. We fall woefully short on such a goal. Self-enforcement means that peer review can get you tossed from the profession. Doctors, lawyers, CPAs, even the professional bowlers association have better enforcement than the ISC2.

    Unfortunately, the real effect has been more of a sieve of new candidates that haven't lived up to the expectation that they have been completely honest about their candidacy. Much like resume stretching it reflects poorly on both the candidate and the certifying organization as a whole. Then again, you have to expect that whenever there is the promise of money around, so that's hardly a new concept.

    A renewal cycle ago, for myself that is, there was a push to do away with the peer endorsement requirement and just have the ISC2 do the final. A compromise was probably reached or never went anywhere. Wasn't in any meeting minutes to be conclusive. My personal gripe here has been consistent: We as an organization of certification holders want all the prestige and respect of being a professional organization but cannot organize ourselves into enforcing such. It's called organizational hypocrisy. Do as I say but not as I do.

    - b/eads
  • justjen Member Posts: 77
    I didn't realize how fortunate I was, that I work with a friend/colleague who is a CISSP in good standing and has agreed to endorse me. We have worked together on the enterprise security team for 6.5 years, so he has first hand knowledge of my skills and experience for that timeframe.

    Wow, bullet dodged.
  • Khaos1911 Member Posts: 366
    Not to hijack the thread, just want to ask for some advice.

    I recently passed CISSP exam and a senior colleague at work agreed to endorse me, but he is dragging his feet. Keeps telling me in passing he's going to do it, this is like the 4th day in a row he was like "oh yeah, I gotta do that. I'll get it done today." I'm really not that stressed, I think he'll do it (eventually) but I wanted to beat the rush of you mofos who passed in the last few days :) How long should I give him before I move on to another endorser, he's on my team and I have a lot of respect for him. Just don't want to step on any toes or ruin a relationship, yet I also want my friggin cert. I studied too hard and put in too much time just to let somebody essentially waste my time.
  • beads Member Posts: 1,531
    From a practical standpoint it really depends on how many other CISSPs you're likely to be introduced? Sounds like this person is a bit reluctant to do a sign-off on ordering lunch - let alone the CISSP. If you're in a major market and can afford the time to find a back up resource to do your sign-off then I would start. Otherwise, try to sit down with your endorser over coffee or whatever and have a discussion as to why the reluctance. See if there isn't some common ground or build some more confidence in your candidacy.

    Then again, some people never want to take any responsibility for anything, anytime, anyhow.

    Wishing you good luck with the endeavor.

    -b/eads
  • Robertf969 Member Posts: 190
    The Endorsing (ISC)2 Endorser doesn't have to know the Candidate for 5 years to endorse them for CISSP, but they are ethically bound to verify the experience put on the resume. My endorser was my Advanced Networking Instructor and he knew me for a month. But he did call my references. And if you are that concerned you can have (ISC)2 do the endorsement for you, but I hear it takes a couple weeks longer, but hey you probably won't get audited.
  • Khaos1911 Member Posts: 366
    ISC2 endorsing you, that is you being audited, lol.

    No worries about the work experience, I have that. I also know another guy on the application security team (I'm network Security) who is certified and he's my back up. Really wish I had asked him first, but the guy on my team was so supportive and...On my team, lol. We have a team outing tomorrow, will see if I can get something out of him or at least let him know that I "know you're a busy guy, I can get another endorser and our working relationship will still be fine, no biggie." Or something to that effect. Thanks for your replies.
  • Chuzpah Member Posts: 68
    Thanks for the clarification Beads. I do have someone I can use as an endorser but I have only worked with them for 3 years.
  • beads Member Posts: 1,531
    Endorsements would have come to a standstill the first time someone had to meet the requirements otherwise. LOL!

    I live in Chicago and had a hard time finding someone as I worked for myself for 15 years in a small office, stopped going to BurbSec or ChiSec meetings, etc. years beforehand. Too many recruiters pestering us about jobs no one was going to take in the first place, etc.

    The unfortunate part is that the endorsement process has become a bit too loose at times as well.

    - b/eads
  • sponge2 Member Posts: 38
    I routinely get asked by members of my (ISC)2 Chapter for endorsement as they do not have anyone to help them. As I am a chapter officer I consider this a part of my volunteer duties.
    I reach out via email and verify the work experience. Once I get the verification I complete the form explaining that I am a chapter officer and have verified experience via email.
    This has worked for many candidates.
  • kleecksj Member Posts: 11
    I completed my CEH last month and EC-Council has no problem reaching out to employers to verify the candidate's experience (required two years in at least two security domains within an enterprise/corporate environment). Both the candidate and the employer fill out a form and submit to them for review during the application process. I don't understand why (ISC)2 couldn't do the same. (Except that relying on the community eliminates a level of logistical administration on their parts.)
  • jonwinterburn Member Posts: 161
    kleecksj wrote: »
    I don't understand why (ISC)2 couldn't do the same. (Except that relying on the community eliminates a level of logistical administration on their parts.)

    That's the crux of it, I think. They want to save time and money by pushing the verification on to members. Considering the high cost of exams, official books (which thus far have proven to be utterly shoddy workmanship) and inflated membership fees, together with the fact you can't use CPEs on both SSCP & CISSP even though some of the time they overlap perfectly, I think asking members to essentially audit aspiring members is too much. If I received a call from someone purporting to be associated with one of my former employees - and it wasn't another employer or official body like ISC2, but an individual - I'd immediately assume it was social engineering.

    Whichever way, my friend has gone down the ISC2 application route. Let's see if they contact his employers. I highly doubt it!
  • kleecksj Member Posts: 11
    ...the fact you can't use CPEs on both SSCP & CISSP even though some of the time they overlap perfectly...

    What?! Really? This was a big question for me as I'm strongly considering (ISC)2 and wasn't sure if I should ease in with SSCP before my CISSP. If I went that route I'd have my ECE Units and two sets of (ISC)2 continued education hours to get in. I will probably just wait a bit longer and sit the CISSP.
  • jonwinterburn Member Posts: 161
    Unless I've misunderstood their policy. But it certainly looks that way. They specifically say that CISSP concentration CPEs will be counted towards CISSP, but don't offer the same option for SSCP and CISSP. And when I go to manage my CPEs, I have to specify which one I am applying the CPEs to.

    I may just let my SSCP expire, as it was only ever a way of preparing myself for the CISSP. I never see it required in any job application.
  • JoJoCal19 Mod Posts: 2,835
    Rather than fudge around with the whole endorser thing I decided to just let (ISC)2 do my endorsement. I didn't personally know anyone with a CISSP, and the only person I had connections to at my employer at the time with a CISSP was this airhead manager who took weeks between emails and I didn't feel like dealing with them during the process, potentially dragging it out longer. It probably did take a week or two longer to let (ISC)2 do it, but I also felt more comfortable giving them my manager and employer's contact info and my resume for them to verify everything.
    Have: CISSP, CISM, CISA, CRISC, eJPT, GCIA, GSEC, CCSP, CCSK, AWS CSAA, AWS CCP, OCI Foundations Associate, ITIL-F, MS Cyber Security - USF, BSBA - UF, MSISA - WGU
    Currently Working On: Python, OSCP Prep
    Next Up: OSCP
    Studying: Code Academy (Python), Bash Scripting, Virtual Hacking Lab Coursework
  • dave0212 Member Posts: 287
    Unless I've misunderstood their policy. But it certainly looks that way. They specifically say that CISSP concentration CPEs will be counted towards CISSP, but don't offer the same option for SSCP and CISSP. And when I go to manage my CPEs, I have to specify which one I am applying the CPEs to.

    I may just let my SSCP expire, as it was only ever a way of preparing myself for the CISSP. I never see it required in any job application.

    I haven't done any self submit ones for a while, but the auto allocated ones from things like SC Mag webcasts are applied to both CISSP and SSCP

    Also my SSCP rollover credits appeared on my CISSP as Group B credits
    This week I have achieved unprecedented levels of unverifiable productivity

    Working on
    Learning Python and OSCP
  • beads Member Posts: 1,531
    Most of my group A credits appear on both my CISSP and ISSAP. Otherwise I'd be looking at 80 or 120 credits a year of CPEs. OK the current 40 still feels nuts until I stopped and took real notes and organized my CISSP audit folder in my email. Now, I can safely say I have 100s of CPEs just waiting for the opportunity to be audited.

    - b/eads
  • mjsinhsv Member Posts: 167
    Can we use time spent on this forum for CPEs?