CISSP Sponsor and Requirements

kerx

Hi all,
It says on the requirements list to achieve the CISSP you must have someone with an existing CISSP sponsor you. Does anyone have suggestions on what route I could take to accomplish this? I doubt that everyone who goes after the CISSP has a pre-existing CISSP sponsor them.

Thanks!

cyberguypr

Some people try to find a random CISSP to endorse them, which goes against the rules since the whole point is to get someone who knows your career history. It aggravates me seeing those requests pop up on LinkedIn all the time. The alternative is to have ISC² endorse you.

Per ISC2:

If You Do Not Have a Credentialed Endorser and Need Assistance
If you cannot find a certified individual to act as an endorser, (ISC)² will act as an endorser for you in consideration of which, (ISC)² will require the same documentation that is submitted by a candidate who is randomly selected to be audited.

https://www.isc2.org/endorsement-form.aspx

JoJoCal19

cyberguypr wrote: »

Some people try to find a random CISSP to endorse them, which goes against the rules since the whole point is to get someone who knows your career history. It aggravates me seeing those requests pop up on LinkedIn all the time. The alternative is to have ISC² endorse you.

https://www.isc2.org/endorsement-form.aspx

Odd you say that because ISC2 says to do exactly what you are saying goes against the rules.

Per ISC2:

Use this form only if you are unable to secure a qualified (ISC)2 certified professional to endorse you. Endorsement by (ISC)2 maytake up to 6 weeks. Please consider finding a qualified member to endorse you by using any of the following resources: (ISC)2 MemberDirectory, ISSA chapters, LinkedIn, Facebook, and Twitter.

RTmarc

cyberguypr wrote: »

Some people try to find a random CISSP to endorse them, which goes against the rules since the whole point is to get someone who knows your career history. It aggravates me seeing those requests pop up on LinkedIn all the time. The alternative is to have ISC² endorse you.

This is nonsense. As stated by JoJoCal, this is exactly what the (ISC)2 recommends before restorting to them doing it.

I have endorsed several people I had not previously met for their CISSP after verifying their experience.

cyberguypr

I think JD has touched on this before. I know he has endorsed people so hopefully he'll add his comments soon. My personal view is that I fail to see how someone can randomly vouch for someone else's qualifications. How would that conversation go? "Hi Mr. CISSP, I am CyberGuyPR. I just passed the test and need someone to endorse me." By endorsing you are certifying that you know a person and his professional qualifications. Don't get me wrong, it s totally doable if the endorser is willing to invest time verifying what the candidate claims, but I wonder how many will actually perform due diligence.

RTmarc

cyberguypr wrote: »

My personal view is that I fail to see how someone can randomly vouch for someone else's qualifications. How would that conversation go? "Hi Mr. CISSP, I am CyberGuyPR. I just passed the test and need someone to endorse me."

As opposed to the random (ISC)2 employee endorsing someone?

cyberguypr wrote: »

By endorsing you are certifying that you know a person and his professional qualifications. Don't get me wrong, it s totally doable if the endorser is willing to invest time verifying what the candidate claims, but I wonder how many will actually perform due diligence.

There is nothing that says I have to "know" the person to endorse them. The verification phase is to verify the person actually has the experience he or she claims to have. Nothing more, nothing less. If the endorser does not complete the due dilligence necessary to properly vett the candidate, it becomes an issue of ethics adherence of that person. I see no issue with anyone endorsing a candidate provided they meet the requirements set by (ISC)2 and they complete the necessary level of due dilligence.

TBRAYS

I agree with Cyberguypr, if you don't know someone how can you vouch for their experience, anyone can put anything on paper or on (ISC)2 MemberDirectory, ISSA chapters, LinkedIn, Facebook, and Twitter. C'mon people, its simple, find someone that can attest to your experience e.g. co-worker, personal friend, previous supervisor whom carries the credential. Its just like social engineering, I can tell you what you want to hear or show you what you want to see just to get you to endorse me. Its the same as cheating. Most people that try to get some random person to endorse them rather than having ISC2 endorse them most likely don't have the required experience per ISC2 so therefore trying to get around the system. You are right there is nothing that says you have to "know" the person to endorse them, but use common sense are you going to take the time and audit the person yourself, to verify their experience, you're not. Act honorably, honestly, justly, responsibly, legally and have ISC2 endorse you plain and simple. For the CISSP holders protect the profession, advise the potential candidates if they can't find someone to attest to their experience to request it from ISC2. See the bolded items.

Code of Ethics Canons:

• Protect society, the commonwealth, and the infrastructure.
• Act honorably, honestly, justly, responsibly, and legally. (Again)
• Provide diligent and competent service to principals.
• Advance and protect the profession.

JDMurray

The point of peer-endorsement to expedite the process of certifying people and to get their certification completed sooner. In the past, having only the (ISC)2 perform the endorsement checks (audits) was a bottleneck that slowed the process and people frequently complained about.

Your endorser should be someone who is familiar with your professional InfoSec work. A complete stranger would need to act like a hiring manager verifying the past 4-5 years) of your resume information, which few people have the time, skill, or desire to do (including me). In lieu of a manager of co-workers who is (ISC)2-certified, you must ask the (ISC)2 to audit you the old fashion way.

RTmarc

TBRAYS wrote: »

Most people that try to get some random person to endorse them rather than having ISC2 endorse them most likely don't have the required experience per ISC2 so therefore trying to get around the system.

Because everyone knows or works with someone that is (ISC)2 certified, right? I didn't realize they were so common that they were a dime a dozen. Additionally, you are making a broad-stroke generalization to support your point. You can no more say that most people provide false information than I can say most people don't.

You all act as if verifying someone's experience is some monumental task. The last person I endorsed is actually a member on this site. We exchanged a few email messages, I got contact information for previous employers, and it took less than a handful of quick 5 minute conversations.

TBRAYS

RTmarc wrote: »

Because everyone knows or works with someone that is (ISC)2 certified, right? I didn't realize they were so common that they were a dime a dozen. Additionally, you are making a broad-stroke generalization to support your point. You can no more say that most people provide false information than I can say most people don't.

You all act as if verifying someone's experience is some monumental task. The last person I endorsed is actually a member on this site. We exchanged a few email messages, I got contact information for previous employers, and it took less than a handful of quick 5 minute conversations.

I agree with Cyberguypr and JD

RTmarc

Who's taking anything personally? You made a generalization that most people are out to defraud the verification and endorsement phase because they attempt to reach out to random people. As I've previously stated, as long as all involved parties abide by the code of ethics and the necessary level of due diligence is completed, there is no issue with endorsing someone you don't "know".

colemic

TBRAYS wrote: »

You are right there is nothing that says you have to "know" the person to endorse them, but use common sense are you going to take the time and audit the person yourself, to verify their experience, you're not. Act honorably, honestly, justly, responsibly, legally and have ISC2 endorse you plain and simple.

Umm... yeah, I would. If someone asked me to be their endorser, I think it's worth 20-30 minutes of my time to verify their background and experience. I don't quite get why you think giving someone time to help them out is beneath you.

I firmly, firmly believe that people like you who say such nonsense to try to 'protect the certification' are the ones doing the most damage to its reputation.

TBRAYS

colemic wrote: »

Umm... yeah, I would. If someone asked me to be their endorser, I think it's worth 20-30 minutes of my time to verify their background and experience. I don't quite get why you think giving someone time to help them out is beneath you.

I firmly, firmly believe that people like you who say such nonsense to try to 'protect the certification' are the ones doing the most damage to its reputation.

I'm doing the most damage to its reputation, now that's funny!

RTmarc

JDMurray wrote: »

In lieu of a manager of co-workers who is (ISC)2-certified, you must ask the (ISC)2 to audit you the old fashion way.

or...

(take it away (ISC)2...)
Please consider finding a qualified member to endorse you by using any of the following resources: (ISC)2 MemberDirectory, ISSA chapters, LinkedIn, Facebook, and Twitter.

colemic

In the sense that you are projecting a very unfavorable image of ISC(2) as a good old boys club, where it's all about who you know, and being uber paranoid about who gets in the 'cool club' yes, I believe you are.

For some people at some locations, finding a fellow CISSP is impossible - I was on an island 3 miles long x 1/4 mile wide 2500 SW of Hawaii, and I was the 2nd CISSP on the island, the first being the DOIM. Outside of that, (at the time) I didn't even KNOW anyone else who was a CISSP.

badrottie

Any member of the (ISC)2 in good standing can endorse you. That being said, they would not be advancing and protecting the profession if they did not do due diligence.

I would gladly endorse anyone that had passed the exam and could not find an endorser, but be certain that I would ensure that the work history was accurate, unembellished and applicable. (Perhaps a comprehensive oral exam would also be good: "What is the difference between a Type I and Type II error and how it is applicable to information security.", "You are on an deserted island in the South Pacific, and you know your exact position in longitude and latitude. You have a bottle, a cork, a piece of blank paper and a pencil. You have no other equipment, but there is sufficient food and water to sustain life until you are rescued. You need to send a message to your superiors so that you can be rescued, but you do not know who will find the bottle with your message therein. Whomever finds it will deliver it to the final destination without question, but will look at the contents of the bottle, including your message but will not alter it. How will you ensure that your message will be unreadable by the courier, but still be able to be addressed to and read by the intended recipient. Please state any and all assumptions in preparing your response.", "Tell me what MAC means and describe where it is used.", etc. No one said I had to be easy )