Do you think ISC2 is over-reaching?

GoodBishop

With all the new certifications that ISC2 is coming out with, forensics, healthcare, and next year probably cloud... do you think that they are over-stepping their boundaries? Are they trying to focus on too much?

stryder144

I don't think they are overstepping, per se. I think it is good to get into the various spaces, so long as they are engaging legit subject matter experts. If not, then yes, they may have swerved too far outside of their lane.

Chivalry1

I don't think they are over-stepping. I think there is a need for such certification as regulations are becoming stricter. Especially when it comes to the HealthCare and the ever growing concerns around privacy.

beads

As far as regulations are concerned here are a couple of quick facts:

- The US Government alone (I do not have a good stat on EU regulations yet) is publishing 2.8 regulatory changes a week.

- On average these regulations are averaging some 938 pages per week.

Source: Regulations.gov

Now, off to compile EU and Asia Pacific. Oh the pain.

- B Eads

redz

I don't think they're overreaching, honestly. I can't think of a cloud security certification accredited under ISO/IEC Standard 17024 right now. If I could name one, I would already have it.

I can't think of healthcare or privacy certifications accredited under ISO/IEC Standard 17024, either (though in fairness, I haven't looked for them; IAPP may be, I don't know).

I may disagree with a lot of what (ISC)2 does... but their new certs? Not so much.

EDIT:

stryder144 wrote: »

so long as they are engaging legit subject matter experts.

I've only been tracking the cloud security certification, but it's being developed alongside the Cloud Security Alliance (also known as "basically the only name in security-centric cloud certifications")

TBRAYS

I don't think they are over stepping it at all, if anything they are catching up. Look at Sans, they cover all branches of IT Security, from Legal to Forensics.

da_vato

I think TBRAYS made a good point, I feel they are catching up too. As long as they are utilizing subject matter experts i think (ISC)2 will maintain their posture and not devalue their status though some feel they have already done so.

beads

GoodBishop wrote: »

With all the new certifications that ISC2 is coming out with, forensics, healthcare, and next year probably cloud... do you think that they are over-stepping their boundaries? Are they trying to focus on too much?

Forensics your probably better off with EnCase or SANS. You might have a point, albeit a small one there.

Healthcare and Privacy (HCISPP) has been beaten to death on other boards but it is a unique certification and one that has a much broader international appeal than the US based/US centric certifications. This is a practitioner level exam that only makes sense if you work in the healthcare or insurance realms. If so, its very good but confuses the daylights out of people who aren't in one of the above fields. This certification, though a good not great start will go a long way to setting some real ground rules for security practitioners to follow. Because of the sheer complexity of this one area of security and the sensitivity of both the operational side and the security side. I see this one field to become its own CISSP level if not a concentration unto itself. In other words: Healthcare much like HR will probably be turned over to lawyers only before too long. Its becoming that complex.

Cloud? Outside of CSA, its the wild west and needs to be reigned in for its own good. Hardly a stretch to see the (ISC)2 to get involved and start to set some legitimate boundaries here. This is long overdue. HIPAA compliance alone is causing way to much confusion from a GRC and security standpoint. If anything this certification is well past due. Current problem being the Omnibus rule and establishing who owns what in the cloud. Answer being you still own both sides of the problem but with a partner who can't take any blame, legally. Blame the lawyers not the (ISC)2 for this delay. At this point in time cloud + security is its own oxymoron and should be treated as such.

- B Eads

paul78

Interesting question...

I am not really surprised to see ISC2 try to expand beyond its comfort-zone. The organization has probably reached a plateau in revenue generation. And I suspect that to find new revenue sources, ISC2 will have to expand their programs.

Do I think ISC2's plans is good? As a member, I would prefer that they stick with the focus on broad but relevant high-value niche of developing highly competent security professionals. The expansion and changes in certification process dilutes it's value IMO. At a recent event, a few industry colleagues had joked that the CISSP was being given out like chotskies at the trade-show.

beads

paul78, have agree with the (ISC)2 argument but also seeing the organization as falling victim to their own marketing success. Take the HCISPP, international in flavor but less security and more healthcare and privacy orientated in nature. I may have had one security related question in 125 on the test itself.

Agree the CISSP is being handed out like swag at a tradeshow but that's due to the CBT being so much more accessible than having to show up at a hotel on a weekend to take the exam. Again, victimized by its own success.

- B Eads

redz

Like cookies and OJ at a blood drive.

JDMurray

paul78 wrote: »

At a recent event, a few industry colleagues had joked that the CISSP was being given out like chotskies at the trade-show.

With nearly three times as many Security+ certs in circulation as CISSPs I'd say that joking is a bit off target.

The rate of CISSP certification seems to have actually slowed quite a bit. At the beginning of 2013 it looked like there would be 100K+ CISSPs by year's end, but with a few weeks to go there now only just over 90K. Maybe the SSCP will hit 1600 certificants by 12/31 (*ouch*).

paul78

Hah - too true. I suspect we discount Comptia certs too easily. Interesting tidbit about the rates - that may explain the plethora of new certs as a way to increase revenue with new product.

beads

The SSCP should be marketed to be a bit more valuable than it currently is, that much I will give you. Right now it appears to be more of a consolation prize like some sort of "lady in waiting" type of thing. I see it as a much more honorable way to go than the "just make something up..." types that go straight to the CISSP without the five year apprenticeship/experience in the field.

- B Eads (For those who are confused: First initial, Last Name).