Today there was a good question asked on linkedin at:

http://www.linkedin.com/answers?viewQuestion=&questionID=358240&askerID=23753864&trk=advq&goback=.hom.mid_836787175

The question from James McGovern was:

What are five things that ISC2 needs to do in order to improve the credibility of the CISSP credential?

CISSP is viewed as an introductory credential that covers the surface of the ten domains. What do you think ISC2 should do to make CISSP even better?

Fees?
Transparency?
Depth?
Others?

I felt compelled to provide an answer to the question.  Unfortunately the LinkedIn comment system does not allow for more than 4000 character which was not enough for my reply.   So see my full comment below:

Good day James,

This is really a great question that should have been asked by ISC2 from their members and other people who are not members a VERY LONG time ago.  However, I am not dreaming.

ISC2 has and still is unable to communicate efficiently.  One day they are a member organization and the next day they are not.  This communication problem is not something new, it has been reported at many occasions and by many people in the past.  However, things does not seems to improve much over the years.  We will see what 2009 reserves for us.

Here are a few things that ISC2 can do to make themselves more transparent and to improve the image of the CISSP certification:

1.  START ACTING LIKE A CERTIFICATION BODY

The relation between ISC2 (the non profit side) and their training arm is dubious at best and as close as you can get to a conflict of interest without getting into one.  When any certification body becomes a training entity often time that entity will loose their focus on what is the most important which is the certification itself. 

Instead of having their sales people talk thrash about other people training offer they should start publishing a clear and transparent process on how a training institution can become a recognized training institution under ISC2 approbation process, the recognition should not be based on the fact they are using the ISC2 courseware and sharing profit with ISC2 but on a fair evaluation of the training material and an evaluation to see how it matches with the exam objectives and how well it is presented and delivered. 

Unfortunately this does not exist and this is why it makes me sad that their sales people are talking thrash about other companies training material when they know nothing about their courseware and the delivery of the material.  I am talking from a very recent experience that happened to me here.  I can challenge any of the salesman at ISC2 to get out of their cubicle and they can sit in my class, then they can judge me and my training.  Until then it does not reflect very well on them, if the only way you can sell seats in your classes is by talking trash about others, your courseware must be in dire need of updates.

EXAM AVAILABILITY

More transparency has to exists on that side as well.  It is often time VERY HARD if not IMPOSSIBLE to get an exam schedule for the students that a training institution has in their classrooms.  Even if the adequate number of students is there to justify running such an exam.  Even if there are plenty of proctors that can supervise it for free.  It does not make sense to face such rebuttal.

Denying or making access to the exam hard this way, only affect the students and the certification as a whole.  It is time to stop playing games.  Why is it possible for ISC2 to deliver exams when it is combined with their own training classes but not when it is a third party training class.  It does not make sense and I cannot see the fair reason as to why some people are getting denied access to the exam.

Lately I receive dozens of messages from people in places such as India where exams are not regularly conducted and they were telling me that the exams coming up are sold out and they must wait until next year to attempt the exam.  This is not what I call customer service. 

If the number of registration and the demand justify having a second exam room for the exam then be it.  Any other business that would act this way would loose their customers and this is what will happen if ISC2 does not start looking after their customers better.  They are the sole choice today but that could change very quickly in the near future.

THE FAMOUS COMMON BODY OF KNOWLEDGE

I have grown sick and tired over the years of hearing about the unseen CBK.  Everyone refer to it but nobody has ever seen the official version of it published as a document by ISC2. 

The current candidate information bulletin is totally useless as a tool to prepare for this exam.  Why can't I get a good guide from ISC2 that will tell the student how to prepare for this exam and what are the exam objectives they will be tested against and to what depth they will be tested.  The student need to know the details of each domains, not a few high level bullets as it is presented in the candidate bulletin. 

It is time that ISC2 start offering copies of the CBK to anyone who wishes to get a copy for free as a PDF file.  DHS has just released their EBK and they are doing the right thing.  A secret CBK has no value as far as I am concerned. 

The DHS CBK will be updated every two years.  How much changes have you seen on the CISSP CBK in the past six years ????

NOBODY should have to register and then be harassed by the sales people in order to get a copy of the CBK.  The CBK has to be publicly available to all in its entirety.  WHY do you need to force people to register for a document that should be PUBLIC anyway.  Collecting only the email address would be more than enough if you wish to let them know about updates.

I agree with keeping the master copy on the ISC2 site but it should not require registration.  The only reason that registration is used at this moment is to pass the info to their sales people which allow them to talk thrash about other being UNOFFICIAL training.  Considering there is no way to get somone courseware authorize then why are they using such tactics.  CompTIA will certified courseware from other training entities and they have a well document process to do so.  Why is ISC2 not doing the same thing.  Thinking only them can produce quality courseware for the CBK is futile at best.

In summary the CBK is in dire needs of an update.  It is time to get the OLD and OUTDATED topics that NOBODY uses today out and make room for some relevant and up to date content.  There is so much happening in security every one year that doing updates only every 3 to 4 years is not enough.

CPE

The acronym CPE has become synonymous with Continuous Payment Econosystem

CPE should not mean $$$$

CPE activities should be offered to the members as a benefit and not as money making activities.  Why can't we get online and live seminars for FREE?  Whey can't I get a conference of great quality for FREE?  If the Defcon, OWASP, and many other organizations that are MEMBER ORIENTED can do it, WHY can't ISC2 do the same?

If our organization had no money in the bank I would understand but with many millions in the bank it is time that some of this money be spent for the benefit of the members as it was gathered in the most part from the members.  A couple of years ago there was over 15 millions in the bank.  Today that number might even be higher.  What for...

I need 20 CPE per year!   WOW, what a challenge!   Half of those can be obtained by subscribing to Security Magazines.  Does this really prove my continuous education, most likely not.

The WHOLE CPE system has to be revised to add value to it, to show that the CPE submitted are in fact related to being a CISSP.  Such a system would be very complex, would require human intervention,  a random audit once in a while is not enough to keep the CPE as a valid gauge of one professional development.

WHAT METRIC DO THEY USE TO GAUGE SUCCESS

Over and over again I hear officials brag about having reach 50K members,  60K members, and even more today.  What does this number prove if we as a group don't impact the security community and influence it.

Gauging success by the total number of people who have received their certification over the past 12 months is certainly NOT a valid matric.  If I remember correctly this is how many of the well respected and valued certifications out there have lost their value. 

You need to show more than number.  You need to be look at as leaders and a community who is playing a very active role in all facets of security.

I am still waiting for an official at ISC2 to come out with some other metrics and the ability to demonstrate the impact that ISC2 has on the security community overall.  What is the support that ISC2 has provided to their membership over the past 12 months.  How they have helped "JOE the security guy" in his daily job after he became certified.

Start giving me significant metrics.

MAINTENANCE FEES

When I first got certified over ten years ago the maintenance fees were 85$ USD back then.  I could understand that with 12 CISSP's in Canada it was necessary to charge that much money to keep the site up and running, to give me acces to the web submission form for my CPE's, etc... etc...

However, today we have over 60,000 members and I do not understand why I still have to pay the same price.

Normally offer and demand will drive prices down.  Does ISC2 need to collect more than 5 Millions dollars in maintenance fees every year to give me that service today. 

The certification world is the ONLY place where I have seen price that never get affected by the offer and demand.  It is the only place where I have seen prices go up as there was more demand.  Exams that used to be $250 are now over $500.  WHY?

Considering the exams are being run by volonteers, considering the production cost per person for the exam greatly decreases as the number of exam offered increases, I fail to understand WHY it cost so much.

If really an organization was concerned about the good of the common wealth and improving security overall, they would also make all effort to ensure the certification path is accessible and affordable.

There is no need to pay that much for a certification.  If at least people were still getting a nice wood mounted plaque with their certificate on it that would justify some of the cost.  However the opposite happened, we are being charged more for less as the volume increases.

I must be in the wrong line of business....

CLEMENT WHY ARE YOU MAD?

First let me tell you that I am not mad at all,  I am writing this with an ironic smile on my face,  I am simply very disappointed to see how much energy is wasted on futility versus being used for us the members and us as a priority.

Will the points above change in the near future, I doubt it.

I think a new organization will see the light before we can turn the current organization around.

I know I am an idealistic with my sharing for free ideas but there are still people out there who REALLY believe in helping others and they also believe in doing it openly without money being their main objective.

Best regards to all

Thanks for reading my rant

Take care

Clement

P.S.  PLEASE CLICK HERE OR ON THE comments LINK BELOW TO LET US KNOW YOUR OPINION AS WELL