[attrition] Are you a CISSP?
security curmudgeon
jericho at attrition.org
Mon Aug 27 13:49:54 CDT 2012
If you are, you should be aware that ISC2 board elections are coming up.
Last year, Wim Remes decided to run a petition to get his name added to
the ballot, and ultimately joined the board. He did so seeking to help
change ISC2 for the better, to begin to tackle the many criticisms leveled
against the organization, and their CISSP certification.
This year, four more people are looking to join the board. Each of them
is going through the petition process, which requires 500 signatures from
current CISSP holders. This will get their names on the ballot, where they
hope to be elected to the board to bring more change.
I have been an outspoken critic of ISC2 in the past. This includes one
published article on the Code of Ethics [1], countless Tweets, dozens of
mails to ISC2's general counsel, and more. Recently, I also did a guest
bit for a presentation on "Why You Should Not Get a CISSP" at DEFCON 20
[2]. The presentation was done by Timmay, and the most revealing part was
exposing how the CBK had barely been updated in the last 15 years.
Personally, I think the current ISC2 board is stale and needs a refresh. I
think the same people are frequently re-elected and have little motivation
to make real change within the organization. Since it is ridiculously
profitable, there may not be much incentive to do so for some of them. On
the other hand, look at what ISC2 has done in terms of community outreach
and supporting non-ISC2 security projects or initiatives. It was only a
few months ago that ISC2 finally made an appearance at BlackHat, after
Remes helped push for more public interaction from the organization.
So, if you are an active CISSP holder, consider the value of your
certification. Consider what ISC2 does, especially with the money you have
given them. Remember that with around 100,000 CISSPs, frequently obtained
by non-security people, the value of the certification is slowly
dwindling. It is NOT a measure of security knowledge; it is a punch line
to many jokes. I believe you should be concerned about this, and look to
change it. That starts with having a more active, outspoken, and driven
board.
Please read these petitions and consider alternative board members this
year:
(1) Boris Sverdlik (@JadedSecurity) [http://jadedsecurity.net/2012/08/22/isc2-bod-vote-2012/]
(2) Dave Lewis (@gattaca) [http://www.liquidmatrix.org/blog/vote-for-dave/]
(3) Chris Nickerson (@indi303) [http://change.isc4thepeople.com/]
(4) Scot Terban (@krypt3ia) [http://krypt3ia.wordpress.com/2012/08/23/isc2-board-candidacy/]
This summary of candidates and more perspective comes from Robert Graham
(@ErrataRob) and a blog post he wrote about the subject [3].
Thanks for your consideration,
- jericho
[1] http://attrition.org/security/rants/cissp_convenient_ethics/
[2] http://attrition.org/security/conferences/
[3] http://erratasec.blogspot.com/2012/08/these-guys-want-to-reform-isc2cissp.html