I’m Howard A. Schmidt. Let me personally welcome you to the (ISC)2 blog.
The purpose of the (ISC)2 blog is to provide ideas and discussion on the latest information security trends from the perspective of several security veterans from around the world, including me. The goal is that we all come away more knowledgeable – or at least with another perspective on the issues – than we did before, and maybe have some fun and good discussion along the way.
My hope is that I will bring some interesting perspective through my travels around the world and from all the top security professionals I meet along the way. Obviously, as it is the (ISC)2 blog, the subject matter may often lean toward issues of professionalism but will also touch upon other issues that strike each of us bloggers as important to effective security.
We hope you are looking forward to this new endeavor as much as we are, and as always, we welcome your comments!
For my first official blog, I am going to start out with a shameless plug for certifications, mainly because I believe they are becoming even more important to the overall integrity of the world's networked infrastructure.
Last month at RSA 2008 in San Francisco, I had the honor of speaking at the Microsoft CISO Dinner at the San Francisco Museum of Modern Art. There were some 200 CISOs in attendance, and I was one of three giving a brief talk. My topic was "The ROI of Security Certification."
It has been a long road to get us to a point where information security is recognized as a part of the core day-to-day business process and not just a cost center. From all indications, security-related certifications have now come of age where they are recognized as part of the requirements as well.
Well, as we all know, there are a number of different certifications in the security field. Separating the wheat from the chaff is no easy task. There are also few hard numbers to come by that quantify the value of certification in the security industry. Without real statistics, I decided to relay some history and personal anecdotes that might explain my premise.
Ten years ago, organizations and hiring managers began to realize the importance of information security as a skill. But there was still a very small number of people with experience working in a distributed environment. As a result, hiring managers - many of whom did not have a background in security - and their HR folks began looking at a person's certifications as a differentiator in their hiring decisions.
Back then, attaining a security certification made an important statement to potential employers that an individual had sought out the knowledge, skills and abilities to defend an organization against possible breaches and could build up its defenses.
In 1998, there were roughly 2,000 CISSPs. Today, there are nearly 60,000, and the number of security certifications has grown to more than 40 vendor-neutral and more than 25 vendor-specific. Now it's up to providers of both vendor-neutral and vendor-specific security certifications to communicate their value and distinguish themselves from each other.
Stay tuned to this blog for Part 2 to hear my top 10 reasons on the business value of security certifications!
“Back then, attaining a security certification mad an important statement”
Indeed.
Posted by: Adam | 08 May 2008 at 05:37 PM
I find it very refreshing to see so many positive changes from (ISC)2 in the past few months (actually since the election); this blog seems to be the latest manifestation of this momentum.
I was actually surprised to find quite a few blog entries already, that's a good sign that this new endeavor will survive time's test.
As a member of many security organizations, I find that ISC2 is ahead of the pack when it comes to the amount of activity and growth. Keep up the good work and welcome to the blogosphere.
Christophe Veltsos, PhD, CISSP, CISA, GCFA
President, Mankato ISSA
http://www.katoinfosec.org
http://katoinfosec.blogspot.org
Posted by: Christophe Veltsos, PhD, CISSP, CISA, GCFA | 08 May 2008 at 07:58 PM
What were some of the key points of your presentation on ROI of certifications made to the CISOs?
Posted by: Ed Sale | 09 May 2008 at 08:17 AM
This is a great step in the right direction for people involved in risk, compliance and security. I am already seeing discussions that are stimulating and discussing current trends. I hope this will continue to help the practitioners in many ways.
Below are some example areas that I hope this forum will bring clarity to:
1) One impediment that security has as an obstacle in succeeding as a business is security itself and the practitioners in it. We still have a lot to learn to really 'communicate' and 'earn a seat' next to the business side of an organization. There are still many organizations that are confused about whether the CSO should report into the CIO, or should report directly to the CEO and be a peer to the CIO.
2) What is the difference between CISO and CSO?
3) How are Risk, Compliance and Security related to each other?
4) Should the security organization partner, or report into Enterprise functions including CEO, CFO, or CRO?
5) What is coming down the pike and how can an organization prepare for that? Examples include regulations, standards, etc.
Of course, there are other issues, but some of these are what I took away from the recent RSA conference I attended, as well as what I hear from fellow practitioners.
Good job!
Posted by: Prasanna Govindankutty | 11 May 2008 at 07:28 PM