I’m Howard A. Schmidt. Let me personally welcome you to the (ISC)2 blog.
The purpose of the (ISC)2 blog is to provide ideas and discussion on the latest information security trends from the perspective of several security veterans from around the world, including me. The goal is that we all come away more knowledgeable – or at least with another perspective on the issues – than we did before, and maybe have some fun and good discussion along the way.
My hope is that I will bring some interesting perspective through my travels around the world and from all the top security professionals I meet along the way. Obviously, as it is the (ISC)2 blog, the subject matter may often lean toward issues of professionalism but will also touch upon other issues that strike each of us bloggers as important to effective security.
We hope you are looking forward to this new endeavor as much as we are, and as always, we welcome your comments!
For my first official blog, I am going to start out with a shameless plug for certifications, mainly because I believe they are becoming even more important to the overall integrity of the world's networked infrastructure.
Last month at RSA 2008 in San Francisco, I had the honor of speaking at the Microsoft CISO Dinner at the San Francisco Museum of Modern Art. There were some 200 CISOs in attendance, and I was one of three giving a brief talk. My topic was "The ROI of Security Certification."
It has been a long road to get us to a point where information security is recognized as a part of the core day-to-day business process and not just a cost center. From all indications, security-related certifications have now come of age where they are recognized as part of the requirements as well.
Well, as we all know, there are a number of different certifications in the security field. Separating the wheat from the chaff is no easy task. There are also few hard numbers to come by that quantify the value of certification in the security industry. Without real statistics, I decided to relay some history and personal anecdotes that might explain my premise.
Ten years ago, organizations and hiring managers began to realize the importance of information security as a skill. But there was still a very small number of people with experience working in a distributed environment. As a result, hiring managers - many of whom did not have a background in security - and their HR folks began looking at a person's certifications as a differentiator in their employment decisions.
Back then, attaining a security certification made an important statement to potential employers that an individual had sought out the knowledge, skills and abilities to defend an organization against possible breaches and could build up its defenses.
In 1998, there were roughly 2,000 CISSPs. Today, there are nearly 60,000, and the number of security certifications has grown to more than 40 vendor-neutral and more than 25 vendor-specific. Now it's up to providers of both vendor-neutral and vendor-specific security certifications to communicate their value and distinguish themselves from each other.
Stay tuned to this blog for Part 2 to hear my top 10 reasons on the business value of security certifications!