Let me begin by saying that my tweet to @st0ckym4c wasn't intended to be a call to action. I'm not suggesting that anyone make this decision without carefully weighing the matter. But suppose a boycott of this kind were to materialize? What would we like to see emerge from the program's ashes?
Criticisms of the CISSP Program
First, let's set aside issues of cost-benefit and ethics of the certification program operators. These have been more than amply addressed by others. Rather, let's focus on some criticisms of the CISSP I frequently hear or read (approximations, not actual quotes):
- it doesn't measure necessary or practical skills
- the people who are certified can't fill the security position I really need to fill
- it's a tax I have to pay to compete in the job market
- it's trivial to pass even for people who've never held a job in security
Areas for Improvement
If we accept these as general areas for improvement, what should a "more practical" security certification program measure?
1) Test critical and agile thinking. If we accept the generally held opinion that hackers are clever and quick to act, then it follows that measuring how well a candidate is likely to compete against such adversaries is valuable.
2) Test for operational experience as a primary competency. Critics and advocates alike describe the CISSP as a program for security policy and decision makers. While the program does require experience in the field, one can get a CISSP without ever having held an operational role. We can't only train officers. We need superior ground forces (field experience) as well, and we need a way to distinguish these from raw recruits.
3) Test the ethics of candidates. Security practitioners ought to be able to demonstrate that they can be held to standards of ethics. We need a basis for establishing confidence not only in the skills security practitioners possess but also in their applying them appropriately.
What I want from the CISSP or any certification program is that it challenge the candidate, cover relevant subject matter, and be hard to pass.
Perhaps what we need most in certification programs is a course correction. For OpSec purposes, we have other gauges for determining baseline competency than certifications (we used to call them "breaking-in periods").
Certifying thousands of candidates with a baseline of competencies, while profitable, is like a traditional military recruiting program. You get a large number of serviceable ground troops. That's important and if this is your business, then be truthful about your focus when you promote your program.
However, if there is even a grain of truth to the claim that we are fighting elite hackers, then it's time to think about creating elites of our own. We lack a program that helps us identify exceptional talent. Perhaps it's time to develop a security professional counterpart to the US Navy SEAL indoctrination program (in intensity, education, non-physical training and commitment). Only the best survive such a program.
Imagine what the survivors could contribute.