<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Trehb101.com - Got Geek?</title>
	<atom:link href="http://www.trehb101.com/index.php/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.trehb101.com</link>
	<description>Information Security : Technology : Project Management : Life</description>
	<lastBuildDate>Thu, 31 Mar 2011 22:23:44 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8.6</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>What we are up against&#8230;</title>
		<link>http://www.trehb101.com/index.php/2011/03/31/what-we-are-up-against/</link>
		<comments>http://www.trehb101.com/index.php/2011/03/31/what-we-are-up-against/#comments</comments>
		<pubDate>Thu, 31 Mar 2011 22:23:44 +0000</pubDate>
		<dc:creator>TheDon</dc:creator>
				<category><![CDATA[Information Security]]></category>
		<category><![CDATA[Information Systems]]></category>
		<category><![CDATA[insider threat]]></category>
		<category><![CDATA[risks]]></category>
		<category><![CDATA[Threats]]></category>
		<category><![CDATA[Vulnerabilities]]></category>

		<guid isPermaLink="false">http://www.trehb101.com/?p=777</guid>
		<description><![CDATA[There is much ballyhoo about the importance of information security to an organization. There is significant focus on the threats posed by hackers, intruders, cyber-terrorists, foreign actors, viruses, Trojan horses, spyware, etc. to the information held by a particular organization. Laws have been enacted to ensure that these actors, if caught, will face significant punishment, and organizations spend millions of dollars to ensure that their systems and infrastructure are hardened against this threat. I received an e-mail this morning that somehow reminded me of an often overlooked threat and arguably the greatest single source of risk to organizations. ]]></description>
			<content:encoded><![CDATA[<p>There is much ballyhoo about the importance of information security to an organization. There is significant focus on the threats posed by hackers, intruders, cyber-terrorists, foreign actors, viruses, Trojan horses, spyware, etc. to the information held by a particular organization. Laws have been enacted to ensure that these actors, if caught, will face significant punishment, and organizations spend millions of dollars to ensure that their systems and infrastructure are hardened against this threat.<span id="more-777"></span></p>
<p>I received an e-mail this morning that somehow reminded me of an often overlooked threat and arguably the greatest single source of risk to organizations. First off, I need to put the e-mail in context: I perform risk assessments and write security plans documenting the operational risks associated with a particular resource (application, system, infrastructure, facility, vendor, etc.) utilized by the organization. To do my job I need to interview stakeholders and do discovery on the overall posture of the resource. Because this is a large organization, discovery meetings are done via conference calls, and I typically schedule them in advance, requesting that stakeholders and subject matter experts participate.</p>
<p>In one invite that I sent, I received this not-so-polite reply. Again, the organization that I work for has hundreds of thousands of employees, so I don’t know this individual, and all I know about him is that we work for the same company. Anyway, he said (partially edited to remove proprietary/confidential info):</p>
<blockquote><p><em>Why can’t we do this now?  I have a need to use this and am wondering why we even need a security plan as other groups are using this software inside the organization today, without security plans.</em></p></blockquote>
<p>The first statement is really inconsequential, since I scheduled the meeting a few weeks out as a common courtesy to give them time to prepare. By the same token, it made me want to say: “The world doesn’t revolve around you, Sparky. You have commitments, but so do I.”</p>
<p>The second statement is really the focus here. I was tempted to reply with my standard reply to my kids when they are about to do something dumb: “If the other groups jump off a cliff, will you jump, too?” In both cases, I decided not to stoop to that level, to be the better man, and instead gave him a “professorly” reply on the importance of security and risk assessments.</p>
<p>All that said, back to the purpose of this blog entry. That comment reminded me of a particular threat to information security that is sometimes forgotten or ignored: the threat of an insider. When the insider threat does come into the conversation, the typical discussion points are the bad seeds in the organization, the ones with an ax to grind or the ones that are just malicious. We often ignore those with a higher likelihood of creating a serious vulnerability for the organization because of:</p>
<ul>
<li>Ignorance</li>
<li>Apathy</li>
<li>Self-importance</li>
<li>Complacency</li>
<li>Laziness</li>
<li>Plain stupidity</li>
</ul>
<p>Not knowing this person, and based only on the e-mail, I essentially pre-qualified him as having three of the six items I mentioned above. The information is not enough to qualify him as complacent, lazy or stupid. But there is a good chance that he is ignorant of the security policies of the organization, not to mention the liabilities and risks it faces for failing to maintain a sound security posture. He is probably apathetic to the overall security requirement, because “really, this application is so small; it can never happen to me.” And finally, he sounded so self-important, because he thinks his need to use the software outweighs the need to first assess the risk the software brings upon the organization.</p>
<p>You may also argue that he is just plain stupid to assume that, just because others are getting away with something, he should be able to get away with it, too. I would not go that far, but I would not argue with you either ;-).</p>
<p>This is essentially what we are up against as security professionals. Technology, processes, policies and our technical skills can only go so far in ensuring the security of the organization that we are protecting. The weakest link remains the people inside that organization. It behooves us, as security professionals, to go beyond the technical skills and know-how and learn to effectively communicate with and educate our co-workers on the importance of security and on understanding the risks.</p>
<p>Oftentimes security is seen as just a roadblock to progress. As security professionals, we need to learn the politics of the organization, understand its business goals and effectively communicate to stakeholders that security in fact enhances the competitiveness and viability of the organization. By helping educate stakeholders, security professionals can develop partnerships in security that can prove invaluable, not only in ensuring that insider threats are mitigated, but also in helping protect the organization from external threats.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.trehb101.com/index.php/2011/03/31/what-we-are-up-against/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Why Information Security: D-UH!</title>
		<link>http://www.trehb101.com/index.php/2011/02/08/why-information-security-d-uh/</link>
		<comments>http://www.trehb101.com/index.php/2011/02/08/why-information-security-d-uh/#comments</comments>
		<pubDate>Tue, 08 Feb 2011 23:46:24 +0000</pubDate>
		<dc:creator>TheDon</dc:creator>
				<category><![CDATA[Information Security]]></category>
		<category><![CDATA[Information Systems]]></category>
		<category><![CDATA[Availability]]></category>
		<category><![CDATA[CIA]]></category>
		<category><![CDATA[Confidentiality]]></category>
		<category><![CDATA[facebook]]></category>
		<category><![CDATA[Integrity]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[Why information security]]></category>
		<category><![CDATA[wikileaks]]></category>

		<guid isPermaLink="false">http://www.trehb101.com/?p=775</guid>
		<description><![CDATA[I almost always feel like saying “D-uh!” every time I see a heading for an article or book topic that says “Why information security” or “Why Security”. I feel that it is almost as nonsensical a question as “why do I need to breathe?” However, stepping back and looking at the big picture, that is really a wrong assumption. It is almost an internal bias, akin to my being surprised at meeting someone who still doesn’t have e-mail or a broadband connection. It boggles my mind that in this day and age of information security exploits and regulatory liabilities, I still meet programmers and developers who continue to spit out commercial products filled with so many holes that a 13-year-old script kiddie can easily slice through them as if they were Swiss cheese.
]]></description>
			<content:encoded><![CDATA[<p>I almost always feel like saying “D-uh!” every time I see a heading for an article or book topic that says “Why information security” or “Why Security”. I feel that it is almost as nonsensical a question as “why do I need to breathe?” However, stepping back and looking at the big picture, that is really a wrong assumption. It is almost an internal bias, akin to my being surprised at meeting someone who still doesn’t have e-mail or a broadband connection. It boggles my mind that in this day and age of information security exploits and regulatory liabilities, I still meet programmers and developers who continue to spit out commercial products filled with so many holes that a 13-year-old script kiddie can easily slice through them as if they were Swiss cheese.</p>
<p>That being said, the nature of my profession makes me a little bit more attuned to information security issues than perhaps the next guy (maybe not the guys sitting right next to me as I write this, considering that they do the same work as I do, but perhaps the next guy in the mall or something), and whether I like it or not it becomes part of my nature. To me, thinking about threats, vulnerabilities and risks is about as natural as breathing. This, however, is not true of the majority of digital innovators and users out there.<span id="more-775"></span></p>
<p>Security often takes a back seat behind functionality and ease of use. Oftentimes the key decision points on the marketability of a product rely upon the functionality and ease of use of that particular product. How secure that product is (unless it is, of course, a security product) is often an afterthought. Market forces demand this, and the bad guys know it. Facebook, for example, did not become famous because it assured its users of their privacy or that their accounts were secure; it became the leading social network on the Internet because of all the functionality it offers and how easy it is to use.</p>
<p>You can imagine these three key facets, security, functionality and ease of use, in the form of a triangle wherein each facet represents a corner. Now imagine placing an imaginary ball inside that triangle: as you move the ball closer to one corner, the farther it gets from the other two. What this essentially means is that the more you focus on security, for example, the more you will often sacrifice functionality and ease of use, and likewise you sacrifice security if you focus on either of the other two.</p>
<p>In essence, security is inversely proportional to functionality and ease of use. More often than not there is a tendency to sacrifice security in favor of either of the other two facets, even though in the back of our heads we know there could be potential trouble. What that potential trouble could be is often pretty hard to see or decipher, and hence we assume that it is worth the risk.</p>
<p>So after that long intro, let’s get back to the meat of this topic. So really, “Why Information Security?” (The security guy in me just yelled out “D-uh!”, but I’ll ignore him.)</p>
<p>There are obviously a multitude of answers to this question. I can imagine that even your everyday non-infosec person can probably list a good number of reasons, so I won’t dwell on each of them with specificity, but rather I’ll try to present it abstractly in the context of what security professionals call the Information Security Triad, or the three key elements of information security: Confidentiality, Integrity and Availability, also known as the CIA of security.</p>
<p>Not that you couldn’t simply Google the definitions of these three, but I’ll be the good blogger and define them for you; besides, it helps build this blog’s keyword ranking, or so I hope:</p>
<ul>
<li>Confidentiality
<ul>
<li>According to the International Organization for Standardization (ISO) in ISO-17799, which you could technically call the InfoSec bible, confidentiality is defined as “ensuring that information is accessible only to those authorized to have access.” In other words, keeping your secret a secret and not ending up on Wikileaks or something to that effect.</li>
</ul>
</li>
<li>Integrity
<ul>
<li>According to the Virginia Tech website, integrity is concerned with protection against unauthorized modification or destruction of information: a state in which information has remained unaltered from the point it was produced by a source, during transmission and storage, and through eventual receipt by the destination. In the simplest of terms, imagine a poster of a famous politician, and a vandal came in and drew a Pancho Villa mustache on the image. Now imagine a hacker having the ability to change a message. Julian Assange sends an e-mail to the President, “I would like to surrender.” Instead, the President receives, “I think you look good in suspenders.” Not cool.</li>
</ul>
</li>
<li>Availability
<ul>
<li>In the simplest of terms, it is primarily concerned with ensuring that information is available to those who need access to the information and are allowed to access it. Imagine wanting to check your credit card balance or wanting to pay your credit card bill online before you get dinged by interest and late fees, only to realize that the site is down because it was targeted by Wikileaks supporters for a denial-of-service attack.</li>
</ul>
</li>
</ul>
<p>I have mentioned Wikileaks several times above because the recent news about this organization presents a really good case study for answering the question of “Why Information Security”.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.trehb101.com/index.php/2011/02/08/why-information-security-d-uh/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>From the Geek Mail: Facebook Pushes the Privacy Envelope with Data Sharing</title>
		<link>http://www.trehb101.com/index.php/2011/02/08/from-the-geek-mail-facebook-pushes-the-privacy-envelope-with-data-sharing/</link>
		<comments>http://www.trehb101.com/index.php/2011/02/08/from-the-geek-mail-facebook-pushes-the-privacy-envelope-with-data-sharing/#comments</comments>
		<pubDate>Tue, 08 Feb 2011 23:09:00 +0000</pubDate>
		<dc:creator>TheDon</dc:creator>
				<category><![CDATA[Geek Mail]]></category>
		<category><![CDATA[Information Security]]></category>
		<category><![CDATA[congress]]></category>
		<category><![CDATA[facebook]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.trehb101.com/?p=773</guid>
		<description><![CDATA[Score one more for Facebook's "act first, apologize later" strategy. [W]e are making changes to help ensure you only share this information when you intend to do so. ... We look forward to re-enabling this improved feature in the next few weeks. But how much information did the developers get in those three days? And why does Facebook want to give it to them anyway?
]]></description>
			<content:encoded><![CDATA[<p>by <a href="http://www.itbusinessedge.com/cm/blogs/bentley/facebook-pushes-the-privacy-envelope-with-data-sharing/?cs=45439&amp;utm_source=itbe&amp;utm_medium=email&amp;utm_campaign=dye&amp;nr=dye">Lora Bentley</a></p>
<p>Score one more for Facebook&#8217;s &#8220;act first, apologize later&#8221; strategy.</p>
<p>Last month the company announced it would make user information – including phone numbers – available to application developers. But they wouldn&#8217;t get access to the data until after they got express permission &#8220;through the usual permission dialogues,&#8221; according to the INQUIRER.</p>
<p>After only three days, however, Facebook suspended the program, indicating it had received feedback that users weren&#8217;t exactly clear on when they would and would not be giving up access to their information, even with the standard permissions dialogue boxes. At the time, Facebook said:<span id="more-773"></span></p>
<blockquote><p>[W]e are making changes to help ensure you only share this information when you intend to do so. &#8230; We look forward to re-enabling this improved feature in the next few weeks.</p></blockquote>
<p>But how much information did the developers get in those three days? And why does Facebook want to give it to them anyway?</p>
<p>These are among the questions that the House of Representatives Privacy Caucus wants answered, PCWorld.com reports. Reps. Edward Markey (D-Mass.) and Joe Barton (R-Texas), who co-chair the caucus, wrote a letter to CEO Mark Zuckerberg asking for &#8220;specifics&#8221;: How was the information to be shared? How was the program vetted? Why did Facebook decide to suspend the program?</p>
<p><a href="http://www.itbusinessedge.com/cm/blogs/bentley/facebook-pushes-the-privacy-envelope-with-data-sharing/?cs=45439&amp;utm_source=itbe&amp;utm_medium=email&amp;utm_campaign=dye&amp;nr=dye">Read entire article.</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.trehb101.com/index.php/2011/02/08/from-the-geek-mail-facebook-pushes-the-privacy-envelope-with-data-sharing/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>From the Geek Mail: 2011 Top Tech Jobs</title>
		<link>http://www.trehb101.com/index.php/2011/02/01/from-the-geek-mail-2011-top-tech-jobs/</link>
		<comments>http://www.trehb101.com/index.php/2011/02/01/from-the-geek-mail-2011-top-tech-jobs/#comments</comments>
		<pubDate>Tue, 01 Feb 2011 21:05:44 +0000</pubDate>
		<dc:creator>TheDon</dc:creator>
				<category><![CDATA[Geek Mail]]></category>
		<category><![CDATA[Information Security]]></category>
		<category><![CDATA[Information Systems]]></category>
		<category><![CDATA[Information Technology]]></category>
		<category><![CDATA[Project Management]]></category>
		<category><![CDATA[hiring statistics]]></category>
		<category><![CDATA[IT jobs]]></category>
		<category><![CDATA[salary]]></category>
		<category><![CDATA[tech jobs]]></category>

		<guid isPermaLink="false">http://www.trehb101.com/?p=770</guid>
		<description><![CDATA[Received from: Daily Edge at IT Business Edge
CyberCoders, a worldwide recruiting firm, has analyzed hiring statistics from a pool of more than 12,000 CyberCoders job listings to determine the top 10 tech jobs for 2011 — focusing on which job types offer the most open positions, career growth and compensation. CyberCoders finds that technical candidates [...]]]></description>
			<content:encoded><![CDATA[<p>Received from: <a href="http://www.itbusinessedge.com/">Daily Edge at IT Business Edge</a></p>
<p>CyberCoders, a worldwide recruiting firm, has analyzed hiring statistics from a pool of more than 12,000 CyberCoders job listings to determine the top 10 tech jobs for 2011 — focusing on which job types offer the most open positions, career growth and compensation. CyberCoders finds that technical candidates often make more, are in higher demand, and have a better chance for career growth versus candidates who apply for marketing or health care positions.</p>
<p>Matt Miller, Chief Technology Officer of CyberCoders, says, “There is a resurgence of companies hiring tech candidates caused in part by industries which need to automate their business systems.” Miller says, “Automating business systems often results in an increased need for software engineers and technical specialty positions, especially among start-ups.” At the beginning of 2011, CyberCoders had more than 1,400 available positions in technology, up 196 percent from the previous year.<span id="more-770"></span></p>
<p>The slideshow highlights CyberCoders&#8217; top 10 technical positions for 2011 ranked by salary.</p>
<p><a href="http://www.itbusinessedge.com/slideshows/show.aspx?c=86674&amp;utm_source=itbe&amp;utm_medium=email&amp;utm_campaign=dye&amp;nr=dye">CLICK HERE TO VIEW SLIDESHOW</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.trehb101.com/index.php/2011/02/01/from-the-geek-mail-2011-top-tech-jobs/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Information Security Management in the Wild Wide Web</title>
		<link>http://www.trehb101.com/index.php/2011/01/19/information-security-management-in-the-wild-wide-web/</link>
		<comments>http://www.trehb101.com/index.php/2011/01/19/information-security-management-in-the-wild-wide-web/#comments</comments>
		<pubDate>Thu, 20 Jan 2011 00:07:50 +0000</pubDate>
		<dc:creator>TheDon</dc:creator>
				<category><![CDATA[Information Security]]></category>
		<category><![CDATA[Information Systems]]></category>
		<category><![CDATA[Information Technology]]></category>
		<category><![CDATA[facebook]]></category>
		<category><![CDATA[governance]]></category>
		<category><![CDATA[incident management]]></category>
		<category><![CDATA[information security management]]></category>
		<category><![CDATA[iPhone]]></category>
		<category><![CDATA[risk management]]></category>
		<category><![CDATA[social media]]></category>
		<category><![CDATA[Web 2.0]]></category>

		<guid isPermaLink="false">http://www.trehb101.com/?p=766</guid>
		<description><![CDATA[Back in 2004, I prefaced a thesis that I wrote by stating how our global connectivity has drastically changed the way we live and do business. The technology advances, I noted, particularly the improvement in personal computing, had been so profound that they have revolutionized our culture, education, commerce [...]]]></description>
			<content:encoded><![CDATA[<p>Back in 2004, I prefaced a thesis that I wrote by stating how our global connectivity has drastically changed the way we live and do business. The technology advances, I noted, particularly the improvement in personal computing, had been so profound that they have revolutionized our culture, education, commerce and the global economy, opening all of us to new horizons and new opportunities. Because of these advancements, useful data that can make or break a business transaction, or data that can save lives, now travels widely and quickly. We have all become very dependent on technology and the convenience that it provides to all of us.</p>
<p>I then added that the gift of interconnectivity does not come for free; it has opened all of us to threats to our privacy, identity, intellectual property and other confidential information that our society never had to face before.<span id="more-766"></span></p>
<p>That thesis was written when Web 2.0 and social media were still in their infancy. It was before the age of Facebook and the iPhone. The best technology available for remote access to your workplace was an unstable Virtual Private Network (VPN) connection. The cloud computing concept was still pretty much just a concept. And finally, even in the heart of Silicon Valley, I still knew people who had dial-up connections because neither DSL nor cable Internet was available in their neighborhood. It seems like ages ago. However, those statements still ring true, and I would dare say more profoundly, today than in the early part of the decade.</p>
<p>Fast forward to the present: my mom just demoed her new Droid-powered smartphone and her video phone to me, and she essentially knows more about Facebook features than I do. It would be quite rare to meet someone who is still using dial-up (unless that person, of course, lives somewhere in the far reaches of the galaxy or maybe somewhere very remote). On one of my trips from the Bay Area to San Diego, I met someone who works for Google, and she bedazzled me with all the work she can do through the cloud. No VPN, no remote access software, just an Internet connection and the cloud.</p>
<p>Within the past half-decade we have borne witness to the evolution of technology’s usability and also the tech savviness of the end user. To paraphrase one of my former instructors, “technology is ready for the mass market once it becomes as easy as making a phone call.” Facebook, the iPhone, the video phone, cloud computing and the like, no matter how complex they are in the back end, have made computing essentially as easy as dialing a telephone.</p>
<p>These innovations, with all the benefits and promise they provide to individuals and businesses, also make the task of ensuring the confidentiality, integrity and availability of information a little bit more of a doozy than it was in 2004. Social media; portable mass storage present in outwardly benign devices such as smartphones, USB flash drives, digital cameras and even digital photo frames; and the availability of mass storage (often free) on the web present a clear challenge for businesses to ensure the security of the information they are responsible for.</p>
<p>Technology alone cannot provide the answer to the dilemma brought upon us by these new technologies. Every security professional, and common sense, should attest to the simple fact that there is no silver bullet for information security. To effectively address the ever-evolving threat presented by an ever-changing and extensively complex digital world, businesses of all sizes must be able to adapt and effectively ensure the security of the information within their organization. Smart businesses understand that there is a need to develop an information security management strategy that focuses on the development, delivery, implementation and enforcement of a comprehensive information security program.</p>
<p>Effective information security goes beyond the boundaries of technology solutions; businesses, and specifically information security managers, face a daunting, yet highly achievable, task of developing, implementing and maintaining an information security program that is both systematic and aligned with the organization’s overall business objectives. This involves an extensive understanding that effective information security management will greatly involve a synergized integration of people, policy, process and technology.</p>
<p>An effective information security management strategy will typically involve understanding and accomplishing key tasks within five key functional areas:</p>
<ul>
<li>Information Security Governance</li>
<li>Risk Management Strategy</li>
<li>Development of Information Security Program</li>
<li>Management of the Information Security Program</li>
<li>Incident Management and Response Strategy</li>
</ul>
<p>Overall, an information security management strategy will need to address the various threats faced by an organization with regard to its security posture and how it protects information. In addition to addressing the obvious ones such as malware or malicious intrusions, it must also concern itself with non-technical threats such as legal liabilities and compliance issues. The organization must develop an information security program that is cost-effective and based on an effective assessment of the risks faced by the organization, and finally it must be able to develop a plan that will ensure effective response in the event of an incident or a disaster.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.trehb101.com/index.php/2011/01/19/information-security-management-in-the-wild-wide-web/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Simple Math: Maybe the Difference in your Cert Exam Pass/Fail Chances</title>
		<link>http://www.trehb101.com/index.php/2011/01/13/simple-math-maybe-the-difference-in-your-cert-exam-passfail-chances/</link>
		<comments>http://www.trehb101.com/index.php/2011/01/13/simple-math-maybe-the-difference-in-your-cert-exam-passfail-chances/#comments</comments>
		<pubDate>Thu, 13 Jan 2011 18:21:18 +0000</pubDate>
		<dc:creator>TheDon</dc:creator>
				<category><![CDATA[Information Security]]></category>
		<category><![CDATA[Information Systems]]></category>
		<category><![CDATA[Information Technology]]></category>
		<category><![CDATA[Project Management]]></category>
		<category><![CDATA[Certification]]></category>
		<category><![CDATA[CISSP]]></category>
		<category><![CDATA[Exam]]></category>
		<category><![CDATA[math]]></category>
		<category><![CDATA[Passing]]></category>
		<category><![CDATA[PMP]]></category>
		<category><![CDATA[probability]]></category>

		<guid isPermaLink="false">http://www.trehb101.com/?p=764</guid>
<description><![CDATA[By the time the exam is all over, you are so bewildered that you wonder if someone got the license plate of the truck that hit you. You have no idea if you passed or failed, and you wonder what you did wrong and whether you actually did enough. I have observed that often the key reason a person fails an exam is not that he or she did not know the material, but rather that he or she simply lost focus because of the stress and sometimes panicked over the confusion brought about by how the questions in the exam were framed.
]]></description>
			<content:encoded><![CDATA[<p>Picture this. You locked yourself up in a room for two months or so with no social interaction. You’ve excommunicated your family for that time period. You even missed the Super Bowl and the birth of your first child (okay, maybe a little too dramatic; I know you would not dare miss the Super Bowl). In any case, you did all this because you have a goal. You wanted to be certified. You studied and studied. You read the book cover to cover. You paid top money for a class. You joined study groups. You took countless practice exams and even bought several brain dump resources for good measure. You studied &#8217;til the cows came home.</p>
<p>On the day of the exam you were as confident as a porcupine with extended quills (imagine that <img src='http://www.trehb101.com/wp-includes/images/smilies/icon_wink.gif' alt=';-)' class='wp-smiley' /> …). You know in your heart you’ve done what you could. You are anxious. You are ready. Then here comes the first question. You think to yourself, “WTF is this? I don’t remember reading about this.” Then the next question is so vague you wonder if it was actually written in English. The third question seems to have two right answers instead of one. The fourth is no easier. By the fifth question, all that confidence has gone down the toilet and by the sixth you are in a near panic.<span id="more-764"></span>By the time the exam is all over, you are so bewildered that you wonder if someone got the license plate of the truck that hit you. You have no idea if you passed or failed, and you wonder what you did wrong and whether you actually did enough. I have observed that often the key reason a person fails an exam is not that he or she did not know the material, but rather that he or she simply lost focus because of the stress and sometimes panicked over the confusion brought about by how the questions in the exam were framed.</p>
<p>If you’ve gone through a similar painful situation, or are worried that you may go through the situation I have described above when you take a cert exam, I’d like to share a simple secret that I always take with me whenever I take an exam. It all comes down to simple math.</p>
<p>Let’s look at the PMP exam requirement as an example:</p>
<blockquote><p>“The PMP® exam is a 4-hour multiple choice exam. In these 4 hours, you are going to have to answer 200 questions. Each question is either scenario based or knowledge based and has 4 possible answers &#8211; A, B, C or D. You can only select one answer.</p>
<p>Out of these 200 questions, 25 are considered &#8220;pretest questions&#8221;. These pretest questions do not affect your score. The PMI uses them as an effective and legitimate way for testing the questions. In other words: new questions for the exam are first tried out in this way, to see how well they work. The pretest questions are randomly placed throughout the exam.</p>
<p>So you start out with 200 questions minus the 25 pretest questions which leaves 175 questions. Out of these, you must answer 106 correctly. That is 61%.” (Source: <a href="http://forum.kadonk.com/index.php?showtopic=43" onclick="pageTracker._trackPageview('/outgoing/forum.kadonk.com/index.php?showtopic=43&amp;referer=');">What is the PMP Exam Passing Score?</a>)</p></blockquote>
<p>So we know that out of 200 questions only 175 matter, and to pass we only need to answer 106 of those 175 correctly. However, there is a wildcard here: we have no idea which 25 questions are the pretest ones. Those are 25 questions that we may answer correctly but that don’t count toward the score. It would really suck if one of the 106 questions that you answered correctly turned out to be a pretest question, leaving your actual score at 105, which means you fail.</p>
<p>So to negate the pretest factor, we should set our goal to 106 + 25 = 131. In other words, to be confident that we actually passed the exam, we need a “buffer” of 25 questions: even if every pretest question landed among our correct answers, 131 correct still leaves 106 scored ones. So in reality the surefire way to pass the exam is to get 65.5% of the 200 questions, rather than 61% of the 175 questions. In the grand scheme of things it is not really a big jump. We will look at probability in a different context in a little bit. But for now, we’ve established that our passing goal is 65.5%.</p>
<blockquote><p>Just FYI Formula: 131 / 200 = .655 or 65.5%</p></blockquote>
<p>We also know that we have 4 hours to complete a 200-question exam. That gives you 1.2 minutes per question. Believe it or not, this is actually pretty long. I would recommend targeting a maximum of 1 minute per question. This leaves an extra 40 minutes to review your answers (that is, if after following the steps below you still feel like doing a review).</p>
<p>Now that we know our passing goal and our time-per-question ratio, we are really prepared to take the exam. Most exams will allow you to have a blank sheet of paper and a pencil to use as scratch paper. Make sure that you get them. You will need them. Also, most cert exams allow you to mark the questions that you would like to go back to for a variety of reasons, including, but not limited to:</p>
<ul>
<li>You are not sure of your answer</li>
<li>You don’t know the answer</li>
</ul>
<p>As I mentioned, there are a variety of reasons why you would want to mark a question, but the two reasons above are the only two that we will concern ourselves with.</p>
<p>This is where the next step of our technique comes in. On your scratch paper, set up two columns. One column is where you will write the numbers of the questions you are not sure of your answer to. The other column is where you will write the numbers of the questions you don’t know the answer to.</p>
<p>Third step: start answering the questions, keeping in mind your time constraint of 1 minute maximum per question. You don’t have to distract yourself by counting every second on the clock. Just have a feel for it and keep it in the back of your mind. Once you run into a question that you are not sure of, pick the one that you think is the best answer. Then write the question number in the appropriate column. Do the same for questions that you don’t know the answer to. DO NOT SKIP A QUESTION. Pick an answer and move on. Just make sure you note that question number.</p>
<p>Once you’ve finished all the questions and stayed true to the self-imposed time constraint (in our case one minute per question), you should have plenty of time for the 4<sup>th</sup> step. Count the number of questions that you were not sure of and the number of questions that you did not know the answer to. If the two counts add up to 69 or fewer (200 questions minus our 131 goal, based on our PMP example), then I would highly recommend: STOP!!! Stop pulling your hair out, you are done.</p>
<p>But just for giggles, let’s assume that it is a little bit more complicated than that. Somehow, you marked even the questions that you had only a sliver of doubt about. Continuing with our example, the numbers came out as follows:</p>
<ul>
<li>Not sure: 60</li>
<li>Don’t know: 25</li>
</ul>
<p>Do you start the sweat pumps and go through each “Not sure” question again? I say, hold your horses, mate! Let’s do some math, probability to be exact. First, throw away the 25 “Don’t know” questions. Assume you have the luck of a possum crossing the I-5 Freeway in the middle of rush hour in Los Angeles: there is no way you got lucky on any of the 25 guesses you made in the “Don’t know” column.</p>
<p>You have 115 answers that you are pretty sure of. If you go with the 106 mark originally suggested as the passing score out of the 175 non-pretest questions, you’ve already passed. But since you’ve set a higher goal of 131 to get a surefire, no-way-you-can-fail score, you need 16 more correct answers. 16 is 27% of 60. With this info, ask yourself this:</p>
<ol>
<li>What are the chances of me missing more than 73% (45 or more) of the 60 questions in the “Not sure” column?</li>
<li>What are the chances of 10 or more of the pre-test questions being in the 115 answers that I am pretty sure of?</li>
</ol>
<p>The answer to question two is actually hard to know and it is a gamble. However, it is offset by your answer to question one. Question one is really a gut check. It’s not exact math or science, but it’s all about probability with margins of error. In the end, you will know the answer to this. So it goes without saying that if the answer to both 1 and 2 is “pretty low chance,” take a deep breath, stretch and submit your answers. In the case of the PMP or other computer-based certs you will know the results immediately. In the case of scantron-based exams such as the CISSP, you will not know the results immediately, but you will be confident that there is a very high probability that you’ve passed.</p>
<p>I have used this technique in all the cert exams that I have taken and the results were obviously great. I also used this in taking college exams, although slightly adjusted based on the target score that I wanted beyond what is required to pass. Obviously, college exams are not simply pass/fail as cert exams are, so I had to tweak my goals to ensure that I got the best score possible.</p>
<p>In summary, here are the steps of using math and probability to help you pass the exam:</p>
<ol>
<li>Know your “true” passing goal and time/question ratio</li>
<li>Set up two columns on your scratch paper: “Not sure” and “Don’t know”</li>
<li>Answer the questions. Mark columns with question numbers as appropriate. DO NOT SKIP A QUESTION. Even if you don’t know the answer, make your best guess.</li>
<li>Do the math, sum up “Not sure” and “Don’t know” and compare with your passing goal.</li>
<li>If necessary, do a probability/gut check. How many of the “Not sure” do you think you will miss? Is it pretty high? Or is it low?</li>
</ol>
<p>All that said, I wish you the best of luck. Yes LUCK does help, but I prefer to understand probability <img src='http://www.trehb101.com/wp-includes/images/smilies/icon_wink.gif' alt=';-)' class='wp-smiley' /> .</p>
]]></content:encoded>
			<wfw:commentRss>http://www.trehb101.com/index.php/2011/01/13/simple-math-maybe-the-difference-in-your-cert-exam-passfail-chances/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>IT from Cost Center to Revenue Generator</title>
		<link>http://www.trehb101.com/index.php/2011/01/11/it-from-cost-center-to-revenue-generator/</link>
		<comments>http://www.trehb101.com/index.php/2011/01/11/it-from-cost-center-to-revenue-generator/#comments</comments>
		<pubDate>Tue, 11 Jan 2011 23:51:53 +0000</pubDate>
		<dc:creator>TheDon</dc:creator>
				<category><![CDATA[Information Systems]]></category>
		<category><![CDATA[50-30-20]]></category>
		<category><![CDATA[ARM Framework]]></category>
		<category><![CDATA[cost center]]></category>
		<category><![CDATA[Information Technology]]></category>
		<category><![CDATA[IT]]></category>
		<category><![CDATA[Management]]></category>
		<category><![CDATA[revenue generation]]></category>

		<guid isPermaLink="false">http://www.trehb101.com/?p=761</guid>
<description><![CDATA[There is an alternative view to this generally accepted idea. The alternative is not an easy sell and it does not have a manual or boilerplate procedures; however, if done right, via a well-defined strategic vision and proper execution, it can transform the IT department from a necessary cost center into a valuable resource for revenue generation.]]></description>
			<content:encoded><![CDATA[<p>I have been schooled in the paradigm that IT is a necessary cost center for the organization. The generally accepted idea, in essence, is that we bought a computer for the same reason we bought the computer desk and chair. They are a necessity to do business, but they are an expense and do not directly affect revenue. This is still the common view today. That is why there is the so-called computer upgrade lifecycle and why IT expenditures are among the first to take a hit when the organization faces tough times.</p>
<p>There is an alternative view to this generally accepted idea. The alternative is not an easy sell and it does not have a manual or boilerplate procedures; however, if done right, via a well-defined strategic vision and proper execution, it can transform the IT department from a necessary cost center into a valuable resource for revenue generation.<span id="more-761"></span></p>
<p>The following are key areas that will help move an organization towards this direction:</p>
<ul>
<li>It is important to look at the <a href="http://www.trehb101.com/index.php/2010/12/28/simple-principles-for-effective-it-management/">50-30-20 Principle</a></li>
<li>Plan and execute based on the <a href="http://www.trehb101.com/index.php/2011/01/10/it-infosec-management-through-the-a-r-m-framework-no-arm-twisting-necessary/">ARM Framework</a></li>
<li>Do some introspection – See where the department can improve internally to streamline processes, eliminate waste and increase productivity</li>
<li>Understand the client – The IT department’s direct clients are the people it directly supports, typically the other departments within the organization. Understanding the role of each department in meeting the overall mission of the organization, its individual needs and its available resources is a critical first step to helping these departments streamline their processes, eliminate waste and increase their productivity</li>
<li>As IT learns the overall workflow of the organization, it can help develop innovative solutions or approaches that further help the organization in the area of revenue generation</li>
</ul>
<p>For example, key innovations, process improvements and the right technology implementations can help enhance the customer experience and boost customer spending.</p>
<p>A more specific example: a slight adjustment in Internet marketing strategy, by implementing a very cost-effective open source content management and lead management system to work with a well-structured search engine optimization, Web 2.0 and social media strategy, can help increase the leads generated for the company and thereby increase potential sales for the organization.</p>
<p>If effectively planned, executed and managed, even information security management, which is primarily focused on ensuring the confidentiality, integrity and availability of the organization’s proprietary information, can help the organization save cost and increase revenue. How? One immediate area that can be addressed is working with both the marketing and product development departments on how to enhance the customer experience while effectively delivering the message that security and privacy are important factors in how the organization does business. This concept is a little abstract; however, such effective and verifiable communication can build trust between the organization and its clients and can therefore lead to more positive engagements with the client.</p>
<p>In summary, effective IT management involves understanding the organizational priorities and the needs and requirements of its stakeholders, a structured framework, and an objective that sees IT as more than simply delivering services to users: as helping the organization increase value to its shareholders.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.trehb101.com/index.php/2011/01/11/it-from-cost-center-to-revenue-generator/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>IT / InfoSec Management through the A.R.M. Framework (no arm twisting necessary)</title>
		<link>http://www.trehb101.com/index.php/2011/01/10/it-infosec-management-through-the-a-r-m-framework-no-arm-twisting-necessary/</link>
		<comments>http://www.trehb101.com/index.php/2011/01/10/it-infosec-management-through-the-a-r-m-framework-no-arm-twisting-necessary/#comments</comments>
		<pubDate>Mon, 10 Jan 2011 17:22:43 +0000</pubDate>
		<dc:creator>TheDon</dc:creator>
				<category><![CDATA[Information Security]]></category>
		<category><![CDATA[Information Systems]]></category>
		<category><![CDATA[Information Technology]]></category>
		<category><![CDATA[ARM Framework]]></category>
		<category><![CDATA[Assess]]></category>
		<category><![CDATA[Framework]]></category>
		<category><![CDATA[IT]]></category>
		<category><![CDATA[Manage]]></category>
		<category><![CDATA[methodologies]]></category>
		<category><![CDATA[Resolve]]></category>
		<category><![CDATA[SMART]]></category>

		<guid isPermaLink="false">http://www.trehb101.com/?p=759</guid>
<description><![CDATA[There are a multitude of methodologies, frameworks or what-have-you for effectively managing IT and information security. Each of these frameworks has its key strengths and weaknesses. I believe that none really has a significant advantage over the others, as each offers best-practice principles that, if effectively matched with the organization and properly planned, implemented and supported, bring plenty of value to the overall evolution and effectiveness of the organization.]]></description>
			<content:encoded><![CDATA[<p>I will post a more detailed entry on this framework at a later date. A.R.M. stands for Assess-Resolve-Manage. It is a simplified concept that I put together back in 2004 as part of my MBA thesis on information security for small businesses. The framework is adaptive enough that it can be implemented for effective IT management or any other form of management, for that matter.<span id="more-759"></span></p>
<p>Some of the entries in that document are a little outdated and I am still trying to nudge my lazy self in drafting an updated version.</p>
<p>Below are some of the key points of the framework.</p>
<ul>
<li>Three-factor approach that I believe is important to meeting the <a href="http://www.trehb101.com/index.php/2010/12/28/simple-principles-for-effective-it-management/">50-30-20 principle</a></li>
<li>It is a lifecycle that continually evolves and allows for continued flexibility and adaptability based on the needs of the organization and the willingness of the stakeholders to support the organizational objectives</li>
<li>This is a three-legged stool principle that relies on the effective planning, execution and support of each “leg” to ensure that the stool remains stable and standing</li>
<li>Each leg has underlying milestones or procedures depending upon the scope of the task or project</li>
<li>Assess – It is necessary to do a full assessment and/or analysis of the task, the concept and their requirements. This includes, but is not limited to, a project/task feasibility study, analysis of business objectives, needs assessment, risk assessment, gap analysis, cost vs. benefit analysis and project scope assessment</li>
<li>Resolve – Once the assessment criteria are addressed and the outcomes are accepted, resolution begins. This includes fully defining the project scope, addressing resource requirements, implementation, testing, configuration and change management</li>
<li>Manage – Management involves more than simply making sure the program or project works, maintaining it, or delivering it on time, on budget and within specification. To truly provide value to the organization, effective management requires continually looking into improving and streamlining the processes involved. This is addressed via measurable objectives, effective analysis of results and the development of benchmarks and metrics. As the process evolves, we continue to go through the ARM cycle</li>
</ul>
<p>There are a multitude of methodologies, frameworks or what-have-you for effectively managing IT and information security. Each of these frameworks has its key strengths and weaknesses. I believe that none really has a significant advantage over the others, as each offers best-practice principles that, if effectively matched with the organization and properly planned, implemented and supported, bring plenty of value to the overall evolution and effectiveness of the organization.</p>
<p>There are, however, three commonalities among these methodologies:</p>
<ul>
<li>The need to Assess the issue, problem or requirement and find the right solution</li>
<li>The need to Resolve the problem with the identified solution</li>
<li>The need to Manage or Maintain the solution and adjust accordingly to ensure that the problem remains resolved</li>
</ul>
<p>So within each key leg of ARM (no pun intended), you can insert the applicable steps, processes, practices, controls and procedures as they apply to your specific business, field and/or requirements, and have a continuous process improvement cycle whose goals are essentially pretty S.M.A.R.T. Okay, another acronym, but I did not invent this one. SMART means Specific, Measurable, Achievable, Realistic and Time-framed.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.trehb101.com/index.php/2011/01/10/it-infosec-management-through-the-a-r-m-framework-no-arm-twisting-necessary/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>To CISSP or Not to CISSP – Part 2</title>
		<link>http://www.trehb101.com/index.php/2010/12/30/to-cissp-or-not-to-cissp-%e2%80%93-part-2/</link>
		<comments>http://www.trehb101.com/index.php/2010/12/30/to-cissp-or-not-to-cissp-%e2%80%93-part-2/#comments</comments>
		<pubDate>Thu, 30 Dec 2010 18:39:47 +0000</pubDate>
		<dc:creator>TheDon</dc:creator>
				<category><![CDATA[Information Security]]></category>
		<category><![CDATA[Information Systems]]></category>
		<category><![CDATA[Certification]]></category>
		<category><![CDATA[CISSP]]></category>
		<category><![CDATA[ISC2]]></category>
		<category><![CDATA[security professional]]></category>

		<guid isPermaLink="false">http://www.trehb101.com/?p=754</guid>
		<description><![CDATA[Continued from: To CISSP or Not to CISSP – Part 1
Let’s look at what another non-fan of the cert thinks about the cert. In his blog entry he quoted another blog that stated:
“I chose a self study route, and devoted around 2 months for the preparation. Locked myself in and had very little to no [...]]]></description>
			<content:encoded><![CDATA[<p>Continued from: <a href="http://www.trehb101.com/index.php/2010/12/30/to-cissp-or-not-to-cissp-part-1/">To CISSP or Not to CISSP – Part 1</a></p>
<p>Let’s look at what another <a href="http://taosecurity.blogspot.com/2007/05/thoughts-on-latest-cissp-requirements.html" target="_blank" onclick="pageTracker._trackPageview('/outgoing/taosecurity.blogspot.com/2007/05/thoughts-on-latest-cissp-requirements.html?referer=');">non-fan of the cert</a> thinks about the cert. In his blog entry <a href="http://nirlog.com/2007/05/03/how-i-prepared-and-passed-cissp/" target="_blank" onclick="pageTracker._trackPageview('/outgoing/nirlog.com/2007/05/03/how-i-prepared-and-passed-cissp/?referer=');">he quoted another blog</a> that stated:</p>
<p style="padding-left: 30px;"><em>“I chose a self study route, and devoted around 2 months for the preparation. Locked myself in and had very little to no time for the family, I’d told them what I was up to, both my wife and son were very supporting. Every weekday I would dedicate 3 to 4 hours, and on weekends 5 to 6 hours for preparation. The last week before exam, I took leave from work and dedicated around 12 hours straight everyday for 7 days. To cope with the physical and mental tensions I did 45 minutes yoga in the morning and 20 minutes meditation in the afternoon. I took a break or stretched for 5 to 15 minutes after every 1 or 2 hours of studies.”</em></p>
<p>He then followed up by stating:</p>
<blockquote><p><em>“</em><em>That is ridiculous. I would expect someone who wants to be considered as a &#8220;security professional&#8221; to be well-enough versed in the CISSP material to not require seven straight days of 12 hour studying sessions, beyond the previous seven weeks of study.”</em></p></blockquote>
<p><span id="more-754"></span>Again, if the cert is all about the question of competence, the assertion above is very valid. I can also understand why many feel that it is a question of competence, because the cert’s proponents market it that way. Not to mention, the title of the cert also implies it. All that said, however, once again it misses the entire point.</p>
<p>Let’s look at <a href="https://www.isc2.org/cissp-why-certify.aspx" onclick="pageTracker._trackPageview('/outgoing/www.isc2.org/cissp-why-certify.aspx?referer=');">ISC2’s marketing spiel on why one should certify as a CISSP</a>:</p>
<p><strong>Benefits of Certification to the Professional</strong></p>
<ul>
<li>Demonstrates a working knowledge of information security</li>
<li>Confirms commitment to profession</li>
<li>Offers a career differentiator, with enhanced credibility and marketability</li>
<li>Provides access to valuable resources, such as peer networking and idea exchange</li>
</ul>
<p><strong>Benefits of Certification to the Enterprise</strong></p>
<ul>
<li>Establishes a standard of best practices</li>
<li>Offers a solutions-orientation, not specialization, based on the broader understanding of the (ISC)² CBK</li>
<li>Allows access to a network of global industry and subject matter/domain experts</li>
<li>Makes broad-based security information resources readily available</li>
<li>Adds to credibility with the rigor and regimen of the certification examinations</li>
<li>Provides a business and technology orientation to risk management</li>
</ul>
<p>Let’s look at the bullet points that state <em>“Demonstrates a working knowledge of information security”</em> and “<em>Allows access to a network of global industry and subject matter/domain experts.”</em> If we keep the reasons why one wants to be a CISSP, and why one would want to hire a CISSP, within these two contexts, then the negative assertions are entirely true.</p>
<p>However, for the same reason that a college grad has a leg up over a high-school grad, a CISSP has a leg up over a non-CISSP for the intangibles it brings beyond competence.</p>
<p>College and attaining a certification instill a certain discipline that is not easily measured in areas of direct competence or skill. It goes beyond that. It molds the individual into a certain character that prepares that individual to handle situations, more often than not professionally. Before I continue, I would like to make it clear that I am not dissing high-school grads or non-cert professionals. I have worked with and know of high-school grads who can work with the best of them, and college grads who are nothing more than dirt bags. I have also employed folks who don’t hold a single cert but whom I would not dare let go because of the value that they bring to the company, and folks who have all the accreditation in the world but don’t have a clue how to tie their shoelaces even if you showed them how. Okay, that last part is a tad bit of an exaggeration, but you get the point. (I hope <img src='http://www.trehb101.com/wp-includes/images/smilies/icon_wink.gif' alt=';-)' class='wp-smiley' /> …).</p>
<p>The two contractors that I have been talking about have neither the college education nor the accreditation to prove their qualification for the work that we do. However, I believe that they interviewed well and made their resumes look good. Key things that one learns in college and in pursuing certifications are the value of professionalism and ethics. One learns very early on the importance of NOT BURNING BRIDGES in your professional life, since it has a great potential of haunting you endlessly down the road. I will admit that, for all intents and purposes, these two guys probably already know this and it is just a matter of their value system. But then again, I digress.</p>
<p>A CISSP cert, or any other cert or a college degree, primarily helps <em>“confirm one’s commitment to a particular profession.”</em> As with the guy who locked himself up for two months to study for the exam, or <a href="../index.php/2009/11/18/cissp-review-notes-notes-i-used-to-pass-the-exam/#more-74">as I did to prepare for the exam</a>, it shows commitment. It shows dedication. The cert does not prove by any means that I am a better security professional than the two other contractors who did not have the cert, or than the detractors of the cert. It just shows my willingness to commit and dedicate myself and my willingness to learn. If I can dedicate myself to learning such complex ideas that may or may not have anything to do with my work, then I may be able to dedicate myself to learning the processes, procedures and politics of the company that I will be working for.</p>
<p>And employers know this. As a former hiring manager myself, I value college education and certifications to the extent that I immediately know that the individual who is applying for the job took the time and had the discipline to dedicate him or herself to a particular goal and objective and achieved it. There is no quicker way to prove to someone, especially to employers, that you are capable of achieving something better than a college degree or an industry-recognized certification.</p>
<p>There is another point that I want to make. This is again coming from the <a href="http://www.veracode.com/blog/2008/04/not-a-cissp/" target="_blank" onclick="pageTracker._trackPageview('/outgoing/www.veracode.com/blog/2008/04/not-a-cissp/?referer=');">Veracode blog</a>:</p>
<ul>
<li><em>“Career advice, take it or leave it: If an employer or prospective employer demands that you get your CISSP in order to be hired or to progress in your career, run fast in the opposite direction and find a place where you will be valued for your cumulative experience rather than a piece of paper.”</em></li>
</ul>
<p>In this job market, I would say good luck with that. Not only does the Fortune 1 company, also known as the US Department of Defense, require that you attain security certifications if you want to get a job or keep your job in the department (Google <a href="http://www.google.com/search?hl=en&amp;source=hp&amp;biw=1280&amp;bih=603&amp;q=dod+8570.1&amp;btnG=Google+Search&amp;aq=0&amp;aqi=g8g-m2&amp;aql=&amp;oq=DoD+8570.1&amp;gs_rfai=" target="_blank" onclick="pageTracker._trackPageview('/outgoing/www.google.com/search?hl=en_amp_source=hp_amp_biw=1280_amp_bih=603_amp_q=dod+8570.1_amp_btnG=Google+Search_amp_aq=0_amp_aqi=g8g-m2_amp_aql=_amp_oq=DoD+8570.1_amp_gs_rfai=&amp;referer=');">DoD 8570.1</a> for a quick FYI), but the rest of the Fortune 1000 companies worth their salt put value in the cert for a variety of reasons, including the reason I’ve already mentioned above.</p>
<p>If you are one of the lucky few who have all the experience in the world and a really stellar, could-not-be-turned-down resume, a shining diamond in the middle of a pile of coal, more power to you. Unfortunately, not many of us are such diamonds.</p>
<p>Isn’t your resume also just a piece of paper? Looking at the resumes of the two contractors that I keep mentioning in this entry, and knowing these two personally, I believe that they are nowhere close to having the experience, not to mention the titles, that they claim in their resumes. Those claims go a little beyond your average “white lie.”</p>
<p>An accreditation is not the main thing, but rather one of the first things that can help an employer verify a person’s claims about his or her experience and background. Someone might retort, that’s what references are for. Seriously, has nobody ever thought of having his/her best buddy pose as his/her former manager?</p>
<p>Let me finalize this entry by talking about why I decided to take the exam in the first place. As I mentioned earlier in this entry, it was essentially “to build my street cred” or, as ISC2 put it:</p>
<ul>
<li>Offers a career differentiator, with enhanced credibility and marketability</li>
</ul>
<p>Ladies and gentlemen, a certification, a college degree and whatever accreditation you have truly has very little to do with your competence or true skill set. Such competence and skill set you can build through dedication to your work and through experience, and you can’t be dedicated to your work or build your experience unless you get hired. (Unless of course you have all the resources to make yourself your own boss and run your own business; some of us do, but a whole lot more of us don’t.) All the swag, all the acronyms and that piece of paper are all about MARKETING. Yes ladies and gents, it is not a testament to your technical skills, but instead a testament to your marketability.</p>
<p>While I was working for a government contractor and we were in the process of subcontracting with the big guys to go after a particular government contract, the prime contractor would typically ask our company, “What is your key differentiator?” In other words, why should I include you in my team versus the other guy? What have you achieved? There is no faster way to tell them about our achievements than to show them the company’s certifications.</p>
<p>Is an ISO-this or CMMI-that certified company better than a company that has been in existence for over 20 years? Probably, and more than likely, not, but it shows the company’s dedication to becoming better at what they do. A personal certification is no different.</p>
<p>The alphabet soup of acronyms that you tag along your last name, such as CISSP, PMP, CISM, MCSE, CISA, CEH, etc., is the big banner that tells employers that you are a capable individual who can achieve your goals and objectives. AND BUSINESSES ARE ALL ABOUT ACHIEVING GOALS AND OBJECTIVES.</p>
<p>As to the value of the CISSP to me personally and my own doubts about its true value, first look at my entries “<a href="http://www.trehb101.com/index.php/2010/10/08/a-series-of-funny-things-happened-on-the-way-to-san-francisco/">A Series of Funny Things Happened on the Way to San Francisco – Part 1</a> and <a href="http://www.trehb101.com/index.php/2010/10/12/a-series-of-funny-things-happened-on-the-way-to-san-francisco-part-2/">Part 2</a>.” Both companies decided to interview me because I had a differentiator in my resume, and guess what it was: CISSP.</p>
<p>The cert was not the key reason why both companies decided to give me an offer; rather, it was because I was able to effectively articulate my value to both companies during the interview process. I also did not get hired on full-time by the company I am working for now, and essentially get paid what I believe is my market value, because of the CISSP cert, but rather because I have proven my competence in my line of work. However, none of this would have happened if that five letter acronym were not tagging along my last name.</p>
<p>The bottom line: if you are looking for a CERT THAT WILL PROVE to employers how good you are at what you do, then CISSP is not it. I can’t think of any cert out there that does that. But if you are looking for a cert that will help open doors SO YOU CAN PROVE to employers that you are worth your salt, then CISSP and a multitude of other certifications will do the trick.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.trehb101.com/index.php/2010/12/30/to-cissp-or-not-to-cissp-%e2%80%93-part-2/feed/</wfw:commentRss>
		<slash:comments>6</slash:comments>
		</item>
		<item>
		<title>To CISSP or Not to CISSP &#8211; Part 1</title>
		<link>http://www.trehb101.com/index.php/2010/12/30/to-cissp-or-not-to-cissp-part-1/</link>
		<comments>http://www.trehb101.com/index.php/2010/12/30/to-cissp-or-not-to-cissp-part-1/#comments</comments>
		<pubDate>Thu, 30 Dec 2010 18:08:33 +0000</pubDate>
		<dc:creator>TheDon</dc:creator>
				<category><![CDATA[Information Security]]></category>
		<category><![CDATA[Information Systems]]></category>
		<category><![CDATA[Certified Information Systems Security Professional]]></category>
		<category><![CDATA[CISSP]]></category>
		<category><![CDATA[CPE]]></category>
		<category><![CDATA[security professional]]></category>
		<category><![CDATA[value CISSP]]></category>

		<guid isPermaLink="false">http://www.trehb101.com/?p=751</guid>
		<description><![CDATA[I had a discussion with a current co-worker over lunch one day on the importance of higher education. Just a week prior, two contractors working with us left without notice and somehow claimed the workplace was pretty hostile to them. Being also a contractor and working with the same group of folks, I (along with [...]]]></description>
			<content:encoded><![CDATA[<p>I had a discussion with a current co-worker over lunch one day on the importance of higher education. Just a week prior, two contractors working with us left without notice and somehow claimed the workplace was pretty hostile to them. Also being a contractor and working with the same group of folks, I (along with the rest of the team) found the claim pretty odd. We simply did not see the place as being a hostile one. It was actually a tad dull and boring if you ask me. However, whatever the case may be, this is the reason that they gave their contracting office.</p>
<p>One of the contractors was actually not making the cut, meaning he failed to meet even the simplest objectives given to him by our manager and team leads. The other contractor was the one who recommended him for the job, and this contractor apparently has another gig that he believes will bring him tons of cash. So, believing that the writing was on the wall, they decided to leave. Why they left without notice and gave a false statement as to the reason they left has no viable explanation. The only word that comes to mind is, unprofessional.</p>
<p>These two stories came to mind today as I was searching for ideas for acquiring Continuing Professional Education (CPE) credits to maintain my CISSP (Certified Information Systems Security Professional) certification. Somehow the search landed me on pages asking whether the CISSP is worth it. There are several bloggers who simply believe that the accreditation is nothing but a piece of paper that is not worth the ink it was printed with.</p>
<p><span id="more-751"></span></p>
<p>You are probably thinking, what does that have to do with the two paragraphs that I started with? I will put them all together, I promise. This is a blogging mystery drama that will all make sense in the end. Or so I hope <img src='http://www.trehb101.com/wp-includes/images/smilies/icon_wink.gif' alt=';-)' class='wp-smiley' /> .</p>
<p>Anyway, the assertions piqued my interest. I, too, had questioned the value of the certification. I became a CISSP in 2007. This was after 3 years of holding onto the first version of the Shon Harris book and not opening it at all. I decided at the time that I needed to spice up my resume and that the 5 letter acronym tagging along the end of my name would help build my street cred. There was also the looming change in the requirements for becoming a CISSP that made me deduce that getting the cert then would be a whole lot easier than later.</p>
<p>After diving into my regular routine of studying, I got the cert a month before they changed the requirements. In the end, for a wide variety of reasons, the cert did not really help much with my career goals at the time. It did help me land several interviews; however, it did not land me the “dream job” that I was hoping for.</p>
<p>You see, I had this expectation that the cert implied what my true qualifications were and what my market value was as a professional. Those expectations don’t seem to match what employers are putting on the table. It made me wonder, are CISSPs now just a dime a dozen, so that the cert doesn’t seem to provide much value anymore? Or is the cert, or the need for security professionals, simply overhyped, and the reality is that most companies don’t see the real value of the cert?</p>
<p>I concluded then that it was simply the job market that I was in: my qualifications did not match the requirements of the companies in that job market and what those companies were willing to pay for. If I want to see the real value of the cert I will need to look at other locations. Call it an excuse, if you will, but that is my belief and I will stand by it <img src='http://www.trehb101.com/wp-includes/images/smilies/icon_wink.gif' alt=';-)' class='wp-smiley' /> .</p>
<p>All that said, one of the most common criticisms of the cert is that “<a href="http://en.wikipedia.org/wiki/Certified_Information_Systems_Security_Professional" target="_blank" onclick="pageTracker._trackPageview('/outgoing/en.wikipedia.org/wiki/Certified_Information_Systems_Security_Professional?referer=');">CISSP only demonstrates mere understanding of domains rather than competence.</a>” <a href="http://www.veracode.com/blog/2008/04/not-a-cissp/" target="_blank" onclick="pageTracker._trackPageview('/outgoing/www.veracode.com/blog/2008/04/not-a-cissp/?referer=');">This blog entry from Veracode entitled “Not a CISSP”</a> drives home the point:</p>
<blockquote><p><em>“&#8230;like many security certifications, it’s an ineffective measure of a security professional’s practical abilities. Employers and customers often assume the guy with the five magic letters on his resume is technically superior to the guy without. In my experience, it’s exactly the opposite, particularly in situations where you have to sit down at a keyboard and actually DO something as opposed to talking about it. Certainly, I’ve encountered some very notable exceptions to this observation, but we’re playing by the 80/20 rule here.”</em></p></blockquote>
<p>Others also criticize the cert as:</p>
<blockquote><p><em>“…the CISSP certification … focus is technological issues, and the CBK does not address topics related to organization, finance, and strategy&#8221; as the CISSP lacks a broad based understanding of business.”</em> (Source: <a href="http://en.wikipedia.org/wiki/Certified_Information_Systems_Security_Professional" target="_blank" onclick="pageTracker._trackPageview('/outgoing/en.wikipedia.org/wiki/Certified_Information_Systems_Security_Professional?referer=');">http://en.wikipedia.org/wiki/Certified_Information_Systems_Security_Professional</a>)</p></blockquote>
<p>That one I found a tad funny, because another criticism of the cert is that it is way too broad and covers too many things that are not fully relevant to every security professional’s line of work. Going back to the same <a href="http://www.veracode.com/blog/2008/04/not-a-cissp/" target="_blank" onclick="pageTracker._trackPageview('/outgoing/www.veracode.com/blog/2008/04/not-a-cissp/?referer=');">Veracode blog</a>:</p>
<blockquote><p><em>“The trend in information security is toward specialization. Security has become such a broad umbrella of varying disciplines that it’s quite difficult to be a generalist. A security career is a balance between breadth and depth, and these days, the skilled pen tester, reverse engineer, or vulnerability researcher is more marketable than the guy who knows a little bit about dozens of different disciplines but can’t apply that knowledge in a practical situation. The CISSP subject matter illustrates this perfectly — you have cryptographic algorithms, site location principles, network security, and civil law on the same exam.”</em></p></blockquote>
<p>Since the second and third arguments above somehow, in a funky way, negate each other, I won’t bother rebutting them. I’d like to focus on the assertion that “<em>CISSP only demonstrates mere understanding of domains rather than competence.</em>” In the grand scheme of things, I firmly believe that this is a fact. The cert, or every other certification for that matter, does not give anyone assurance of your competence in the field. Anyone who is good at memorization and good at taking exams can pass the exam. Anyone who has the slightest background in one of the 10 security domains can get certified after they’ve taken and passed the exam. Yes, there is a 5 year experience requirement, but changing back-up tapes for five years counts as 5 years’ worth of professional experience.</p>
<p>But. Here is the big BUT. And most of you like big BUTS and you cannot lie <img src='http://www.trehb101.com/wp-includes/images/smilies/icon_wink.gif' alt=';-)' class='wp-smiley' /> . No matter how factual that statement may be, it entirely misses the point.</p>
<p>Going back to the first part of this entry, the discussion between my co-worker and me was in part driven by the story about the two contractors who left without notice and left essentially a big stink about how they say they were treated. As I have stated, their claims of maltreatment were, in the eyes of the team, wholly unfounded. Anyway, I digress.</p>
<p>Folks who have pursued a college education more often than not realize that a good part of what they learned in college really has no direct correlation to practical work in the real world. Everyone knows that there is often a huge disconnect between what is taught in the classroom and what is being done in the offices of companies. More often than not, you can throw away most of what you’ve learned in school and essentially have to do your work the way the company wants you to do it. This essentially means that you have to learn the job the company way.</p>
<p>So why do companies continue to put a high value on folks with college degrees? How can a fresh-out-of-college kid with a degree in Political Science be competitive with a high school grad who has 6 years of technology experience? The answer has nothing to do with competence.</p>
<p>To be continued &#8211; &#8220;<a href="http://www.trehb101.com/index.php/2010/12/30/to-cissp-or-not-to-cissp-%E2%80%93-part-2/">To CISSP or Not to CISSP &#8211; Part 2</a>&#8221;</p>
]]></content:encoded>
			<wfw:commentRss>http://www.trehb101.com/index.php/2010/12/30/to-cissp-or-not-to-cissp-part-1/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
	</channel>
</rss>

