Certifications: What's New? - Hord Tipton, (ISC)²

Education and training are two of the key priorities of information security professionals and organizations in 2010. And professional certifications are at the heart of that training.

What's new in information security certifications? In an exclusive interview, W. Hord Tipton, Executive Director of (ISC)², discusses:

Training trends;
What's new from (ISC)²;
Insight into new research on the profession.

Tipton is the executive director for (ISC)², the global leader in educating and certifying information security professionals throughout their careers. Tipton previously served as president and chief executive officer of Ironman Technologies, where his clients included IBM, Perot Systems, EDS, Booz Allen Hamilton, ESRI, and Symantec. Before founding his own business, he served for five years as Chief Information Officer for the U.S. Department of the Interior.

TOM FIELD: Hi, this is Tom Field, Editorial Director with Information Security Media Group. I am here talking today with Hord Tipton, the Executive Director of ISC2. Hord, thanks so much for joining me.

HORD TIPTON: Oh, glad to be here, Tom.

FIELD: Now we all know the name of ISC2 -- but some of our viewers only associate it with maybe a particular certification they have gone for, so maybe you can tell us a little bit about the organization and the scope of what you do.

TIPTON: I only wish that everyone knew about ISC2, the branding name of the company, and I won't even go into what all of those initials stand for, but I will emphasize that it is an international company, we are known primarily for the CISSP, which is known as the gold certification for IT security professionals.

Our company just celebrated its 20th anniversary last year, which may not sound like much to many people, but 20 years in these days -- if you survive, you have done something right somewhere along the line.

We are a non-profit, a not for profit organization, and we were founded around the kitchen table essentially by a group of very passionate security professionals, something like 20 years ago. So, today we still are not for profit, and we have grown from that kitchen table full of members all the way to over 71,000 I believe now, credential holders with people with certifications within our organization. We are represented in 135 countries. We are truly international. We have a Board of Directors that is made up of business and security professionals from across the world. Our dedication and our passion is to make the internet world more safe and more secure for everyone.

FIELD: Well, very good. Now one of the things that we noted in our own research this year is that organizations are starting to spend more money on training, and information security professionals are starting to seek out more training to improve their own career possibilities. What is new with ISC2? Are there new certifications that you are coming out with this that you will be offering to professionals?

TIPTON: We have currently eight certifications. Three of those certifications are like Master's degrees to the gold standard, the CISSP. They are very technical, they are very, very difficult to obtain, and there are less than 1,000 actually of those, whereas we have like I said, something like 67,000 CISSPs at this point.

Developing and building and maintaining certification is truly a labor of love, and they are very difficult to maintain; they are expensive to maintain, to keep them current, to keep them certified under the international standards, the ISOs and the ANSIs. So we think very, very carefully before we do that. Now having said that, just last year we launched a brand new certification that we have been working on for about three years in development and research, called the Certified Life Cycle Software Security Professional. That was dedicated to that missing piece of the software development cycle that we have over time seemed to have known what the problems were, but haven't been successful in actually taking care of those problems.

So security needs to be baked in - that's the secret. To do that you have got to be on the front end of the life cycle, and then you have to follow it all the way through requirements, design, deployment, development, operations and eventually when you retire it. This certification has really caught on, and we now are approaching, or maybe have passed as I haven't kept score here recently, the first 1,000 on that base credential -- and it is a base credential -- and we have endorsements from over 50 major companies, other certifying organizations, and we are off to a good start with that one.

Looking out into the future, we have a number of areas that we believe are in need of professional certification and will be talking about that next month with our product development committee. Can't let up too many secrets out of the bag here.

FIELD: So, you are here at the RSA Conference this week. What are the conversations you want to be having with professionals while you are here?

TIPTON: Well, part of the importance of a credential is actually staying current, and RSA offers that rare opportunity for all of our professionals to not only be smart, but to be smarter when they leave and to stay up with current technologies, what is happening in the Web 2.0 world, how close are we to Web 3.0 -- there are lots of topics on cloud computing, a lot of new subjects on virtualization that our people need to be aware of. They need just to meet with their peers and share their problems, and we have meetings all week just to bring them together and give them that opportunity.

FIELD: One last question for you; I understand you have got some new research that you are about to announce on Thursday of this week. What can you tell us the highlights of the study are?

TIPTON: Okay. Well, the highlights of this study are very, very encouraging, and it is optimistic for people in the IT security world. The downturn in the economy across the world, across the globe, has demonstrated that IT security is still in demand. It is still a very, very big need, and it has not suffered the trials and the tribulations that a lot of other industries have; very encouraging.

FIELD: So what action will you want people to take from hearing these results and reacting to them?

TIPTON: Well, we want that to be known. That the business has finally realized that IT security, protection of their data, their intellectual property, all of the things that travel across these wires and through the air at this point are vitally important to their survival and they finally have seen that. So we have watched the demand for certification and for education in this area grow from "well, it would be nice to have" all the way to "well, it is preferred" when you hire someone, and now we are seeing more and more that it is required.

FIELD: What do you expect to see over the coming months as we continue through 2010?

TIPTON: We are seeing that more and more training dollars are being released. The economy has had a freeze on a lot of those monies, and we knew at the time that eventually it was going to break loose.

I worked in the government for a long time, and unfortunately the first thing that the government likes to do is to freeze training, cut training and travel and then hunker down, I guess, is the word. So we are seeing from kind of a flat interest in training, it didn't go down, but now we are seeing an increase coming back so that is a good signal that budgets have been released and people are seeing the need and they can't do without it. The last people that go from a company are the lawyers, but the next to the last are your security professionals.

FIELD: Well, the good news is we both traveled to talk about training, so take that as an encouraging sign.

TIPTON: Absolutely.

FIELD: Hord, thank you so much for your insights today.

TIPTON: Thank you.




