Edit: UPDATE!!

Thank you for all of the signatures received thus far. I will be sending out individual e-mails with a thank you as well as a request for a reply confirming your signature.

Spoke to @wimremes this morning and just got a call from @secwonk who is also on the board. It turns out that the webform is not compliant with the voting process as it can lead to fraud. To submit your vote, please send an e-mail isc2board@jadedsecurity.com with your Full Name and CISSP number in the body of the message. This will be enough to count as a signature. THANK YOU all in advance..











The four horsemen of the Impeding Infosec Apocalypse

 Don’t forget there are four spots available. We all desperately need your signatures to get on the ballot

Dave Lewis aka @Gattaca Vote Here

Scot Terban aka @Krypt3ia Vote Here

Chris Nickerson aka @indi303 Vote Here

Boris Sverdlik aka @Jadedsecurity send an e-mail to isc2board@jadedsecurity.com

I know you must be all shocked to see this and frankly so am I. Wim Remes truly believes that bringing fresh blood to the board is working in a positive way to drive change for the better. Seeing that Dave Lewis is running (Vote for Dave) makes me feel that instead of sitting on the sidelines and bitching about it I should join the fight to drive change at ISC2.

I’m not going to promise things that I may or may not be able to deliver on, but I can promise I will stick to what I believe is a shared vision in the community for a value add certifying body. In order to change perception of the certification and the certifying body we need to change. The platform that  I have is relatively straight forward:

1. The current test does not adequately provide any assurance that the candidate has a firm grasp of real world security as a whole. It is geared towards individuals that are good at memorizing text and being able to test well on the subject. It is very reminiscent of the MSCE/CCNA of the 90s. The format needs to change beyond just being updated with the latest technology. I’d like to see some form of essay driven questions that would truly test the candidates knowledge of real world security problems and identify their logical thinking on how they would address them. This would be akin to the CCIE where candidates are required to actually fix hw/sw problems on Cisco gear to demonstrate aptitude.  This is one of the few ways I feel we can test true knowledge and eliminate the bootcamp mentality.

2. The pre-certification audit process also needs to be updated to provide assurance that the candidate has “real” security experience and to do this we must change the current endorsement process. ISACA requires that candidates have former employers and/or colleagues sign off on the attestation. ISC2 should do the same as this is the only way to attest to experience.

3. CPE requirements should be expanded so that they treat content producers and consumers equally. We produce a daily podcast, yet can only submit one hour of CPEs for the production of the content, while individuals who listen to the podcast can submit per episode. This is somewhat biased and puts off individuals from producing content and contributing to the community. We all agree that to be a good security practitioner you need to always stay up to date on the industry and there are many ways this can be done, outside of vendor driven conferences.

4. Financial Transparency is what we have all been asking for. ISC2 collects annual dues and has a responsibility as every responsible 501(c) to be transparent with accounting.

So Vote for Boris Sverdlik aka JadedSecurity


13 comments so far

Add Your Comment
  1. Good luck – I would be more than happy to vote for you in the elections, so I hope you get through this first hurdle. Sadly, lots of CISSPs are pretty apathetic…

  2. 2012-08-22 Wednesday
    Wise decision. Boris, you have my vote.

    • Thanks!!

  3. You have my vote!

    • Thanks!

  4. Mostly agree with your points. However, I reckon the experience attestation requirement should be canned, because it’s the newcomers to the infosec field who would gain the most from having the cert. Someone with 5+ years’ experience doesn’t need it as much.
    If an applicant invested his/her spare time in learning (both practice and theory) information security, and became talented enough, surely they deserve a shot?

  5. [...] Endorse Boris Sverdlik here [...]

  6. [...] Vote for Boris [...]

  7. Voted for everyone. Though in Krypt3ia’s, are we supposed to just enter our CISSP number in the big field or are we supposed to add something else?

    To expand on your balance in CPEs, I don’t know if the problem is producer vs consumer or rather emphasis on consuming vendor products. Every time I write CPEs, I get the feeling they are a way of forcing me to check out vendor products rather than a reflection of continued exploration of computer security. I think it does, however, manifest it’s self in the vendor vs consumer conflict.

    While we’re on changes, I’d like to see ISC2 using it’s clout to support innovative methods of learning and colaboration. Many organizations won’t let people attend training because it sounds, for lack of a better term, sketchy. (This happened toby Marisa Fagan’s Infosec Mentor’s program at my work.) I’d like to see ISC2 either directly back this stuff, or provide a forum where people can review training (and which ISC2 can lend some type of seal of approval). It should include all types of training from listening to podcasts, to going to conferences, to reading research papers, to participating in online communities, to taking online training through browser-based remote desktops.

  8. Good luck Boris.

  9. Status??????

  10. [...] Endorse Read the petition for Boris Sverdlik here [...]

  11. Dear Boris,

    I found ur site while i was searching for “what to do after being decertified from CISSP” on google.

    isc2 decertified me because i was not able to pay their annual fees despite the fact that this certification did not helped me find an even 300 dollars a month job in my country. I’m from pakistan.

    I ask you, how is it possible for someone without any job to pay them annual fees in dollars and attends mandatory infosec seminars to achieve CPE’z to keep alive their certification.

    I feel they force candidates to earn for them, and i have requested them a million of times to review my case with fairness but they insist me to re-register, sit in the exam, pay all the previous years fees, penalties etc etc…

    What benefit does this certification has ? i did not felt a single one..

    I sure would had voted for you and your team but they wont let me….

    Truly i feel, all of these certification organizations have morphed into money making cruel corporations that feed upon the blood of weak and suppressed.