Tuesday, March 06, 2012

New Certification on the Block – EC Council’s CCISO

“This one’s too technical”, “that one’s not technical enough” – “ah, this one’s just right”. And some would argue that holders of certain “gold-standard” certifications are not necessarily security-savvy. It goes on and on and on.

Over the years there has been a lot of ink spilled, keys clicked and blood shed over the morass of information security-related professional certifications that have popped up across the landscape like proverbial weeds in the garden.

From my perspective, certifications are analogous to a college degree. There are incredibly smart and capable people that do and do not have degrees. There are no guarantees when it comes to a person’s knowledge, experience, and capabilities.

However, if one does have a college degree, it reflects that the individual made some commitment to study and earn the degree. And depending on the quality of the school and program, one would expect that some standard of learning has been attained through their chosen course of study.

Likewise, pursuing professional certifications reflects one’s commitment to earning the certification, adhering to some standard or body of knowledge that is the foundation for the certification, and typically maintaining the certification by renewal/retesting or continuing education requirements.

This leads me to EC Council’s new C|CISO – Certified Chief Information Security Officer certification.

When the C|EH first came out, I was enamored with the idea of certifying and codifying a body of knowledge around the algorithm-like steps involved in breaching networks and systems, for the sake of understanding the process and defending one's environment.

EC Council's development of this and the evolution of their other security-related professional certifications have resulted in a truly well-rounded and quality suite of certification and educational offerings.

I was delighted to learn of their new CCISO certification, which is comprised of five domains:

(1) Governance (Policy, Legal, and Compliance)
(2) IS Management Controls and Auditing Management (Projects, Technology, and Operations)
(3) Management - Projects and Operations
(4) Information Security Core Competencies, and
(5) Strategic Planning and Finance.