…or at least put in a home for retired security pundits where someone can make sure I take my medication on time, but I intend to go on blathering about security issues for a while yet. (At any rate as long as ESET continues to pay me to pontificate.)
Nevertheless, it’s officially the end of an era, though a very minor ripple on the surface of the Sea of Security. As of the end of August 2014, I will no longer be entitled to put the acronyms CISSP, FBCS, or CITP in my signature. (In fact, I haven’t been using those manifestations of alphabetti for quite a while now, in anticipation of this day. Or, more precisely, the 31st August.)
There’s nothing sinister about this: I haven’t been drummed out of (ISC)2 or the BCS Institute for conduct unbefitting a computer security guru: I’m simply dropping my annual subscriptions to those organizations. I’m still in sympathy with the general aims and ethics of both organizations. There are many otherwise rational people in the security business who are dismissive of any form of certification that results in an artificially lengthened signature, but I’m not one of them. These particular acronyms acknowledge many years of working to improve the security of the organizations for which I’ve worked since 1986 and the community as a whole: I’m honoured by that recognition of whatever I may have achieved in that time, and refuse to be ashamed of having been entitled to use them. So why am I letting them go?
First, let me save you anxiously searching the web for an explanation of all those acronyms:
- CISSP = Certified Information Systems Security Professional: a certification awarded by (ISC)2 (formerly the International Information Systems Security Certification Consortium) to security professionals who meet the required criteria in terms of knowledge (as tested by a lengthy exam), relevant experience (at least 5 years), compliance with the (ISC)2 code of ethics, endorsement by a member in good standing, and maintenance of your own good standing by earning at least 20 CPE (Continuing Professional Education) credits and keeping up to date with the subscription fee.
- FBCS = Fellow of the BCS Institute (formerly the British Computing Society): to quote the Institute’s own criteria, Fellows “demonstrate leadership in the profession by influencing significant numbers of professionals and/or others to achieve common goals, understanding or views within the IT profession.” So maybe all those books do count for something, even if they didn’t benefit my bank balance much.
- CITP = Chartered IT Professional: I was actually grandfathered into this certification, also awarded by the BCS Institute, because I met the requirements for acceptance as a Fellow. I’m not sure if BCS still does that: the normal certification process is quite stringent, and has in fact been made more demanding in recent years.
So, to answer the question “why am I dropping my subscriptions?”, I first have to make a confession. I didn’t maintain those subscriptions out of some purely altruistic desire to further the aims of (ISC)2 and the BCS, though of course I’m happy that my money went towards the attainment of goals that I’m generally in sympathy with. But – shock! horror! – my primary aim was to demonstrate that I have certifiable skills and acknowledged achievements that gave me credibility in the eyes of my peers and enhanced value in the job market. Like most people, even the good people who run (ISC)2 and the BCS (not to mention other organizations like ISACA and SANS), I have to make a living, though I’m fortunate in that I can do so by doing work that I enjoy and for which (I like to think) I have some ability. Over the last year, I’ve made a cost/benefit analysis (as all CISSPs are taught to do!), and while the cost of those subscriptions isn’t high, the benefits are not what they were:
- I’m already past the age where I could, if I chose, be drawing my state pension. When either ESET – where I still hold the title Senior Research Fellow – or I choose to terminate our current arrangement, it’s unlikely that I’d look for another job. If I did, it probably wouldn’t be in security. And if it was in security, it certainly wouldn’t be the sort of managerial role where being a CISSP is sine qua non.
- I haven’t been seriously engaging with BCS for some time, at any rate not at the level where being a Fellow matters. And I don’t see myself as a candidate for the sort of academic milieu where being FBCS might carry weight.
- I no longer find it amusing to flaunt my alphabetti on those lists where it’s assumed that anyone with the letters CISSP after their name must be either a cheat or an idiot with delusions of grandeur and competence. Or, according to one person who commented on one of my articles for ESET, as compensation for underdeveloped genitalia. I can’t imagine how he knew. 😉
- I actually have certifications that don’t entitle me to a string of acronyms. Not that I’m likely to look for work as a security auditor (for instance) at this stage, but perhaps it’s time to relegate all this stuff to my c.v., which I haven’t needed for a long time now and don’t anticipate needing much in the future. And Wikipedia, maybe. 🙂
So from now on, I guess I’ll have to stand or fall by the quality (or lack of it) of my published work. But then, most of the time, I always have. And if I feel the need to expand my signature, I’ll have to fall back on my humble BA. (Now that’s a qualification I am proud of, having completed it under stressful circumstances: that is, as a new parent with a full-time job.)
I may well return to the topic of certifications, though. I addressed it at some length in a chapter in the AVIEN Guide, but maybe it would be a good topic to follow up on the ESET blog.
Small Blue-Green World