Evidently it’s time to rethink our business model at Securosis. All you need to do is role out a certification program and wait for money to roll in. Actually prove skills? Bah, humbug. Actually require some sort of test? Screw that. Basically all you need is a CISO job and $200, and I have a certification for you.

Your CISO cert is worth about this... But at least you'l be happy!My severe case of snark is directed at the new Certified CISO program, introduced last week by the EC-Council. Those are the folks who do the Ethical Hacker certification, which is actually a decent program. This Certified CISO program? Not so much.

How do you qualify to be a Certified CISO? Basically you need to have a pulse and a job. For the next year, all you have to do is show that you have 10 years of experience with 6 years across the 5 CISO domains (Governance, Controls and Auditing Management, Management – Projects and Ops, Security Core Competencies, Strategic Planning & Finance). Not that there isn’t something to be said about someone who decides to remain a CISO for 10+ years (besides questionable judgement), but who needs a certification to prove that?

Do you wonder why most certifications are less useful than toilet paper? At least you can wipe your backside with toilet paper. Wouldn’t your resume just suffice – since this just proves your experience? Even better is the price. You can get this critical certification for the low, low price of $350 to apply and another $200/year to renew. I’m sure Lee Kushner is quaking in his boots, as clearly Certified CISOs will now reduce the need for CISO recruiting services. Companies can now just add this term to their resume filtering machines and move on to the next position, right?

It seems the EC-Council plans to have some kind of test in 2012, although you can exempt out of that if you bother to get high-impact certifications like the CISSP, PMP, and CISA. Although it’s not clear to me how you’d build a truly objective test to show what’s really important for a CISO: persuasion skills and a very high tolerance for pain and frustration. And don’t think that we are anti-certification out of hand. We built the curriculum for the CCSK certification training program. It’s just that the certification has to have some grounding in reality. Is that too much to ask?

All I can hope is that self-respecting CISOs see through this haze and realize that more letters on their business card don’t prove anything. Or maybe I’ll just stop tilting at windmills and roll out a Certified Pragmatic CSO program. Maybe that’s the ticket.

Photo credit: “Very Happy Toilet Paper” originally uploaded by kim’n’Cris Knight

Share: