Over the years there has been a lot of ink spilled, keys clicked and blood shed over the morass of information security-related professional certifications that have popped up across the landscape like proverbial weeds in the garden.
It is like the story of Goldilocks and the porridge: "This one's too technical," "that one's not technical enough," "ah, this one's just right." And some would argue that holders of certain "gold-standard" certifications are not necessarily security-savvy. The rhetoric goes on and on and on.
From my perspective, certifications are analogous to a college degree. There are incredibly smart and capable people that do and do not have degrees. There are no guarantees when it comes to a person's knowledge, experience, and capabilities.
However, if one does have a college degree, it reflects that the individual made some commitment to study and earn the degree. And depending on the quality of the school and program, one would expect that some standard was met in the chosen course of study.
Likewise, pursuing professional certifications reflects one's commitment to earning the certification, adhering to some standard or body of knowledge that is the foundation for the certification, and typically maintaining the certification by renewal/retesting or continuing education requirements.
This leads me to EC Council's new C|CISO - Certified Chief Information Security Officer certification. I have been following EC Council's C|EH - Certified Ethical Hacker certification since its inception.
When the C|EH first came out, I was enamored with the idea of certifying and codifying a body of knowledge around the algorithmic-like steps involved in breaching networks and systems for the sake of understanding the process and defending one's environment.
EC Council's development of this and the evolution of their other security-related professional certifications have resulted in a truly well-rounded and quality suite of certification and educational offerings.
I was delighted to learn of their new C|CISO certification, which comprises five domains: (1) Governance (Policy, Legal, and Compliance), (2) IS Management Controls and Auditing Management (Projects, Technology, and Operations), (3) Management - Projects and Operations, (4) Information Security Core Competencies, and (5) Strategic Planning and Finance.
For the sake of full disclosure, I currently hold the CISSP, CISA, CISM, and NSA-IAM/IEM certifications. I am proud to have earned and maintain these certifications and the sponsoring organizations are without equal.
I am eager to follow the evolution of the C|CISO certification, as it looks as though it will fill some gaps in other "gold-standard" certifications that matter for anyone aspiring to or practicing security at the C-level.