EC-Council is currently offering to grandfather security professionals with around 10 years' experience in a related role into their new CISO certification.
This is essentially being done to create a reputable base of certification holders, to show better value and to increase interest and demand in the industry.
The requirements and the content involved with obtaining a certification past September 30th, 2012 may not be beneficial for a CISO, but I do not know how applicants going for these positions with this new certification will stand apart from those with graduate degrees in their understanding of security solutions or other compliance and framework qualifications.
There may be a myriad of people whose career ambition is to become a CISO, and with the way the CISSP has been working, they may think HR, hiring managers and recruiters will not look much further than the paper qualifications.
I have seen and tend to believe more than a few individuals exaggerate their experience or are deceptive with the required background needed to obtain the likes of the CISSP. EC-Council's CISO certification may require 10 years' relevant experience, but what does that mean?
It may just mean they need an EC-Council CISO-certified sponsor, and the investigations into the quality and quantity of the alleged experience may not be extensive. How can they?
Talent and insight of any industry certification holder without really understanding more than the buzzwords and basics reflects ineffectiveness, and it is ultimately a disservice to the organizations that pay them and the industry as a whole.
I feel if companies start looking for CISO certified security management candidates, the overall posture of security will be depreciated.
Hiring quality security professionals requires lengthy interviews with very difficult and in-depth questions about their knowledge, experience and abilities.
A CISO is an Officer and there is not any way in my mind that any certification beyond frameworks and compliance will show definitive proof for being effective in the role or even add value.
Organizations that have CISOs are typically large and few and far between, so we will see how this plays out in the future of requirements for security's top spots.