Among my more varied certifications, I’m a Certified Information Systems Security Professional (CISSP). I got it a few years ago since it was one of the few non-vendor-specific certifications available at the time. I studied my tail off and managed to pass the multiple-choice Scantron-based exam. One of the things about the CISSP that appealed to me was the idea that I didn’t need to keep taking that monster exam every three years to stay current. Instead, I could submit evidence that I had kept up with the current state of affairs in the security world in the form of Continuing Professional Education (CPE) credits.
CPEs are nothing new to some professions. My lawyer friends have told me in the past that they need to attend a certain number of conferences and talks each year to earn enough CPEs to keep their license to practice law. For a CISSP, there are many things that can be done to earn CPEs. You can listen to webcasts and podcasts, attend major security conferences like RSA Conference or the ISC2 Security Congress, or even give a security presentation to a group of people. CPEs can be earned from a variety of research tasks like reading books or magazines. You can even earn a mountain of CPEs from publishing a security book or article.
That last point is the one I take a bit of umbrage with. You can earn 5 CPEs for having a security article published in a print magazine or other established publishing house. You can write all you want but you still have to wait on an old-fashioned editor to decide that your material was worthy of publication before it can be counted. Notice that “blog post” is nowhere on the list of activities that can earn credit. I find that rather interesting considering that the majority of security-related content that I read today comes in the form of a blog post.
Blog posts are topical. With the speed that things move in the security world, the ability to react quickly to news as it happens means you’ll be able to generate much more discussion. For instance, I wrote a piece for Aruba titled “Is It Time For a Hacking Geneva Convention?” It was based on the idea that the new frontier of hacking as a warfare measure is going to need the same kinds of protections that conventional non-combat targets are offered today. I wrote it in response to a NY Times article about the Chinese calling for Global Hacking Rules. A week later, NATO released a set of rules for cyberwarfare that echoed my ideas that dams and nuclear plants should be off limits due to potential civilian casualties. Those ideas developed in the span of less than two weeks. How long would it have taken to get that published in a conventional print magazine?
I spend time researching and gathering information for my blog posts. Even those that are primarily opinion still have facts that must be verified. I spend just as much time writing my posts as I do writing my presentations. I have a much wider audience for my blog posts than I do for my in-person talks. Yet those in-person talks count for CPEs while my blog posts count for nothing. Blogs are the kind of rapid response journalism that gets people talking and debating much faster than an article in a security magazine that may be published once a quarter.
I suppose there is something to be said for the relative ease with which someone can start a blog and write posts that may be inaccurate or untrue. As a counter to that, blog posts exist and can be referenced and verified. If submitted as a CPE, they should need to stay up for a period of time. They can be vetted by a committee or by volunteers. I’d even volunteer to read over blog post CPE submissions. There are a lot of smart people out there writing really thought-provoking stuff. If those people happen to be CISSPs, why can’t they get credit for it?
To that end, it’s time for (ISC)^2 to start allowing blog posts to count for CPE credit. There are things that would need to change on the backend to ensure that the content that is claimed is of high quality. The desire to have only written material allowed for CPEs is more than likely due to the idea that an editor is reading over it and ensuring that it’s top notch. There’s nothing to prevent the same thing from occurring for blog authors as well. After all, I can claim CPE credits for reading a lot of posts. Why can’t I get credit for writing them?
The company that oversees the CISSP, (ISC)^2, has taken their time in updating their tests to the modern age. I’ve not only taken the pencil-and-paper version, I’ve proctored it as well. It took until 2012 before the CISSP was finally released as a computer-based exam that could be taken in a testing center as opposed to being herded into a room with Scantrons and #2 pencils. I don’t know whether or not they’re going to be progressive enough to embrace new media at this time. They seem to be getting around to modernizing things on their own schedule, even with recent additions of more activist board members like Dave Lewis (@gattaca).
Perhaps the board doesn’t feel comfortable allowing people to post whatever they want without oversight or editing. Maybe reactionary journalism from new media doesn’t meet the strict guidelines needed for people to learn something. It’s tough to say if blogs are more popular than the print magazines that they forced into email distribution models and quarterly publication as opposed to monthly. What I will be willing to guarantee is that the quality of security-related blog posts will continue to be high and can only get higher as those that want to start claiming those posts for CPE credit really dig in and begin to write riveting and useful articles. The fact that they don’t have to be wasted on dead trees and overpriced ink just makes the victory that much sweeter.