I’d recommend that anyone interested in this get a good understanding of the ISO 27000 standard … and I agree with the comment earlier that the CISSP is out of date … it relies too much on technical knowledge. The 27000 standard covers the other aspects required: administrative controls and physical controls (along with the logical controls i.e. technology). Information is stored in many other places the on electronic systems: paper, microform, in our brains; if you haven’t secured these along with the technology then you don’t have “Information Security”.

Firstly, someone who is certified is probably also a member of those professional forums, for instance a CISA will be a member of the local chapter and will be required to attend and even talk about their experiences to get the CPE credits. So its hard for an outsider to be able to tell who is really proficient in their area.

Secondly, most recruiters are not members of the forums themselves and therefore are not aware of the standing of a member there.

Thirdly and most importantly, most companies do not yet understand the importance of Infosec. Sounds wierd, yes, but its true. Look at the breaches happening around you. Unencrypted tape drives, laptops, USB sticks, etc… being lost resulting in data breaches!
Unpatched servers, virus attacks, etc….!!!

I mean, these cos are’nt even losing data to skilled hackers. They’re losing data due to their incompetence and stupidity. Are these small companies that cannot afford an Infosec team? No !!!
Then why can’t they implement encryption on all storage media, disable USB access, patch servers, update AV dat files and push updates?

The reason is clear, the managements of most companies still feel that Infosec is simply not important enough. They feel that the cost of a Security incident is less than the cost of investing in setting things right. I’ve seen numerous incidents wherein they pompously claim that they have accepted the risks, its a risk that has never materialized in the last few years, and therefore is unlikely to happen in the future.
But having a CISO is imperative, cos clients will ask about the organizations Infosec initiatives, so these forward thinking companies hire a team of jokers with certifications who are content to be YES men, and tout them as the cure for all their infosec woes. Give them a lofty title and they will keep the clients happy. If only it was so easy though…..

Oh, and if the clients are really insistent, then well go get the org certified too. ISO27001, SAS70, SOX et all…. Never mind that the consultant is so brain dead that he/she will sign anywhere you ask him to sign as long as the payoff is good.

The real credit for success goes to management and the real blame for failure also goes to management. They’re also the real Mortals and Immortals in this story.