I'll just make one personal observation about the IISSCC certification process. When they started up the program, and announced the "grandfathering" scheme, I checked it out. I found that if someone like John Draper (the original "Captain Crunch") or Kevin Mitnick were to apply under the grandfathering, they would probably meet all the requirements. Unless someone questioned their backgrounds, they would probably meet the requirements. If they pass the test being devised now, they could probably also meet the necessary requirements. Several of the long-time "black hats" who have not been publicly exposed and convicted could also meet the requirements if they have been working as "security consultants" and say they adhere to the code of ethics. There is no "vetting" process to weed these people out.

On the other hand, I would not qualify for certification. This is despite the fact that I write books and articles on security, direct research, produce security tools in wide-spread use, work with response teams and law enforcement agencies, and consult worldwide on the management of computer security. The way the requirements read, my experience doesn't count. Yet, I don't know of anyone who would consider me to NOT be a "security professional."

In all fairness, I don't know if the requirements for certification have changed in the 18 months or so since I looked at them -- the program is still being ramped up. However, given the above, I would place little value on the presence or absence of CISSP on someone's resume.

--spaf