I am one of the ~90,000 members of (ISC)². Though I’m active in the information security community, saying that I’m active in (ISC)² would be an inaccurate characterization. I maintain my CISSP certification by abiding by the code of ethics, maintaining my CPEs, and paying an annual maintenance fee of $85. Like many of my peers I’ve had conversations with over the last couple of years, I feel that there are opportunities for (ISC)² leadership to better engage its members and govern the organization more transparently. In order to make a more informed decision before casting my ballot in the (ISC)² Board election, I tried to reach out to all of the candidates on the Board slate, as well as those running write-in campaigns, to ask a couple of questions concerning engagement and transparency. I was pleased that 9 of the 11 responded and I’m appreciative that they took the time to write such thoughtful responses.
My email to the candidates is below, followed by the responses of those who explicitly stated that they were willing to have me publish them. I am waiting to hear back from a few to get their explicit permission to share. All of the responses are posted verbatim, with minor editing for formatting and to remove text giving permission to re-post, offers to elaborate, salutations, etc. I successfully made contact with David Kennedy, Doug Andre, Flemming Faber, Freddy Tan, Howard Schmidt, Jennifer Minella, Kiebler Melo, Richard Nealon, Rik Ferguson, and Tony Vargas. I’ve been unable to reach Greg Mazzone. If anyone is able to share his email address or put him in touch with me, I’d appreciate it.
With the exception of Flemming Faber, the rest have responded to my questions, and all but David Kennedy, Flemming Faber, Freddy Tan and Kiebler Melo have given explicit permission to share their responses. I’m following up with those three to ask whether they’ll give permission to share their responses. I’ll add additional candidates’ responses if/when permission is granted.
I’ve reviewed the information you’ve shared online concerning your (ISC)² candidacy and I’m excited about what you hope to accomplish if elected. As a CISSP and active member of the information security community, I want to make an informed decision before voting this month. Though a candidate’s platform is important to me, I am also very interested in member engagement and transparency and believe that these are areas of great opportunity for you and fellow candidates.
Would you mind sharing how you intend to engage the members of (ISC)² during your term? And how you will address transparency so that (ISC)² members have better visibility into the vision, direction, progress, and challenges of the (ISC)² Board?
With your permission, I’d also like to share your response via the Web so that fellow members of (ISC)² can consider it before voting. I am attempting to reach all candidates to give them all an opportunity to answer these questions and asking that they consider allowing me to share the responses with others via the Web.
And thanks for your current and past service to the information security community.
David Kennedy’s response:
For me, transparency is everything. I think some of the issues in the past around ISC2 have been around the sharing of information and making it more of a community driven consortium and continuing to move the marker in security. This is something that I believe in openly and have always been an advocate of keeping people informed because ultimately, I was voted in by the same people. I don’t claim to know everything or what will be perfect, but having community driven transparency and support helps with the direction and objectives in making sure ISC2 is moving on the right path with the INFOSEC community. With any group, the CISSP is just a certification, but the organization should be one that focuses on the betterment of the INFOSEC industry as a whole. That’s my goal and the reason for running. I think I can add and help to that direction because I am a community driven and centric individual. All of my open source projects, DerbyCon, and others are all designed to take inputs in from the community and work as one cohesive group. ISC2 is a great avenue to get the right message out to folks and really steer the community in a direction to where we can get proactive with security. It’s exciting for me and something that I look forward to if everyone will have me.
To address some of your questions below, specifically I will have clear objectives that I want to meet and communicate those with ISC2 members and ask for advice. Tracking those will be important, and clear goals for meeting those need to be established. I want to make sure that the direction I take is that of others and the community; that’s the most important piece to making all of this work.
Doug Andre’s response:
As a single Board member, I would intend to engage membership more in social media, forums, focus groups and chapter meetings. I would also try and push (ISC)2 to communicate in a similar fashion, as the masses often do not go to a single website anymore to get information, so mobility is a key factor. I do not feel the BOD has done a good job communicating with members, and some type of communication channel with the membership should be created, but there would have to be some type of controls in place as the BOD would not have the bandwidth to answer the flood of emails or tweets. I have been harping on better use of the Chapters through the strategy work, so maybe utilizing the Chapters to filter membership needs, wants, and gripes could be a good way to filter the workload and actually vet what the membership is communicating. It would be bad to go down a path based on the views of a vocal minority that had not been vetted with a majority of the membership, and I think the Chapters would be a good way to do that. I would also like to see (ISC)2 make better use of technology in communicating with membership. The organization does a lot of face to face communication currently at Conferences and member forums across the globe, but I would like to see better use of virtual communication or “town halls” so to speak using technology such as Google Live or something similar. Travel dollars are scarce and members often are not able to travel to these conferences and forums, so a better way of communicating with them needs to be investigated.
I also agree with you in that the BOD needs to be transparent with the membership. As Chairman of the BOD Strategy Committee, I was successful in collaborating with my fellow BOD committee members in getting a new member focused strategy adjudicated. This strategy has 3-5 year goals and objectives and focuses on transitioning (ISC)2 from a certification organization to a membership organization while preserving certification capabilities and value. From a transparency perspective, should I be re-elected to another term, I would advocate publishing the Goals and desired outcomes to the membership and, in addition, implementing a balanced scorecard approach (or something similar) by developing membership focused metrics that would allow (ISC)2 to measure where they are as an organization in achieving the goals and desired outcomes. This would allow membership to see where (ISC)2 is going and gauge progress. As part of the process (ISC)2 would need to survey the membership every other year or so to gauge a pulse as to what their wants and desires are for services, certifications, training etc. The data from those surveys would then need to be analyzed for the next round of strategy work to develop new 5-year goals and associated outcomes. (ISC)2 needs to strive to provide an unparalleled membership across all offerings including Chapters that sets (ISC)2 apart in content, delivery, and format.
Howard Schmidt’s response:
As to the communications with members, I see this as multi-tiered. One individually, where a member would like to make a comment, ask a question or give a perspective that they see from an individual member perspective. All of the normal communications methods are available: LinkedIn, email, Facebook message, etc. I also attend a number of events where members can meet with me either as a group or individually. I see no shortage of opportunities to engage and do not shy away from doing so.
On the transparency issue, this is a bit more challenging as this is not often an individual board member’s sole decision (in this thread, me). My default way of doing business is the more transparent the board operates, the more value there is for the members and better support, even in areas where there may be disagreement. Often how much transparency is determined by the attorney, current policy (which should be able to be changed) or vote of the board. In those cases the only thing I can do is to argue for transparency to be the default and not to use it to get around being accountable or making one’s position known. This is always a difficult way of doing governance but should be a priority and embraced not only by me but everyone on the board who exercises their responsibility of serving the membership while providing the governance we are committed to do.
Jennifer Minella’s response:
Engagement is a difficult one, only because I’m not yet familiar with the inner workings of (ISC)2 and the board. I want to be careful about promising what I will “do” and make sure the promise is of what I will push hard for, and the changes and programs I will advocate for. It’s important to understand how the machine operates before one starts turning its knobs. I also don’t want to promise a lawn mower can make you buttered toast.
The first part of what seems to be in the largest state of disrepair is the (ISC)2’s communications to and from members. With around 100,000 members worldwide, I understand the immense challenges of communications; language, culture differences, diverse concentration of members, variances in priorities by region, inconsistent expectations of appropriate levels of engagement and formality. All that being said, I think doing nothing is not the right answer. If the perception (or even the reality) is that (ISC)2 is more interested in its future certifying members than its current members, there are still myriad ways for (ISC)2 to better communicate with, listen to, utilize and engage with its existing, AMF-paying 90k+ members. Sure, we get press releases and member updates, but there’s no soul, no face, no personality, and no system in place (that I know of) for member requests to filter up to the directing board. Sending press releases and member announcements by email is more of an alerting system than a communication method. We members are screaming in the dark, and no one hears our cries. We can do better.
Good communication can fix a lot of things, but that communication has to be of high quality, interesting, consistent, meaningful and two-way. Obviously with 90k+ members, the communication has to be structured, but not necessarily formal. Here are some ideas on specific ways to improve communication:
- Monitoring the pulse. I envision something tiered that would include structured monitoring of online and in-person groups. That would include watching LinkedIn, twitter, Facebook, G+, forums (official ISC2-cert forums and maybe the top 1-2 unofficial forums per region).
- Structured aggregated input. Plus, structured communication from chapters, regions, committee teams and any live gatherings at events; member receptions, conferences, social events. Also, a more difficult program but possibly the highest ROI, may be to have more formalized regional groups and ways for each region to communicate more closely with members local to them, and then of course filter and feed key points from those interactions back up to the board. This would be a bolt-on to the existing regional advisory councils.
- Focus groups. Fully engage representative membership in focus groups and put in place a support system and communication process for them. I know (ISC)2 has a mechanism in place for this now, but I don’t think it’s communicated or explained well.
- Surveys, polling, trend analysis. That sort of intelligence gathering should be for the purpose of keeping a pulse on the active membership, acknowledging where there are member pain points, and facilitating a way to gather enough input to identify trends and member needs. All this would be in addition to updates to the more structured feedback systems – member surveys and polls, as an example. Most surveys are constructed completely backwards, and trending data is not kept or analyzed. I think that’s an easy fix.
- An “Insiders” communique. For those interested in the inner workings and tasks of (ISC)2 I’d propose an “ISC2 Insiders” communiqué, maybe in the form of a monthly or quarterly e-newsletter. Something of this nature would let curious members know about impending updates or programs, interesting projects, personnel changes and more. The logo changes, in my opinion, would have been a great example of a good insiders’ communication.
- Getting more personal. (ISC)2 is a nameless, faceless blob to most members. The board needs to lighten its iron fist with external communications, facilitate and encourage structured communication and let the members really get to know the people running this massive organization. When you put a face and a soul behind a directive, it’s more meaningful, and frankly it makes that dose of medicine a bit easier to swallow.
- Member Q&A meetings. I’d love to see virtual online web meetings with the board, and with the various committees and advisory groups; these would be closed and available to active members only. It would give the teams time to discuss projects, goals, objectives, and offer a conduit for members to ask questions. If not all questions can be answered, the comments are captured by the moderator and followed-up on later with the member(s).
- Various programs. I could quite literally write a small book on ways I think we can improve communication within (ISC)2. I’m going to turn my attention instead to the next question of transparency.
And now for the transparency part. At the risk of alienating a few people, I’ll say I firmly believe that many (but not all) of the transparency issues can be fixed simply with better communication. Many of the things I hear people complain about are based on incorrect information, inability to access the information, and/or a severe deficit of facts resulting from poor communication. Let me push aside those items that can be fixed with communication and we’ll say they’ll sort themselves out as communications improve. If we focus then on the remaining places where I think we need more transparency, I’d suggest starting with these tasks:
- Share early, share often. I don’t know the reasons behind it, but ISC2 is slow to share information to its members, and frequently news is hitting the stands before we (members) are privy to it. This ties closely in with communication, but I think ISC2 needs to let loose a bit and realize the importance of timely news to its members.
- Embrace conflict. Even if ISC2 is afraid members will disagree with a decision or a plan, it’s okay; we still need to share the message with them. Not everyone gets to have a say, but we can embrace the conflict by addressing it openly and letting everyone vent their frustrations, learn why the changes were made, and have a support system to move forward. If you look at other major companies, the ones rated with the highest customer loyalty are those that put programs in place to willingly listen to negative feedback and let the members/customers know at least their voices were heard.
- Take off the cloak. I have no clue what goes on with the (ISC)2 board, its committees or advisory councils, and I bet most other members don’t either. In fact, I don’t even know how many committees it has, who the chairperson is of each, nor how many members sit on the committee. (ISC)2 is a not-for-profit subject to strict guidelines and bylaws, but that’s no cause to conceal its daily operations. Members have a right to understand how the organization is run, and not be shunned by the board for asking questions around the subject. It’s time to take off the cloak and show the faces of all involved in running the organization. After all, the members elect the board. The board appoints the chairpersons, and the chairpersons (it’s my understanding) fill the committees with their own appointees. That’s a handy piece of information; by virtue of voting for the board of directors, you’re effectively using that choice to influence the chairpersons and committee members.
- Share more. Similar to share early, share often is share more. We know there are limitations to what (ISC)2 is allowed to share about members, member status, and ethics decisions. But, there’s no reason the organization can’t share sanitized, aggregated data. If you can’t publish the names, what harm would it do to publish the number of CISSPs that had their certification revoked due to an ethics violation last year? I’d like to find a way to share MORE data with members without compromising the privacy laws (ISC)2 is following globally. Again, we can do better here.
Lastly, I want to address a large issue you didn’t ask about, and that’s how to add credibility back to the CISSP and similar certifications. I’m adding it here, because I get asked this almost daily; how do we restore value to the CISSP certification? The question stems from the realization that applicants without the proper experience are earning the CISSP, the feeling that the CISSP has been marketed to the wrong crowds, and that there is no way to distinguish long-term information security professionals from a newly certified pro.
I don’t claim to be an expert in certifications, certifying bodies, or credentialing, but here are some ideas I’ve had, many of which are the result of conversations with peers and colleagues in the past 5 years or so. Thank you Austin, Mark, Jim, Rick, Tom and many others for sharing ideas and sparking thoughts.
- Create tiered certifications based on experience. Instead of only having an Associate CISSP and a full CISSP, perhaps we can demonstrate added value to both certification holders and employers by creating tiers based on longevity and experience in an information security role (or other specific portions/numbers of the domains). Perhaps a CISSP-I has up to 10 years of experience, while a CISSP-III has 30.
- Layer security clearances over the CISSP for added value to DoD consumers and certified members. (ISC)2 could add value with an option for background checks (by a 3rd party) for security clearances. Due to volume, the fees would be less than a typical background check, making it more affordable for the certification holder or his/her employer.
- Clarify professional experience requirements. I also think ISC2 should clarify the type of work that would qualify as being in the domains. For example, I’ve recently seen several examples of someone that was a PC bench technician for 2 of the required 5 years of professional experience. I tried to make a case for that falling in two of the domains, but I haven’t been successful.
- Enforce endorser ethics and implement some punishment or warning for endorsers that sign off on CISSP candidates that do not have the required professional experience.
- Outline certification requirements for HR groups and work with organizations to properly apply CISSP and other certification requirements for the appropriate job types. Too often, we see sales people or systems admins with CISSP certifications. They have every right to have the cert (as long as they have the requisite professional experience) but more often than not, they acquired the certification because some hiring manager listed it as a requirement when other experience would have been more appropriate for their job. If (ISC)2’s vision is to “Inspire a safe and secure cyber world” and the mission is to “Support and provide members and constituents with credentials, resources, and leadership to secure information and deliver value to society” then they/we should start here. Make sure the credentials and credential requirements are used for the greater good of organizations and society, and not diluted.
Richard Nealon’s response:
Same caveat that I said recently – this is not the view of either management or board of (ISC)2. It’s just the personal view of Richard Nealon, security professional.
As I see it, there are two parties to engagement. Both have to be fully committed, and there has to be open dialog between both sides. It’s never easy for either side, and we always have to continue to work to make it better.
I’d argue that while the board is elected by the members, it’s not their role to engage directly with the members. Their job, and the job that should be expected of them, is simply:
- To provide governance (fiduciary and oversight) to ensure the continued survival of the organisation on behalf of the members, so that value of their certification is maintained
Now this might sound very straightforward on first reading, but some of the tasks that align to that include:
- developing strategy to ensure the organisation meets the needs of the members and constituents
- managing executive management to ensure that they have challenging goals and objectives that align with strategy, and ensuring that they meet these
- ensuring succession for executive management and themselves
- agreeing organisational budgets and ensuring that these are managed tightly
- deciding on ethical issues arising
The dialog part (i.e. the issues that members have with the way that they think they’re served by the organisation) really needs to take place between the members and management. I know that you think I’m copping out here, but that’s the long and short of it. The board shouldn’t get involved in operational management – that’s why we have a professional management team in place.
I got involved with (ISC)2 way back in the late nineties, when I had sat an exam that had questions relating to the Rainbow books, the Boston fire regulations, etc. on it. I wrote to management at the time complaining that many questions on the exam had no relevance to an international candidate and didn’t get a response. I wrote again. I didn’t get a response again. I was introduced to an (ISC)2 volunteer who was involved in test development at a conference, and I backed them into a corner and let rip. I subsequently got invited to a test development workshop and became a volunteer from then on. I’m happy now that questions are international; that they’re a test of security knowledge and experience and not one’s ability to read complex English; that they are translated into many languages; that they are properly formed and not negatively phrased.
What I’m trying to say here, is that engagement has to be two-way. If we want to change the way the organisation works, we have to be prepared to get down and dirty. We have to be prepared to contribute, and we have to find a way to get our point across and make it sensibly.
There’s nothing to be gained by saying the same thing over and over again, in the same way, on the same channel, but just shouting louder. My belief is, that once they go past the age of two, it’s not my intention to spoon feed anyone. I’ll continue to support my charges through their teenage years, but once they reach adulthood they need to take personal responsibility and accountability for their actions.
How do we effect change at work – we build a business case, we justify the change, we suggest how it could be implemented, and we outline the outcome, and we present it to our boss. Sometimes it gets accepted, and sometimes it doesn’t (maybe because the time isn’t quite right).
My approach to this (and it very much depends on how strongly I feel about the change) is, either:
- let it go. It wasn’t the right time, and perhaps an opportunity will come around again, or
- look at the case, and see why it wasn’t accepted. See if it can be looked at from a different angle, or if there’s a compromise that might be acceptable, and start all over again
Not tell my boss that he’s a jerk, that he doesn’t know what he’s talking about, and go over his head. In doing so, I lose all credibility, and the next time I go to him with an idea, what’s going to happen?
One of the key ways for me to drive member engagement is to provide mechanisms for them to volunteer with the organisation at whatever level they are comfortable with. I feel that it’s only when we have personal time and effort invested that we really benefit. There are challenges in being able to manage this, but I’m really encouraged by the efforts of members all over the world in really getting involved in the chapters and working hard to provide a conduit for the profession as a whole in their local communities. I’m similarly heartened by the continued success and growth of the Safe and Secure program and its recent progress in areas of the world that are non-English speaking. Not only do these types of initiatives serve society, but for me they have the added benefit of engaging the members.
Communications have come up a lot in discussions. Yes they could be greatly improved. This is recognised by members, management, and board. All I can say to this is that we continue (all of us) to improve.
Transparency – vision, progress, challenges of the board:
Not quite sure how to answer this. Vision and mission of the organisation has changed in the last two years. However, in the immortal words of Michael Caine “Not a lot of people know that!”
It has been communicated. Yes, it needs to be communicated better. It needs to be reinforced better. We have to align our operational objectives to it. It needs to be embedded in our culture. Lots of work still on this one.
The thing that I found interesting in the recent debate was the ignorance (and I don’t mean that word in a bad way) of some of the detail that is available about the organisation by some of the most vocal critics.
The presence of the 990s; the fact that the (ISC)2 Foundation was a separate entity from (ISC)2; the change in the mission of the organisation away from ‘education and certification’ to ‘member focus’ – these all seemed to be news to almost everyone. This is all publicly available information, and yet we don’t seem interested enough to seek it out? The call for transparency is all very well, but there’s an argument to say that the organisation is fully transparent – just that folk choose not to look.
I’m personally happy with the new vision and mission. It means much more to me as a member and as a security professional. The old mission seems better aligned to a commercial organisation, whereas this feels good to me as a not-for-profit membership organisation.
In terms of progress, the board can’t really take credit for any of it. Management are the ones that drive the operational change that you see – chapters, CBT, the Foundation, new credentials, etc. The board simply ensures they have sound cases, makes the means available to them, and provides the ‘second set of eyes’ to make sure that they are using resources wisely, and meeting the hard targets and objectives set for them.
Finally, challenges for the board. I addressed this in a post to the forum last night.
- fragmentation of the profession into specialisations
- an ageing profession not being fuelled by young talent
- lack of gender diversity
- how (ISC)2 can best represent the profession
- what (ISC)2 have to do to be considered the go-to place for the profession
- how (ISC)2 can distinguish itself from the CISSP brand
- ensuring strong succession plans exist for board and executive management
Rik Ferguson’s response:
Of course the first part of my term as a member of the board of ISC2 is necessarily going to be spent familiarising myself with “how it looks right now”; there is little point in attempting to repair something unless you understand the nature of it. Hopefully that period will not be a prolonged one. I am a strong believer in the power of social networks, particularly Twitter; outcomes, when it is done right, can be both immediate and fulfilling. ISC2, it seems, is still rooted in emails for communication, and many of these, I am sure, go straight into most members’ trash. Very few of the current board members have an active social presence; with the vibrant and vocal security community engaging 24/7, that’s both an oversight and a shame. Most importantly ISC2 itself has to have ears as well as a mouth; listening to the membership is not something that seems particularly developed. Many members do not have time for local chapters or formal meeting structures, we are all busy security practitioners, so engaging with online communities and helping to generate more energy and pride in being a part of ISC2 is key.
In terms of transparency, there may be some strictures of which I am unaware (but would certainly fight to change), but I firmly believe that minutes of the board of directors meetings should be published and archived for members to review at leisure. Far too many organisations do not publish board meeting minutes, regardless of the fact that they are ostensibly there to serve the membership. I am certain that a fair percentage of the “image problem” that ISC2 suffers from is simply a result of a lack of communication, rather than a lack of will. Making public the beliefs and stances of the members of the board will not only allow their track records to speak for themselves, but also give more members an insight into where the organisation is headed and, crucially, why.
Of course I will have a lot to learn and the curve will be steep; there is far more to success with ISC2 than the two simple areas I have outlined. I will be there to listen and learn as well as to advise and to steer, and I will gladly make my views and decisions a matter of public record, in order that I may be guided by the membership itself.
Tony Vargas’ response:
Better transparency for (ISC)2 is something that I know Jennifer and I are both very passionate about. I believe quarterly operational review updates (similar to financial conference calls for public companies) would be one way to achieve better transparency for (ISC)2. The quarterly operational reviews would be video recorded so that anyone could watch them. I think a combination of quarterly reviews and video would help make (ISC)2 more transparent, which in turn would make members feel more comfortable with the organization. The quarterly reviews would show what programs are working and which programs could use additional member support. Members would be able to provide feedback to all of the videos and potentially may be able to provide questions in real-time. I believe it is hard for members to want to engage with the organization if they don’t know what programs the organization has created for its members, yet I believe these ideas would help with some of the transparency issues.
To further address the transparency issues, I’d work to set up a number of “Inside (ISC)2” videos of the people working at (ISC)2 to showcase their thoughts on the programs and challenges they face being able to provide for the membership. I think people seeing the people who work at (ISC)2 in a video would help bring a face to the organization. Also, (ISC)2 I believe consists of around 80 people. Eighty people to support an organization of over 90,000 members is a big task, and I think that seeing videos of the staff and the member projects they are working on will help make the members feel closer to the organization, which I believe will make the members more willing to work with the organization. I also would work to lead a set of “(ISC)2 Board of Directors videos” with the goal of helping people feel closer to the board. Additionally, at any conference I attend I would personally be open to chatting with any member about how we could make the organization better.
I believe that through better transparency, (ISC)2 members will want to become more engaged. I feel that it’s hard for people to want to work with and trust an organization if they don’t have a good understanding of the organization and its programs. I believe once people know more about the organization, how it works, programs it offers, initiatives, etc., (ISC)2 members will be more engaged to partner and work with (ISC)2.