My first year with (ISC)2

It’s been a year, and I thought this marked a great opportunity to revisit my positions of a year ago, when I was naive to the inner workings of the organization, and see if they’re still valid and in my cross-hairs.

During my campaign in the 2013 elections to serve on the 2014+ Board of Directors, I said things… things which are forever emblazoned on the interwebs and cannot be undone, or forgotten. Here, I hop in the time machine  and take a look back to a year ago, as I campaigned for your support, to see if my points are still valid, or if naivety triumphed.

I posted several articles, and answered several requests. Let’s start with the data collected from member Steve Werby on his site at http://justifiableparanoia.com/blog/2013/11/29/isc2-board-election-candidate-responses/.

Steve’s question to all candidates:

… Though a candidate’s platform is important to me, I am also very interested in member engagement and transparency and believe that these are areas of great opportunity for you and fellow candidates.

Would you mind sharing how you intend to engage the members of (ISC)² during your term? And how you will address transparency so that (ISC)² members have better visibility into the vision, direction, progress, and challenges of the (ISC)² Board?

My very long but (I hope) well thought-out response was this:
Current responses, updates are marked in green.

Engagement is a difficult one, only because I’m not yet familiar with the inner workings of (ISC)2 and the board. I want to be careful about promising what I will “do” and make sure the promise is of what I will push hard for, and changes and program I will advocate for. It’s important to understand how the machine operates before one starts turning its nobs. I also don’t want to promise a lawn mower can make you buttered toast.

The first part of what seems to be in the largest state of disrepair is the (ISC)2’s communications to and from members. With around 100,000 members worldwide, I understand the immense challenges of communications; language, culture differences, diverse concentration of members, variances in priorities by region, inconsistent expectations of appropriate levels of engagement and formality. All that being said, I think doing nothing is not the right answer. If the perception (or even the reality) is that (ISC)2 is more interested in its future certifying members than its current members, there are still myriad ways for (ISC)2 to better communicate with, listen to, utilize and engage with its existing, AMF-paying 90k+ members. Sure, we get press releases and member updates, but there’s no soul, no face, no personality, and no system in place (that I know of) for member requests to filter up to the directing board. Sending press releases and member announcements by email is more of an alerting system than a communication method. We members are screaming in the dark, and no one hears our cries. We can do better.

> 2015 update: I completely 100% still agree with this and continue to strive to resolve this. With the help of new teams within (ISC)2 including (and especially) Communications teams led by Felicia Johnson (Senior Manager, Global Communications), I think this is finally turning around, slowly but surely and steadily. Felicia’s team has a great zest and zeal and continues finding new ways to engage the Board, Management and Members for better TWO-WAY communications.

Good communication can fix a lot of things, but that communication has to be of high quality, interesting, consistent, meaningful and two-way. Obviously with 90k+ members, the communication has to be structured, but not necessarily formal. Here are some ideas on specific ways to improve communication:

• Monitoring the pulse. I envision something tiered that would include structured monitoring of online and in-person groups. That would include watching LinkedIn, twitter, Facebook, G+, forums (official ISC2-cert forums and maybe the top 1-2 unofficial forums per region).
  > 2015 update: I’m extremely pleased to say this was underway “BMT” (Before My Time) and as of late 2014, is going strong.
• Structured aggregated input. Plus, structured communication from chapters, regions, committee teams and any live gatherings at events; member receptions, conferences, social events. Also, a more difficult program but possibly the highest ROI, may be to have more formalized regional groups and ways for each region to communicate more closely with members local to them, and then of course filter and feed key points from those interactions back up to the board. This would be a bolt-on to the existing regional advisory councils.
  > 2015 update: This is in the works and I’d hope would be more fully developed throughout 2015 and 2016 as chapters establish their networks locally throughout the globe.
• Focus groups. Fully engage representative membership in focus groups and put in place a support system and communication process for them. I know (ISC)2 has a mechanism in place for this now, but I don’t think it’s communicated or explained well.
  > 2015 update: This is, in fact, in place to some degree and continues to grow as new Membership Director Erich Kron gets his footing in the organization. He and his team have been a great asset and I think the membership will continue to realize value through new programs and upgrades his team brings.
• Surveys, polling, trend analysis. That sort of intelligence gathering should be for the purpose of keeping a pulse on the active membership, acknowledging where there are member pain points, and facilitating a way to gather enough input to identify trends and member needs. All this would be in addition to updates to the more structured feedback systems – member surveys and polls, as an example. Most surveys are constructed completely backwards, and trending data is not kept or analyzed. I think that’s an easy fix.
• An “Insiders” communique. For those interested in the inner workings and tasks of (ISC)2 I’d propose an “ISC2 Insiders” communiqué, maybe in the form of a monthly or quarterly e-newsletter. Something of this nature would let curious members know about impending updates or programs, interesting projects, personnel changes and more. The logo changes, in my opinion, would have been a great example of a good insiders’ communication.
• Getting more personal. (ISC)2 is a nameless, faceless blob to most members. The board needs to lighten its iron fist with external communications, facilitate and encourage structured communication and let the members really get to know the people running this massive organization. When you put a face and a soul behind a directive, it’s more meaningful, and frankly it makes that dose of medicine a bit easier to swallow.
  > 2015 update: Again here, not only Felicia’s teams in Communications, but the full force of the organization has gotten behind this in 2014 – from introducing team members at events to featuring them in newsletters and in articles and quotes across media – the organization has really turned this around, in my opinion and I’m extremely proud (even though these are through no efforts of mine!)
• Member QA meetings.
  I’d love to see virtual online web meetings with the board, and with the various committees and advisory groups; these would be closed and available to active members only. It would give the teams time to discuss projects, goals, objectives, and offer a conduit for members to ask questions. If not all questions can be answered, the comments are captured by the moderator and followed-up on later with the member(s).
  > 2015 update: As it turns out, they do host Town Hall meetings. In 2015 and beyond I think the teams are looking for ways to extend the reach of the current Town Hall meetings to see if online mediums could be successful for members.
• Various programs. I could quite literally write a small book on ways I think we can improve communication within (ISC)2. I’m going to turn my attention instead to the next question of transparency.

And now for the transparency part. At the risk of alienating a few people, I’ll say I firmly believe that many (but not all) of the transparency issues can be fixed simply with better communication. Many of the things I hear people complain about are based on incorrect information, inability to access the information, and/or a severe deficit of facts resulting from poor communication. Let me push aside those items that can be fixed with communication and we’ll say they’ll sort themselves out as communications improve. If we focus then on the remaining places where I think we need more transparency, I’d suggest starting with these tasks:
> 2015 update: Dear Lord, How I still throw my passion to this cause…

• Share early, share often. I don’t know the reasons behind it, but ISC2 is slow to share information to its members, and frequently news is hitting the stands before we (members) are privy to it. This ties closely in with communication, but I think ISC2 needs to let loose a bit and realize the importance of timely news to its members.
  > 2015 update: I’m happy to say, due to recent changes in the orgqanization (last 1-2 years) this is definitely improving. Communications have been brought in-house, there’s more open dialogue between Board and Management and the result has been more frequent and more meaningful communication by way of blogs, articles and videos. I’m sure this trend will continue!
• Embrace conflict. Even if ISC2 is afraid members will disagree with a decision or a plan, it’s okay; we still need to share the message with them. Not everyone gets to have a say, but we can embrace the conflict by addressing it openly and letting everyone vent their frustrations, learn why the changes were made, and have a support system to move forward. If you look at other major companies, the ones rated with the highest customer loyalty are those that put programs in place to willingly listen to negative feedback and let the members/customers know at least their voices were heard.
  > 2015 update: We encountered the first major public display of this during the 2014 November elections, where the organization hosted a public, open, un-moderated LinkedIn forum to facilitate communication between candidates and members. Although in perfect reason, some members did necessarily take aim and practices of the organization, and we were able to have open dialogue without caution or moderation from the organization. Member feedback, negative and positive alike, is valued equally and highly regarded.
• Take off the cloak. I have no clue what goes on with the (ISC)2 board, its committees or advisory councils, and I bet most other members don’t either. In fact, I don’t even know how many committees it has, who the chairperson is of each, nor how many members sit on the committee. (ISC)2 is not-for-profit subject to strict guidelines and bylaws, but that’s no cause to conceal its daily operations. Members have a right to understand how the organization is run, and not be shunned by the board for asking questions around the subject. It’s time to take off the cloak and show the faces of all involved in running the organization. After all, the members elect the board. The board appoints the chairpersons, the chairpersons (it’s my understanding) fill the committees with their own appointees. That’s a handy piece of information; by virtue of voting for the board of directors, you’re effectively using that choice to influence the chairpersons and committee members.
  > 2015 update: Honestly we still have much work to do here. Most of what may be of interest is in the bylaws. I spilled the beans on a few topics in a recent podcast (see November in Year-in-Review), but we have a long way to go to effectively and pro-actively communicate our “doings” and “workings” to the members.
• Share more. Similar to share early, share often is share more. We know there are limitations to what (ISC)2 is allowed to share about members, member status, and ethics decisions. But, there’s no reason the organization can’t share sanitized, aggregated data. If you can’t publish the names, what harm would it do to publish the number of CISSPs that had their certification revoked due to an ethics violation last year? I’d like to find a way to share MORE data with members without compromising the privacy laws (ISC)2 is following globally. Again, we can do better here.
  > 2015 update: There are some interesting challenges in these spaces, due to the privacy laws of other countries which are, with rare exception, much more strict than those here in the US. That aside, we are constantly working to “share more” but understanding what specific items are of interest to the membership will be the next major hurdle. There’s a lot of data that can be shared; who wants to see what? I have my own list, but I think the Board and Organization needs to see YOUR lists.

Lastly, I want to address a large issue you didn’t ask about, and that’s how to add credibility back to the CISSP and similar certifications. I’m adding it here, because I get asked this almost daily; how do we restore value to the CISSP certification? The question stems from the realization that applicants without the proper experience are earning the CISSP, the feeling that the CISSP has been marketed to the wrong crowds, and that there is no way to distinguish long-term information security professionals from a newly certified pro.

I don’t claim to be an expert in certifications, certifying bodies, or credentialing, but here are some ideas I’ve had, many of which are the result of conversations with peers and colleagues in the past 5 years or so. Thank you Austin, Mark, Jim, Rick. Tom and many others for sharing ideas and sparking thoughts.

• Create tiered certifications based on experience. Instead of only having an Associate CISSP and a full CISSP, perhaps we can demonstrate added value to both certification holders and employers by creating tiers based on longevity and experience in an information security role (or other specific portions/numbers of the domains). Perhaps a CISSP-I has up to 10 years of experience, while a CISSP-III has 30.
• Layer security clearances over the CISSP for added value to DoD consumers and certified members. (ISC)2 could add value with an option for background checks (by a 3rd party) for security clearances. Due to volume, the fees would be less than a typical background check, making it more affordable for the certification holder or his/her employer.
• Clarify professional experience requirements. I also think ISC2 should clarify the type of work that would qualify as being in the domains. For example, I’ve recently seen several examples of someone that was a PC bench technician for 2 of the required 5 years of professional experience. I tried to make a case for that falling in two of the domains, but I haven’t been successful.
• Enforce endorser ethics and implement some punishment or warning for endorsers that sign off on CISSP candidates that do not have the required professional experience.
• Outline certification requirements for HR groups and work with organizations to properly apply CISSP and other certification requirements for the appropriate job types. Too often, we see sales people or systems admins with CISSP certifications. They have every right to have the cert (as long as they have the requisite professional experience) but more often than not, they acquired the certification because some hiring manager listed it as a requirement when other experience would have been more appropriate for their job. If (ISC)2’s vision is to “Inspire a safe and secure cyber world” and the mission is to “Support and provide members and constituents with credentials, resources, and leadership to secure information and deliver value to society” then they/we should start here. Make sure the credentials and credential requirements are used for the greater good of organizations and society, and not diluted.
• > 2015 update: I can’t quite (YET) speak to these items, but in Q1 2015, I expect some small updates that might be of interest to you.
  
• > UPDATE 17 Jan: New changes to the CISSP and SSCP have been announced, including the new 8 (not 10) domains of CISSP. I’ll be back soon to post links describing the process by which (ISC)2 as an ANSI-accredited certifying body must follow during the processes of creating and maintaining certifications. Suffice to say that the key items to note are that A) (ISC)2 staff does not come up with content or tests new certifications or maintenance changes to those items; they are developed through volunteer certified members, facilitated with 3rd parties; and B) the processes and procedures required of CISSP and the other ANSI-accredited certs is absolutely mind-boggling. Even having worked with manufacturers through Angoff procedures and verification in the past, I had no idea until this past year what all was involved. If you want to read more about the changes visit the FAQs at https://www.isc2.org/cissp-sscp-domains-faq/ and/or the blog post by new Executive Director David Shearer at http://blog.isc2.org/isc2_blog/2015/01/maintaining-the-relevancy-of-isc%C2%B2-certifications-cissp-and-sscp-credential-enhancements.html

 

So, in the meantime, I’ll keep pushing for the items on this agenda – those of Meaningful Communication and Increased Transparency primarily. If you have new ideas, feel free to share here, or hop over to the LinkedIn Groups and share there as well!

# # #