I understand that this post is long-winded and probably TLDR for some. If you are an ISC2 certificate holder or was one in the past, I would encourage you to read this as it hopefully has a lot of insight into how the organization runs. This is my first year being on the board of directors for ISC2 and I’ve held off a little bit before posting anything related to it, changes, or what I see as a member myself. I want to first thank everyone for voting for me at the beginning of the year and trusting that I will help change things for the better within the organization. In the past there has been a lot of negativity towards the organization and most specifically the CISSP.
I think a lot of this comes down to communication. Before joining the board, I really had no idea what ISC2 did, why I needed my CISSP (or other certs from ISC2), or why was it even relevant to me. That’s unfortunate because I think having open communication with members is extremely important as well as the benefits for having a certification through ISC2 and maintaining it. Now that I understand how to operate and work within the board, expect much more of these posts on how things are progressing and what the other members are doing.
Simply put, the current team on the board is absolutely amazing and I hope this doesn’t come off as me taking credit for their hard efforts. Each one of the members is such a contributing force and it’s great to see a team as passionate as I am about doing the right thing. I am still a board newbie and I have a lot to learn. I have to say Wim Remes as the board chair has been one of the best things from an experience standpoint on getting things done; I hope he continues at the end of the year as the board chair. The following post isn’t what “I’ve done” but what the board and the team at ISC2 has done together and what we plan on doing in the future.
What ISC2 Can’t Do.
Let’s be clear here: I’ve seen some pretty outlandish claims on what people expect from ISC2. Having a ISC2 certification isn’t going to solve world hunger or create the united federation of planets or bring balance to the force. The ISC2 organization is a certification body that is member run. It’s limited in what it can do but at the same time, it’s endless what we can do as an organization which is exciting. It’s easy to complain that it isn’t perfect when you aren’t spending your own personal time to try to fix it.
What is and isn’t a CISSP
What it is: A CISSP is a base-entry certificate that verifies your experience and ethics within the security industry. It ensures that you have ethics very similar to something of a bar association and stay in good standing within the organization. It provides employers the ability to verify experience, ensure consistency through CPEs that you continue to learn, and have a base understanding of security. One thing we actually approved during this board meeting was re-verification and testament to ethics upon CISSP renewal. One loophole was that ISC2 would review a person’s ethics upon requesting to take the CISSP test but not upon renewal. When renewing, you’ll be presented with the same questions as before to ensure you are in good ethical standing. What’s also interesting is that the ethics committee as part of the board reviews each and every case to ensure that ISC2’s reputation is protected but also to give folks a fair shot at giving a CISSP even if they have had issues in the past.
What it isn’t: An OSCP, a SANS certificate, a technical certificate, a golden ticket to being the most amazing hacker in the world. Calling a CISSP something it isn’t and claiming it needs to be more technical or have XYZ is very myopic. If there are changes that need to be made I am all for that, but we need to recognize as an industry what its intent, goals, and value are to you and to employers. A certification doesn’t make you an expert in the field. Technical certifications such as OSCP demonstrate your ability to learn and adapt based on understanding the fundamental concepts. The CISSP is much different than a technical certification and it shouldn’t be considered a comparable certification. They both serve different purposes and functions. The CISSP attests to your years of experience and base knowledge of general security principles, not a micro focus in a specific area.
The CISSP isn’t your one and only solution to progressing your security career. It’s a base way to validate your experience within the industry and continue your progress moving forward. When I started my career one of the first certs I got was the CISSP. I continue to renew my CISSP every year and will continue that based on it being the base of when I first started in this industry. The question is, how do we maximize an ISC2 membership not only with the CISSP, but with other certifications and memberships to be a better benefit for the members?
It’s also not just about the CISSP. ISC2 has a number of certifications and ISC2 as a whole is looking at what that means and the best way to reach people with quality certifications and improve.
What it means to be a board member
It means that I get to be one voice of many for you. The member. It means that I get paid zero for a ton of extra work to try and make it better for you. It means that four times a year I have to travel away from family in order to meet on the strategy and operations of the company. It means that through the entire year, I have bi-weekly calls, deliverables, committee meetings, and constant review and progress checking of the organization. While this might sound like a complaint or rant and a lot of work (and it is), it’s rewarding because what I get out of this isn’t monetary, it’s giving back to the security community which has sustained my family, kids, and me for a number of years. My entire career has been dedicated with the mindset that if you continue to do the right things and help anyone you can, good things in return happen to you and to those around you. With starting DerbyCon, to the 18 open-source tools that I wrote, the 2am Skype sessions helping people learn, or participating on the board, I will always continue to help this community to my very end. That’s my reward. I wanted to share the initial video that I sent when I was nominated to the board for when I was under consideration to be nominated, and I still hold true to all of these and will continue this forward.
I’m proud to help out, offer my advice, listen to members, and try to make things better – even at the own sacrifice of my time and effort. I’m only one member of countless others who do the exact same thing (and way more). What I can say is that the folks who are on the board, including chairman Wim Remes, get it. They understand what needs to be done all the way through the organization and we are moving as fast as we can to make being a part of ISC2 as meaningful as possible. One thing I am not – is above anyone else that is an ISC2 member. We are all equals and I happen to be a voice for you, a member of ISC2.
I am a member of ISC2.
Our primary task as board members isn’t to implement things or focus on tactical aspects of the business. Our task is to be a voice for the members and focus on strategy to maximize the benefits to our past, current, and future members. This was a hard one for me; in the very first board meeting I wanted to do X and implement Y and focus in on the nitty gritty of the business. I had to take a step back and realize that my role isn’t to do this but to provide direction. I am co-chair on the strategy committee which helps direct and guide ISC2 and its mission. I work closely with the chair Jennifer Minella, Kevin Charest, and Wesley Simpson (Chief Operating Officer) and the other strategy committee members to develop the strategy not only for the current year but for the next three. Jennifer and Wesley are by far the most fantastic people I’ve gotten to work with. Jennifer is one of the main reasons we continue to drive forward within the group and she literally and single-handedly keeps us all together, focused, and working towards one common goal. I recently brought on Chris Gates to the strategy committee (work in progress) to help with advising as a non-voting member and plan on bringing a few other folks that I trust to continue that.
The executive team at ISC2 also presents to us the status of ISC2 from all different areas of the business, everything from the information security program at ISC2 to the financial stability of the company. We get to see the overall health of the organization and the numbers behind what that means. We get to see the progress of areas that we require the team to do, and we get to have an executive session to let David Shearer know how he’s performing and our expectations as representing members of ISC2. The relationship between the board and the team over at ISC2 is very healthy, friendly, and accountable, with great dialogue – and we hold nothing back. Most importantly, it’s actionable with things.
My Experience from Q1 board meeting to Q3 (now)
I’m writing this sitting inside the Singapore airport after just finishing the Q3 board meeting. When I first landed in the Q1 board meeting, I didn’t say much and kind of let it all sink in. There were already established roles, relationships, and ways of doing things, and I wanted to understand all of this before making opinions or suggesting sweeping changes. To my surprise and to the opposite of what the community was portraying, the board ran extremely well (this wasn’t always the case – far from it based on prior history), people got along, and the leadership team running ISC2 from the CEO down was spot on in what they wanted to accomplish with ISC2. That doesn’t mean agreeing with how everything was being done (we’ll get into that), but it was a good sign that I would be able to work with people in order to accomplish awesome things here. Fast forward to Q3: I’ve developed friendships with each of the board members and the executive team and have trust in them completely. I had someone recently say to me on Twitter, “I’m thinking about running for the board of directors because I want to help change an organization that seems to be ‘completely set in its ways’”. I can say that this – while it may be perception – is far, far from reality. The organization is continuously changing and evolving in a way that is both uncomfortable, risky, and best for the organization.
Not everything is perfect. This board meeting, we talked about how we as board members are not doing enough and frankly doing a lot of manual process. Lots of things are still overly confusing, and especially as a new board member; something that I brought up was a way to better explain things to people new to being a board member. We are a very functional board with a lot to still accomplish. In order to facilitate that we need to be better organized as board members and hold each other accountable. Wim brought this up and expects all of us to do our part and to perform. We sent a formal review of how to rank each board member on performance and ensure that each of us are doing what we were elected to do. This is due for us on Q4 and something where we will hold each other more accountable and ensure we all do our part. One thing I love is working with Kevin Charest – he is probably one of our most vocal and outspoken individuals of the group (when he needs to be and which is a noble trait).
Things that are coming
The biggest news is that we have been working with the executive team on a project called “DETE”, the digital end to end revamp of ISC2 online presence. This is a massive undertaking that will literally and fundamentally change ISC2 and its members for the better. The current web infrastructure is 10+ years old, clunky, and not what we should expect from ISC2. Looking at analysis from the site, most members only log into the ISC2 portal when AMFs are due or when updating their settings. It’s not something that individuals ever log into in order to see how things are progressing, or a central part for their career. We are aiming to completely change that.
What DETE will provide:
1. Ability to facilitate communication with members on what’s happening. This is one of the weakest areas of ISC2 today. Members have no idea what the AMFs go to, why they need to renew aside from it being a market standard, or what they can do to help or drive the organization. A good example of this: I recently saw a tweet online where emails were going out almost daily for Frost and Sullivan surveys. This is excessive, annoying, and something that shouldn’t happen. The board needs feedback from the members because we are members too. With this change, it’s also a direct way for you as a member to communicate with ISC2 and the board, and a way to facilitate dialogue and communication about things you are and I aren’t happy with.
2. The ability to track your career progress through ISC2 and open up a collaboration between job openings, positions, and opportunities for recruitment through the ISC2 network. I think it’s important finding talented people and being able to leverage a massive million+ network.
3. The ability to foster a community of people in the information security industry to work together based off of their skill-sets. Creating designations within the portal to allow people that are offensive, defensive, GRC, PCI, or whatever your focus is to share research and collaboration together in a central area.
4. The ability to better track where you are, simply your experience, and make sure you understand where you are career progression wise.
5. Provide an easy to member benefits. Did you know that there are a ton of places where you can already receive discounts just by being an ISC2 member? I didn’t. Everything from technology discounts all the way to cyber insurance, there are a number of organizations that provide extremely large discounts and can save you and your company money just by being an ISC2 member. This will continue to expand, but a simple way to identify all of these discounts that you get as a member.
6. The ability for us as board members to get large amounts of metrics in order to make decisions to better serve you. Right now we have no idea why people log into the site, how happy they are, what things ISC2 can improve on, and what can be done better. The whole purpose of this new system is to adopt agile practices and shift ISC2 from a more traditional development shop to be able to rapidly release features and things that you want. Of course I already suggested a full review of the SecSDLC process and a full bug bounty program and ways to reward folks on the security side for contributing =)
7. Additional content and material; webinars, podcasts, newsletters, access to cyber ranges and more. One central stop for you to get the information you need.
8. Provide the ability to do CPE’s directly through the DETE portal. This means that if you haven’t had the chance to visit a conference, or be able to fulfill the CPE requirements, you can take online knowledge learning in order to complete these.
9. Join or replace fragmented systems for members as well as ISC2 internally. Think of this as a way to integrate all systems together in cohesion and make the experience both from an organization perspective and member perspective.
10. ISC2 mobile apps and better technology integration. As mentioned, the old system isn’t anywhere near cutting it. This needs to change and will.
These are just a few of many things to come; the above examples are the most exciting to me that I think will really help its members. We approved it at this board meeting and have been working on it since Q1 to get expectations, delivery, and protection around. We recognize how big of a project this is and need to make sure its 100% successful to its members. We’ve been heavily involved as board members in the development, requirements, and understanding of what members want out of their ISC2 membership. The DETE program is designed to address a number of the main concerns. There is a ton of working documents, a full massive document and implementation strategy for DETE, presentations, analysis on best integration into ISC2 and its members, and more; this isn’t something small, this is a large restructure of how ISC2 operates and for the better.
One thing that resonated with me in the board meeting from David Shearer was his comment when presenting DETE. The statement to the board was around how ISC2 could continue doing the status-quo, keep the same systems, and keep providing what they currently do and the organization could stay steady and do the same things. Instead the team will continue to push the envelope, make it better, and ensure its success. David knows the importance of DETE and to the overall success of ISC2. He also knows we will continue to hold him accountable for the progress and success for not only DETE but ISC2 as a whole.
A few other things. We got to see the new welcome package for new members; while it may seem small, having a packaged product and something that is visually appealing when you have just passed your first certification is rewarding for all of the time and effort you put into it. Sometimes it’s the small things that make a difference.
There’s also discussion now around structuring content for non-ISC2 members as well as providing more content to our members. The ability to help the community is really what the mission for us is.
What I’m working on personally:
One of the big ideas I introduced in Q1 and have requested feedback on from a number of members thus far was the ability for designations within the ISC2/CISSP realm. There are a TON of great certifications out there; for example, the ones that I hold highest still to this day are the offensive-security courses (OSCP, OSCE, etc.). Not just offensive, but also defensive ones as well. Folks that are QSAs, ISO certified, IR handlers, researchers, coders, and more. I think those should be recognized within your ISC2 portfolio and designations assigned to help focus your profession. I’m working on a presentation and document that I’ll share with everyone to present to the strategy committee first (which I am the co-chair on) as well as the board for Q4 on my recommendations. My goal is to have designations on top of the CISSP that allow businesses to determine their focus and skills quickly while providing a much needed backing to the CISSP. For example, having an OSCP plus years of experience as a pentester could give you an “Offensive” designation (don’t quote me on the words yet), so more of a CISSP-Offensive with having multiple designations. Maybe having a SANS defensive cert or even years of experience in a given area allows you a CISSP-Defensive or Expertise designation so you can hone your skills and show progress. This would be validated by ISC2 and reviewed to ensure you meet the qualifications and allow you to stay relevant in those areas.
For me, I would love to read a resume and show relevant experience associated with the skills that I know I’m good at. This doesn’t mean it will be implemented or will be done – it is still an idea and needs to be vetted out and pushed through the members to see if it’s a good idea. In addition, with integration with the digital end to end (DETE) project, it would be easy to identify/relate with others, job opportunities, and the ability to grow as an ISC2 member as you grow individually in your profession.
This isn’t just a CISSP thing either, ISC2 has a number of other certifications and great ones that continue to expand. Most folks know ISC2 from the CISSP but there are a number of other certifications that provide recognition and credibility based on level of experience and ability to go through the examination process. My goal is to focus on that progress and how to better build strategy around how to leverage existing certifications and new ones to better promote your knowledge and expertise. More to come on this soon, and I’m excited about it.
Lastly, I’m soliciting feedback from members on what they want and what I should focus on. Feel free to add to that dkennedy [at] isc2.org. What are you expecting from me?
Did You Know…
…that the ISC2 organization isn’t just doing things for members? They have programs for training our next generation of kids, have exclusive rights in INFOSEC for Garfield, and are trying to reach our youth to make things better. As someone who focuses heavily on teaching at high schools, colleges, and more, this for me is an amazing program and I know Allison Miller on the board continues to do amazing things with that program and working on making it even better. Visit https://safeandsecureonline.org/ for more information on how to get involved. She also brings a lot of rationality and ideas to the team which is so important. Something Jason Kent brought up to Wim and me at the ISC2 Congress in Bangkok was the ability to leverage training material to actively go out and get involved in this program and teach kids as CPE’s. This will be something that I bring up soon to see if it’s possible. I think it’s a good idea – we just need to figure out how that works into the ongoing learning program.
The chapters continue to thrive and have some amazing leaders, and I met a few of them in Singapore. It’s great to see healthy security communities and folks from all over. We do recognize some changes to the chapters in the form of better definitions and expectations of them, and we’re working towards that.
Not just a U.S. thing
My view is limited coming from the states; one of the great things I’ve learned in this process is getting perspective on other regions and their challenges – areas like Brazil which are still in the early stages of information security all the way to China which continues to expand in the information security population. One thing that is clear is that we need folks that represent the globe, not just within the United States. We have a number of folks from all over the world representing almost every major continent and economy. It’s great to get perspectives from these different areas and learn from one another. ISC2 has to continue to focus on reaching people in all areas of the world.
This takes time
These things take time for an organization to move and address. David Shearer, the CEO at ISC2, reports directly to us as members. They understand the importance and the struggles you have. The ISC2 organization prior to me coming aboard did some amazing things and continues to. One of the things was term limits to allow “new blood” and members to come in the board and provide fresh perspectives much like I’m trying to do. Understand that the first year for me is really about learning and trying to figure out how best to serve the members. I fully expected the members (and the community) to hold us accountable when we don’t provide. If you collectively decide I’m not doing my part, I would fully step down in a heartbeat and not think twice about it. My benefit and reward is trying to make a difference and make things better.
This is on you too
We represent you. Without knowing your pain and struggles and without you communicating them, we can’t fix them. If you are unhappy with ISC2 then change it. Email me anytime at: dkennedy [at] isc2.org. I can’t promise the world, but I can promise you we’ll look to see if we can do it. For those that don’t feel like we are doing a good enough job, step up and run to change things. As a member, get voted in and make a change like we are. I expect you to be critical of us, and let us know when we aren’t doing what you expect from us. We are here representing you.
Sorry for the long-winded write-up
I thought it was important to show you that we aren’t just sitting in a room and debating about things. We are actually getting things done and most members don’t see the hard work and effort everyone at ISC2 and the board members provide. One thing I can say is that when I joined I was skeptical, but after knowing what I do now, I have so much confidence in the direction of ISC2 now more than I ever have. I have the upmost confidence in David Shearer, the CEO of ISC2, his team, and the direction we are taking from the organization. Thank you all for having the confidence in me, and you should be seeing some amazing things coming soon. Expect more of these and how we are doing on progress. I owe it to you to keep you apprised of what is happening inside of ISC2. Please note that this takes a significant amount of our personal time, away from our families and our businesses. I hope people understand what all of us sacrifice in the board in order to help the greater community, and I hope instead of complaining, people can step up and make a change themselves. I am happy to call out inaccuracies when they are public, and feel free to call us out anytime you see us slipping. We’re in this one together.
I know some of you remain skeptical and that won’t change overnight. I expect that to change with time, and that’s all I’m asking for. I promise to continue on with communication and how things are progressing and hope you find this valuable for you.
Thanks for reading, and look forward to hearing from you. What I can say is I’m proud to be a holder of the CISSP and a member of ISC2. I hope you are, or will be soon.
This message was written by Dave Kennedy – CEO of TrustedSec, Binary Defense, and Board of Director member at ISC2
Author: David Kennedy
Security expert, keynote speaker, avid gamer and the go-to for protecting companies from threats.