topic Re: My personal thoughts on AMF increase in Member Support

My personal thoughts on AMF increase

wimremes — Sat, 26 Jan 2019 16:13:27 GMT

As I've been asked questions through different forums recently, I decided to write down my personal thoughts in long form here : https://www.linkedin.com/pulse/isc2-fees-price-being-professional-wim-remes/?published=t

I am not a board member, I do not speak for the board, I do not speak for the organization. Everybody is free to reach their own conclusion and decide accordingly. I just thought my perspective could be helpful to some.

Cheers,

Wim

Re: My personal thoughts on AMF increase

CraginS — Sat, 26 Jan 2019 17:12:37 GMT

Well thought out and good words, Wim ( @wimremes ). Thank you.

One point you make deserves discussion here: you said (ISC)2 does a poor job of communication. Actually, it does a TERRIBLE job of communicating.

The process for changing the rules and amounts for AMF should have been open in the lead up to a board vote, with the membership notified of financial situation, and what the board would be considering. As it happens I think the payments should have been in advance, not in arrears, all along. I never understood that part of our process. The need for an increase, and discussion on the necessary or advised level of increase would have been in open discussion among the membership prior to a board vote.

Re: My personal thoughts on AMF increase

wscarano — Sat, 26 Jan 2019 19:43:21 GMT

Agree with CraginS, there should have been member involvement not only with price increase but the decision to cut the exam time in half.

I mentioned to an ISC2 friend recently that I felt the past few years ISC2 is focused too much on revenue. Case in point:

1. Cut exam in half making it more palatable for people to approach the exam - more people taking the exam is more revenue.

2. I've noticed many articles the past few years where ISC2 is teaming with education providers to create the myth that there is an enormous shortage of qualified people for security jobs. By enticing people about the huge number of opportunities more revenue is realized.

3. I've been receiving a lot of spam the past few years from ISC2 about hundreds of cost savings for things I'll never use. The emails are identical to AAA discounts, AARP, and every other association. I'm not a CISSP seeking to get discounts for merchandise. How much revenue is realized by this marketing partnership?

4. Raising our rate 50% while describing all the benefits we can utilize. What if we don't want to use them? We're again paying. What revenue is realized by partnerships? Also, it's mentioned conferences like Congress are a benefit. I've worked on the financing for conferences and if they are smart they always make a profit. So we shouldn't need to raise the rates if conferences make a profit.

We need transparency and stop cheapening the certification with every marketing scheme tried by most corporations.

Re: My personal thoughts on AMF increase

wimremes — Sat, 26 Jan 2019 21:11:27 GMT

(Replying to both of you in one post)

On communications ... it is not that simple. ISC2 has very good people that definitely do not suck at communications. Fact is that a large part of the membership (the majority) chooses not to communicate with ISC2 apart from logging into the portal, pay their AMFs, and submit their CPEs. If there was some kind of referendum, it would be a small vocal minority that would call the shots. If ISC2 had followed, as an example, the process used for Bylaws changes, it would also be a small vocal minority that calls the shots. This minority would also be very US-centric, disregarding especially our APAC and LATAM colleagues. With the board, you at least have representation for all regions. Against all assumptions, the board - first and foremost - represents the interests of the membership as a whole. I can, in all honesty, say that even the slightest allusion to the contrary would be massively unfair. So, I disagree with you that an open discussion would have yielded better results.

Becoming a member of ISC2 is significantly easier than managing the membership. Billing in arrears was a choice made in the past and definitely not the best choice. However, turning that around comes with huge risks and isn't just flipping a switch. Over the past 3 years ISC2 overhauled all its back-end systems, including accounting and member management systems. In another forum I've referred to sticky prices. The increase and change to upfront billing, probably should've happened years ago but doing that would have been more expensive than what it would add to the member management budget.

On the exam time reduction, your representation is severely underinformed. This is most likely, again, the result of a lack of communication from the organization. ISC2 introduced CAT, Computer Adaptive Testing. This doesn't only make the exam more difficult to cheat at, it also ensures for better testing thus resulting in higher quality certified professionals. More importantly, the use of CAT reduces the number of items (questions) exposed to exam takers. Exam items, for a certification organization, are the single most expensive items on the books. If there was one big driver behind the move to CAT, and as a result the shorter exam time, it was this.

I work as a virtual CISO with a number of clients. The lack of security talent is not a myth in my humble opinion. If you have data to the contrary, I am happy to take a look at it.

The member benefits is also something I've brought up in my post I believe. I think it is a good idea but the implementation can definitely be improved on. the PDI (Professional Development Institute) that was announced last year is something I eagerly look forward to.

Yes, ISC2 should keep a closer finger on the pulse of the membership. They do have the tools now so there are few excuses left. We're a very diverse bunch and what counts as a benefit for you might not be the same as for me.

I again strongly disagree with your points about a pure commercial approach. As a board we always have, and I'm sure the current board continues that practice, asked "why is this good for the membership?" on every decision. I'd encourage every single member to engage with the organization. Through the local member management representation, through ISC2 management, through the board. This organization exist for and because of us.

Re: My personal thoughts on AMF increase

MikeGlassman — Sun, 27 Jan 2019 14:40:48 GMT

You make some excellent points, but I can't help but not disagree with some of them.

My main one would be your final sentence in which you state that the ISC board always asks/asked "Why is this good for the membership?".

There is nothing I can see in this move to increase the cost of the AMF's which is good for the membership. Very much so not for this member for sure.

Perhaps it's good or even great for those who have more then one certification and now only have to pay one cost to maintain them all, but for those of us with one, it has no meaning and is in fact enough to make me rethink whether remaining certified is worth the cost.

I have been a great stander upper for the ISC since I got my certification in 2004, but I have not seen a return in value that I expect from an organization of this type. I hear of less people looking for ISC2 certifications where in the past it was highly sought after. I know of far fewer people who are maintaining there certifications after passing the exam these days as well.

I for one, was also sadly let down by the split of the US based conference. There are a lot less topics of interest, and this as well as the cost for me is already making me look at alternative conferences and no longer come to the ISC ones.

As a whole, the past few years have not shown an improvement as far as I am concerned.

You did make good points though.

Re: My personal thoughts on AMF increase

Early_Adopter — Sun, 27 Jan 2019 14:42:56 GMT

@Coming to this a bit late, as I spent a few months not being particularly bothered, but Wim is pretty sensible on this.

to point to Wims post - the increase in AMF is pretty much in line with other certification professional membership bodies(I’ve more than one certification with ISC2, so I guess it benefits me, so I’d probably be supportive anyway). I’m not sure why there is so much wailing and gnashing of teeth on this one(one you get over sticker shock - maybe some A/B testing on the site would help there) it does seem that the profession is pretty well paid, and folks ISC2 do not seem to me to be taking a purely commercial approach, it’s NPO status’s covered by Wim would seem to preclude that. There are people working full time and they do need to be fairly compensated for their time, they need health plans etc, and they might want a holiday - so personally I’m comfortable with the increase.

Maybe we should look at options to address the concerns of members who have issues paying the AMF or indeed the exam fees.

Communications wise I feel it’s OK, I gave feedback in October, it was considered and some changes were made for it and they got back to me.

On the CISSP exam - frankly CAT overall makes it harder to pass as you see less questions so there are less cribs to helpfully jog memory... Glad I didn’t have to sit the CAT test when I wrote the CISSP. Good confirmation of knowledge does not need to be an endurance test, and probably shouldn’t be.

Re: My personal thoughts on AMF increase

wscarano — Sun, 27 Jan 2019 15:27:59 GMT

CYBERSECURITY SKILLS SHORTAGE SOARS, NEARING 3 MILLION

https://blog.isc2.org/isc2_blog/2018/10/cybersecurity-skills-shortage-soars-nearing-3-million.html

If there was really a shortage there wouldn't be unicorn job postings and MBA Cybersecurity graduates wouldn't be coming to my meetups asking how they can get work. With a three million shortage I would be developing plans to bring my company to $100 million in sales and compete with the likes of Cognizant with an eye on making billions.

1998-2001 were the best. (Had to delete link because error msg: invalid HTML).

Re: My personal thoughts on AMF increase

wimremes — Sun, 27 Jan 2019 15:53:59 GMT

Oh, I agree when it comes to that. Based on the survey more than 80% of those reqs would exist in APAC, which isn't really relevant for EU and US job seekers. Claiming 3 million based on a survey of (maybe?) 15k respondents is also not statistically honest.

Re: My personal thoughts on AMF increase

CISOScott — Mon, 28 Jan 2019 14:03:31 GMT

Remember that a cyber-security skills shortage doesn't always mean an open job position. There are plenty of people in "cyber-security" or "IT" jobs that are woefully under skilled in cybersecurity. When you view it like that, you can see why the number is so high.

Re: My personal thoughts on AMF increase

Early_Adopter — Mon, 28 Jan 2019 15:29:17 GMT

I think that we may see a few waves of automation come in and dent that, and take up some of the easier to describe roles fairly soon, so first line SOC Analysts should probbaly look to add some esoteric niches that are not so worth training learners or creating automated playbooks. Of course with every new idiocy/outrage there comes a push to do something so who knows - devils advocate - maybe three million is conservative? On thing I can conclusively point to is folks in data protection would really like to involve a lot of their own workforce in remediation, which broadens the term of what a security role is or can be.

I’d suspect recruiters in countryies could provide more accuracy/ better data:

https://www.barclaysimpson.com/security-market-report-2018

Asia is special case, numbers of people are large, throwing bodies at problems is quite common even though a lot of people are trying to get away from that. Two million is a lot, However there are some data points that support this ballpark:

http://www.atimes.com/article/chinas-plan-massive-cyber-warrior-expansion/

If India, ASEAN, Japan, Korea and Aus/NZ needed about the same as China in the Tencent report states, then it’s plausible.

Re: My personal thoughts on AMF increase

emb021 — Mon, 28 Jan 2019 16:54:10 GMT

Agree.

Admittedly, a good deal of my issue with the so-called "skills gap" is anecdotal, my issue is its being played as across the board for all kinds of cybersecurity positions.

I will accept that in SOME markets for SOME types of jobs, there is a lack of talent, but to play it as being the same everywhere is wrong.

Too many people are being sold on this idea, and spending time and money to become cybersecurity trained and then finding there are no positions. Or no one will hire them because they have no experience. Then you got wags claiming we should just pull people from outside of cybersecurity to fill the gap. Uh, what about the folks who are NOW in cybersecurity looking for work. Hire those people FIRST before you start pulling from outside.

Also, a lot of us see just bad job postings. Posting that are looking for people with the skills/experience of 3 people, or wanting someone to do the job of 2-3 people, or wanting a senior-level person from an entry level position (and entry level pay).. And some companies really don't know what they want or what they should pay. There is information out there on that. So they turn away or ignore talent, leaving positions open for months, or offer below market rates and don't understand why they can't fill positions. I know from personal experience positions that went open for months when 2-3 qualified people applied, sometimes were interviewed, and none hired. Don't tell me there was a lack of talent.

Re: My personal thoughts on AMF increase

emb021 — Mon, 28 Jan 2019 17:14:52 GMT

Overall I thought your posting was good.

I think that too many in our industry don't understand what it takes for certifications to be valued and what they have to do in terms of having that ANSI approved cache. I've seen this with new people getting CompTIA certifications, and then being shocked that they now need to pay an annual fee and do CPEs to maintain their certs, some saying its just a money making scheme. Not understanding that for their certs to be valued and respected, they need to be ANSI approved (the DOD won't touch them if they aren't), and that required the org do stuff, including CPEs, and the like that costs money, hence maintenance fees.

I understand the need to increase fees. I've seen this with other orgs which have held off on increasing fees/dues and then being forced to increase and the jump is large. What I don't like is how it was handled. I pay $150 a year for 2 certs. The switch over should have been that instead of paying $150 this calendar year to pay $125, and nothing more. But instead it seems that I am being asked to pay something like $235, which I don't understand. Just poor way of rolling it out.

Re: My personal thoughts on AMF increase

rslade — Mon, 28 Jan 2019 18:47:37 GMT

> wscarano (Viewer III) posted a new reply in Member Support on 01-27-2019 10:27

> If there was really a shortage there wouldn't be unicorn
> job postings and MBA Cybersecurity graduates wouldn't be coming to my meetups
> asking how they can get work.

Absolute agreement.

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
Power corrupts. PowerPoint corrupts absolutely. - Vinton Cerf
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://is.gd/RotlWB

Re: My personal thoughts on AMF increase

steinarna — Tue, 29 Jan 2019 15:41:06 GMT

This was a good summary and I agree with you.

Re: My personal thoughts on AMF increase

wimremes — Thu, 07 Feb 2019 10:31:50 GMT

I'm not an expert on statistics but if you have 15.000 respondents on an online questionnaire, extrapolating a need of 3 million people globally is likely, to say the least, statistically dishonest. I'll have to dive deeper into the report to determine what led to that number being the leading statistic. It would be interesting to see a more detailed analysis through a series of blog posts or webinars.

Re: My personal thoughts on AMF increase

emb021 — Thu, 07 Feb 2019 16:21:55 GMT

Have to agree.

Am bothered by these claims of a 'skills gap'. Too often it seems people aren't willing to dig into the causes. Many companies can't fill roles. Heck, have seen this in my area. Is this due to lack of talent, or is it due to other causes, such as the company having unrealistic job postings, unrealistic expectations, and in many cases ignoring or passing over qualified candidates? I know in a few cases in my area companies trying to fill infosec roles for months when they passed over/ignored several qualified candidates. There is no excuse for this. But to claim its due to a "skills gap" or lack of candidates is misleading.

Re: My personal thoughts on AMF increase

paolomiranda — Sun, 24 Mar 2019 16:49:59 GMT

Having handled Memberships before, I understand the difficulties in managing this area and can only imagine the greater difficulties in doing this on a global scale. I do believe that the communications and collaboration could have been handled better. Maybe involving the local chapter leaders and members earlier on in formulating the new fees and other major changes could have resulted in better buy-in from all stakeholders. Some transparency on how the new fees were arrived at would have also been good. In addition, the fees could have also been structured in a better format that would offer benefits to multiple credential holders without a huge impact to single credential holders as these form the majority of members based the latest member credential counts.