topic Re: Let a candidate ask the community something? in 2019 Board of Directors Election

Let a candidate ask the community something?

DavidMelnick — Fri, 06 Sep 2019 18:23:32 GMT

What do you think are the key issues the Board should tackle in the coming term. Help me understand what you think are the important challenges facing our community that the Board should attempt to address?

David Melnick, Candidate

Re: Let a candidate ask the community something?

jhamm1016 — Fri, 06 Sep 2019 21:04:59 GMT

I think a lot of us can agree that the infrastructure supporting ISC^2 should be the immediate priority. Myself, and tons of other new members are having issues with the SAML sign-on error when it comes to making payments, check cpes', or even check your certificates. I honestly think support needs to be bolstered to handle the large load of support requests coming in because of all of the issues since the adoption of the new system. I think between the drastic increase in AMF payments, and many people never receiving e-mail responses/having to call multiple times to resolve the different issues they are having, may have rubbed someone the wrong way as a result. I also think the board can be more clear as to what the issues are, an expected time frame to resolve these issues, etc.

Re: Let a candidate ask the community something?

DavidMelnick — Fri, 06 Sep 2019 21:10:40 GMT

Thank you for bringing that up. Clearly the Board can play a role in working with ISC2 management to prioritize investment in basic services. Perhaps increasing budgeted staffing around this area. Seems to me that providing these types of basic services to our membership should be one of the easier problems to tackle.

Re: Let a candidate ask the community something?

jhamm1016 — Fri, 06 Sep 2019 21:11:57 GMT

It is not to say that ISC^2 support isn't outstanding, it is! I just can tell they might be a bit overwhelmed.

Re: Let a candidate ask the community something?

denbesten — Fri, 06 Sep 2019 22:00:16 GMT

@DavidMelnick wrote:
What do you think are the key issues the Board should tackle in the coming term.

Ensuring the Certificates remain relevant in the industry -- Possessing a CISSP needs to remain recognition that the holder has experience and knowledge and is a person "worth listening to".
Ensuring members get value from holding the certificates. Be that opening career paths, assisting with continuing education, facilitating peer-relationships (e.g. chapter meetings and the online-community), etc.
Ensure that our membership money is efficiently spent and that it results in member benefit to the greatest extent practical.
Promote transparency with the members. I don't just want an annual report full of self promotion, I want to know both the good and the bad. I want the successes and the struggles. Regularly published board minutes (redacted as needed) would be a good start.
Reduce friction in maintaining a certificate. Today, that friction shows up mostly in poorly automated processes with awkward user interfaces, failure to consider border cases (e.g. certificates can not be renewed until after they expire, causing job-issues for some members) and arbitrary limitations (e.g. can only pay AMFs 60 days in advance).
Relentlessly streamline processes and don't be (too) afraid of altering policy to improve implementability. For example, A CISSP who subsequently attains a CCSP or SSCP should automatically skip the endorsement process because there is no added experience requirements to validate. Getting these people out of the queue will only speed the lines for everyone.
Remain engaged with the membership on this community not just as a campaign strategy, but keep it up even after we have elected you to the board.

Oh yea, welcome aboard the community. Glad to have you here.

Re: Let a candidate ask the community something?

DavidMelnick — Fri, 06 Sep 2019 22:20:24 GMT

Wow that was awesome. Ok a couple of observations from your thoughtful list:

we have a theme developing around efficient/streamlined basic services;
you raise the tough problem that really should take up much of the Board's concern, i.e. ensuring relevancy of your Cert in the marketplace increasing both earnings, reputation and role of holders; and
a passionate topic for me around Board Governance and Transparency. Clearly a basic responsibility is financial and strategic oversight, but the point about transparency is a topic I am personally passionate about. Historically there has been a great deal of resistance to transparency. Without trying to get at all the reasons/motives, the bottom line is we should be as transparent as possible and releasing the board minutes would be a very minimal step in the right direction. You definitely have my commitment to pressing transparency in all the board activities. We need to do better on this front.

Thank you for the comments. And I encourage all the candidates to jump in here and share their points of view on these topics.

David Melnick

Re: Let a candidate ask the community something?

AlecTrevelyan — Fri, 06 Sep 2019 23:02:32 GMT

Welcome to the community, David!

I think mine have already been covered, but they’re worth reiterating:

I think it’s fair to say that meaningful interactions between the standard members and the board / executive team are few and far between. These seem to be limited to times when you want something from us, like votes! Or when we need something from you, like action on issues we’re facing as members.

How do we change this so there is continual, meaningful dialogue between us all? (ISC)2 is supposed to be a member organisation, but most of the time it doesn’t feel like the members have any voice and that needs to be remedied.

At the risk of sounding like a broken record, I believe one of the major challenges will be repairing the organisation's tattered reputation after the debacle of the digital end-to-end transformation programme. This has been nothing short of disastrous from the first flawed CPE portal “upgrade” through to the latest flawed AMF portal “upgrade”. Embarrassing. Very, very embarrassing.

Finally, there’s a large problem starting to build up that will affect the reputation of the organisation’s flagship certification. That being, since the change to the CAT version, the calibre of some of the individuals able to pass the exam is incredibly low. I have had the displeasure of interacting with some of these individuals and I’m telling you they and their crackpot notions of security are dangerous. Every email they send where they proudly boast those five initials after their name while expressing some of these alarming views is a nail in the coffin of the CISSP.

Re: Let a candidate ask the community something?

jhamm1016 — Sat, 07 Sep 2019 00:13:35 GMT

^I agree with a lot of what you are saying, but I think you are doing a lot of people, including myself, a disservice when you are saying there is a lower caliper of candidates directly correlated to the CAT exam change. I and others in my position have bitten the bullet and done the months of studying and multiple attempts to pass the exam. As someone who has taken the traditional test and new CAT, I can assure you the difficulty is still there. You are going to see more passes because the target audience has been expanded, and just because someone earned the credential does not mean they can pass an interview. That has always been the case with any certification. As the security field grows in popularity, the crop of candidates is going to expand. You are going to have a few great security professionals and a slew of terrible ones.

Re: Let a candidate ask the community something?

AlecTrevelyan — Sat, 07 Sep 2019 07:39:38 GMT

To be frank, the difficulty was never really there. It's a multiple-choice, generalist exam that tests for a shallow level of knowledge across a fairly broad set of security disciplines. Any potential difficulty came from the broadness which typically required most people to have to learn new things to cover the domains in which they had no experience. That's not my concern though.

I see the bar having been lowered mostly in relation to the length of the test. When it was 250 questions and potentially going to be a 6-hour marathon, that would put off all but the most determined. I know the CAT version is supposed to allow a person's level of understanding to be more quickly ascertained so there is supposedly no need for 250 questions. However, due to this, people now think they can finish the exam within an hour so more people are willing to attempt the exam - especially if the cost is being borne by someone else like their employer.

When you factor in test taking strategies, the fact the knowledge level required is fairly shallow to start with, a greater willingness from more people to take the exam due to the shorter length, and the fairly lax endorsement process, you end up with hordes of people passing who are just devaluing the certification. Also, in terms of passing an interview, it's often the biggest charlatans that perform the best in those.

Prior to the CAT version, I had the utmost respect for the knowledge and capabilities of all of the CISSPs I knew. I can no longer say that now.

Re: Let a candidate ask the community something?

DavidMelnick — Sat, 07 Sep 2019 17:27:49 GMT

With the conversation on the exam, I dont want to loose sight of your comment regarding ongoing communication/engagement with the Board and Member or the ongoing ability for the Board to be able to take into consideration the thoughts of the membership. There has not always been an easy way to gauge the point of view of the membership. Perhaps there might be a way to get regular feedback from a broader audience, e.g. running surveys/polls on key questions/decisions facing the Board? However, the broad membership isnt always willing to volunteer there time (they have busy jobs with lots of responsibility and may or may not even take the time to respond to an issue). Curious your thoughts on the tools/techniques which could allow for ongoing engagement by the 100k+ membership?

Re: Let a candidate ask the community something?

chuck_kesler — Tue, 10 Sep 2019 03:30:55 GMT

Hi All! I'm another board candidate jumping into the fray here. First, thanks David for posting this question! It was very similar to the question I was thinking about posting when I jumped into this discussion board for the first time yesterday morning. I hope you don't mind me tagging in here.

And thanks everyone else for the great feedback that you've provided. Your comments are very much in line with my own personal experiences as an (ISC)^2 member for the past 8 years, and align with the reasons I wanted to run for the board.

Here are a few points that I want to amplify from the discussion:

Streamlining processes and improving the user experience for members. Many may only interact with (ISC)^2 once or twice a year to renew their membership and update CPEs. This process should be as painless as possible. (I wonder how many people end up dropping their certifications and memberships simply due to frustrations with maintaining them.) Improving user experience is a space that my current employer works in, so I hope that I could bring some of what I've learned from our product managers to this discussion.
Making sure that the value of our certifications remains high. Sadly, many other CISOs and senior-level security professionals I know have been intentionally letting their CISSPs and other certifications lapse because they no longer see value in paying the dues to maintain them. I believe there are multiple facets to this problem, not just that the perceived value of the certification is lower because more people are capable of getting it, but also because they are not seeing a personal return on the investment from their membership dues. I'm not going to claim to have the answers to this problem right now, but it is something that I strongly believe needs to be closely analyzed by (ISC)^2 management and the board to ensure we are on the right track for delivering value to members.
Transparency and engagement are also key for me. I've been on both sides of this issue before - as a member of organizations that lacked these attributes, and as an executive or board member of groups that were striving for it. I understand how a lack of transparency and engagement by leadership can poison the well for an organization, with the resulting distrust causing unnecessary friction that can prevent the organization from reaching its goals. While fiduciary responsibilities may not allow full transparency on some sensitive matters, I would strive for as much openness as possible. I would also commit to being engaged with the (ISC)^2 community through as many channels as possible, starting with being active on these message boards. I will acknowledge here the "one voice" challenges mentioned on another thread; I do not interpret this as something that would prohibit me or any other board member from engaging with and capturing the feedback, concerns, and questions of the members.
I would add to the above one additional concern that I've heard from others: making sure that (ISC)^2 certifications and programs are designed to recognize the needs of the international community instead of being focused on the US.

I'm also fairly certain that the management and the current board are all acutely aware of the above issues as well, so I don't mean to imply that they are not already digging in to try to solve them. I'd simply like to add my shovel to the efforts.

Thanks again David for starting the conversation, and to everyone reading here for considering me as candidate for the board!