@JoePete Health of the association does seem to be taking a hit, I think that ISC2 is probably not putting in enough effort to enhance and sustain certifications Forensics/Healthcare, and perhaps as well as looking for a mass market true cookie cutter that still provides fifty buck per year AMF. I do see ISSA taking more of lead in the UK, but ISACA and IAPP also seem to do grassroots professionals better.

I've quoted Paul's planner/roadmap/chart here previously, and I think the one super striking think certification takers should look at is the number of listings asking for Security+, SSCP and CC are far behind on a linked in job search, and while ISC2's approach to exams works well at the more advanced level. I concur that they are not nailing it with CC, maybe not even with SSCP though that does resonate better with folk wanting a junior SoC analyst etc.

I think that your reading is correct, but I feel that ISC2 won't be able to break Security+'s gold standard as a to do this to get into the industry, it's to you point riding on CISSP's recognition but probably ceding that ISACA in some sense and even perhaps to CompTIA for it's CASP+.

Three decades ago, eh? Maybe they'll pull up a sandbag or two for crusty old kippers like us, moldering up on the shelf, long past our best before, just waiting for the AIs to get all badged up and replace our functionality... 😛

@Early_Adopter wrote:

@JoePete Health of the association does seem to be taking a hit, I think that ISC2 is probably not putting in enough effort to enhance and sustain certifications Forensics/Healthcare, and perhaps as well as looking for a mass market true cookie cutter that still provides fifty buck per year AMF. I do see ISSA taking more of lead in the UK, but ISACA and IAPP also seem to do grassroots professionals better.

---

Yes, another sore spot may be abandoning the specialized certs for the entry level. But this returns to the question of (ISC)2 health and how the current board defines it. It is interesting that we had more than a $10 million jump in administrative expenses for 2022. This strategy seems rather costly.

Yes other organizations do good work. CompTIA has always done a great job certifying specific skill sets, especially toward the entry-level employee, and, as you note, ISSA and ISACA carry plenty of water in this industry. Howevver, our current strategy seems to say "we want the whole pie" of certification. Very little of our management is in the security industry, and for that reason, maybe they misread the ethos that is distinct to our profession. It's evident from the moment you step into any con and observe the standard of fashion and hygiene - appearances are secondary (maybe even tertiary) to substance. That also describes how we view our certs; we want them to vouch for someone's capability to do the job. Experience and endorsement are huge in that regard and were founding principles of the (ISC)2.

One of the other issues at work is that as the membership grows less experienced professionally, we will have fewer people with board or senior management experience. Those of us with gray (or no) hairs who have spent time in board rooms, have a good sense of how to facilitate or correct direction. As we become diluted, the ability of the members to responsibly shepherd the organization may be diluted as well.

So while there are some governance and ethical questions we each must weigh, I'd also caution that these dovetail with our 501(c)(6) nonprofit status (i.e. finances). Experience really does matter, especially in the board room. While someone might present a convincing argument in a limited context, you need the experience to look at all the contexts.

@JoePete Concurrence.

Ten million dollars is very significant forgive my ignorance here - does it break down what it was for? Is there a link to the audited accounts for general consumption? What did the previous set of accounts look like?

Anyhow - horses for courses, the landscape is what is, and I can't see ISC2 pushing the water uphill and back time Vs CompTIA, ISACA, SANS et al, or if it did they'd need to sell a lot of tickets going to happy, swiftly employed C'n'C holders.

Edit: Adding the link to the 2022 report: ISC2-Annual-Report-2022.ashx

---

@Early_Adopter wrote:

 

Ten million dollars is very significant forgive my ignorance here - does it break down what it was for? Is there a link to the audited accounts for general consumption? What did the previous set of accounts look like?

---

Audited financial statements in the 2022 Annual Report:
https://www.isc2.org/-/media/ISC2/About/Leadership/Annual-Reports/ISC2-Annual-Report-2022.ashx?la=en

And if you look at the reports over several years, you can discern the patterns of things. Financially we have ample resources ($110 million or so in net assets) and prior to last year, we were churning out net revenue gains pretty easily. On one level, I like that our revenues and expenses are closer to each other now, but I also note that we cut the Security Professional magazine and seem to be constraining expenses in other member benefit areas. This all gets back to the perception of a shift in the organization. Change is both natural and inevitable. I just wonder how well we looked before we leaped. Seemingly small decisions can have huge consequences - arguably that is one of tenets of what we all do for a living.

@gidyn

With the best will in the world, I'd rather be fair to candidates than to certifications...

The point when comparing a certification is to gauge its utility to holders in the marketplace right now, as folk would be getting an entry level certification to help them with a job in the industry right now, rather than a in a few years.

Comparing the data on job adverts as it is now Is really the best objective metric we have now, right demand wise it doesn't look ready to recommend to someone with limited time and money as their first entry level certification.

Now that might change "in a few years" - let's take three as an example, could it be on par with the Security+? We'll find out, but I think very unlikely as first mover advantage has long gone and Security+ is very dominant there. SSCP has been around for a while and still doesn't have anything like the pull - and you get the benefit of an ISC2 member endorsing your experience.

I'm not sure is having a large candidate pool with the cert(around 15K right now, approx 100% YoY growth, which is impressive) will affect this. On two polls maybe hiring managers will embrace it, or maybe the supply will kill the demand. let's revisit a year or two?

Some considerations from OpenAI:

Yes, candidates may have legitimate complaints if they believe that their scores were inaccurately calculated or if there were discrepancies in the reporting of their results in a computer adaptive test (CAT). It is crucial to have reliable scoring procedures and transparent reporting mechanisms in place to address such concerns and ensure the accuracy and fairness of the scoring process.

Here are some considerations related to scoring and reporting in CATs:

Scoring Algorithms: CATs use sophisticated scoring algorithms to determine a candidate's final score based on their responses to the adaptive test items. These algorithms take into account the difficulty level of the questions answered correctly, the number of correct responses, and the overall item response pattern. It is important that the scoring algorithms are well-designed, validated, and align with the intended scoring objectives.

Calibration: CATs often employ item calibration techniques to establish the difficulty levels of the test items. Calibration involves analyzing the performance of a large sample of test takers to determine the relative difficulty of each item. Proper calibration helps ensure that the scoring is fair and accurately reflects the candidate's abilities.

Transparency and Explanation: Candidates have the right to understand how their scores are calculated and how their performance is evaluated. Test developers should provide clear explanations of the scoring process and reporting methods, including information on how item difficulty and response patterns are considered. Transparent reporting helps candidates understand their strengths, weaknesses, and areas for improvement.

Quality Assurance: Regular quality assurance measures should be in place to monitor the accuracy and consistency of the scoring and reporting process. This may involve conducting statistical analyses, reviewing item performance, and ensuring the integrity of the scoring algorithms.

In the event that candidates have legitimate concerns about the scoring or reporting of their CAT results, it is crucial for test administrators to address these concerns promptly and transparently. This may involve conducting a thorough review of the candidate's test data, engaging in a dialogue with the candidate to understand their specific concerns, and taking appropriate actions to rectify any identified issues.

Overall, the scoring and reporting processes in CATs should be designed and implemented with the utmost care to ensure accuracy, fairness, and transparency in evaluating candidate performance.

---

@gidyn wrote:
Considering how long CC has been out, it doesn't seem fair to compare the number of job listings to well-established competing certifications. Give it a few years, then you can compare.

---

That is an excellent point, but it is nowhere in the marketing that has been distributed to these individuals. To the contrary, it is been promoted as instant entry in the cybersecurity profession. It doesn't seem to carry anywhere near that weight currently, and even a few years down the road, I'm unsure it will.

Some humor, and a dash of inaccuracy here and there with this video, but there's some nice editing and I think it illustrates the point well for today's Zoomers breaking in, with a US bent:

https://youtu.be/YeWYlp9JP6g