Not sure this is the right place for this discussion...but, as a member of ISC2, I'm a bit skeptical of the work being done by the "Center for Cyber Safety and Education."
I understand that ISC2, as a nonprofit, needs to a charity/public service function, in order to maintain the tax status. I agree that working with kids may be a good avenue for ISC2 to fulfill that requirement.
I am not sure the message we've chosen is optimum. Or that we're delivering anything of substance.
Case in point: the latest member email from the Center. The Subject line was: "Bullying rates up 35% from 2016." Now...I have no idea what that means. Nothing about that topic was included in the email itself. The source wasn't mentioned.
And I can't imagine a useful, specific metric for assessing "bullying"-- sure, I can easily assume that what was really being measured was "survey responses about bullying." Maybe more kids reported being bullied between 2016 and 2019. That's possible-- it's hip to be a victim right now. But does it accurately portray the amount of "bullying" that is happening? Did any of the survey respondents mention that they did the bullying? Did the increase in both metrics go up? (A spike in bullying would suggest both an increase in victims and bullies...unless the same number of bullies are doing 35% more bullying per capita...which kind of should be lauded-- I mean, they're working much harder than they used to, way back in 2016...maybe we should study them, and figure out how they're able to be much more productive than they were just a couple years ago.)
What is "bullying"? I've seen many definitions...and none of them seems to distinguish between, say, "bullying" and "critique." Do we want young people to be less critical? Do we want to reduce the ways they communicate, and what they talk about? Would this be considered a manner of chilling free expression?
What is our desired outcome, here? Teaching kids not to be "victimized"? What, exactly, does that mean? Stranger Danger in an Internet age? Not losing all their data to people they don't know? (That ship has sailed-- as adults, we've already ceded control of all our electronic information by tacitly allowing total surveillance of our online activity to our government and other entities-- do we expect children to behave differently?)
As members, what do you think about the Center and the efforts toward "helping" young people? Honestly, I could see more value in teaching them to use anonymizers, VPNs, and proxies to be "safer" online than in teaching them that some types of expression are "bad."
We could do worse things to keep our organization's tax status...but I think we could do better, too.
Thank you for your comments. I’ve asked our Center team to provide additional insight into the great work they are doing to help keep kids safe online.
I would like to address one point you make, however. (ISC)² is recognized as tax-exempt under 501(c)(6) of the Internal Revenue Code. This designation is utilized for the exemption of business leagues, among others, which are not organized for profit and no part of the net earnings of which inures to the benefit of any private shareholder or individual. Trade association and professional associations, like (ISC)², are business leagues. Under this structure, (ISC)² can conduct its certification and association activities, which furthers our mission to certify and support cybersecurity professionals around the world, but it may also conduct charitable and other 501(c)(3) activities. However, 501(c)(6) organizations may not receive contributions deductible by donors for tax purposes.
(ISC)² recognized this limitation and chose to create the Center (formerly the (ISC)² Charitable and Educational Foundation) as a separate but controlled fund specifically exempt under 501(c)(3) to conduct its charitable and other 501(c)(3) activities so that such work may receive contributions deductible by donors as charitable contributions. This allows members of (ISC)², and the general public, to better support the Center’s initiatives and possibly receive a tax benefit for their contributions. While this a benefit for the Center, it is important to note that the creation of the Center, in and of itself, is not specifically a requirement under 501(c)(6) of the Internal Revenue Code. Rather, the Center is organized to carry out this charitable and educational work, including the development of its educational programs, scholarships and research to ensure people across the globe have a positive and safe experience online.
I’ve asked the Center team to add their thoughts and share some of the amazing progress they are seeing with their lessons and volunteers around the world.
I hope this helps clarify the difference between the non-profit status of (ISC)² and the Center.
Thanks
Jarred
Hello Ben,
I am sorry for any confusion our recent email may have caused, and thank you for the opportunity to clarify a few things about the work we are doing at the Center for Cyber Safety and Education. We believe we are making a major impact on making people safer online and would enjoy the opportunity to share with you and other members more about our programs and the results we are seeing and hearing from teachers, parents and members.
The research we quoted in the last email we sent to members was not done by the Center, but rather the Cyberbullying Research Center. You can find the complete study at https://cyberbullying.org/school-bullying-rates-increase-by-35-from-2016-to-2019. It is our practice to list where stats come from and this unfortunately didn’t get included in that email. I apologize for the confusion and we will do our best to make sure that doesn’t happen again.
You mention that we as “adults have already ceded control of our electronic information” and I wouldn’t argue with you on that. While we at the Center haven’t given up hope on adults, we recognize that there is a great opportunity ahead of us to change that path for the next generation which is why we have a heavy focus on educating children about these very topics when they are just starting their connected journey.
I hope you and others will take the time to look over all our outreach programs at www.IAmCyberSafe.org and will help us in our quest to make it a safer cyber world for everyone. Please let me know if you have any questions or need additional information.
Pat
Thanks, Jarred-- that does help clarify quite a bit. But it does bring up additional questions, such as:
- If not because of regulatory mandates, what was the reason for creating the Center? PR?
- Did the Board make this decision (to both create the Center and the Center's purpose)? I don't remember it being up for a vote of members.
Thanks again!
Thanks, Pat. Having the source is really useful. I found it particularly interesting that "cyberbullying" rates have only minimally changed from 2016 to 2019 (although the source, again, leaves the term undefined), but in-school bullying is the cause of the headline:
"In 2019, over half (52.3%) of students said they had been bullied at school in the past 30 days, compared to 38.6% in 2016 (a 35% increase). In addition, almost one-third (30.4%) of students said they had bullied others at school in 2019, compared to just 11.4% in 2016."
Sounds to me like the problem is traditional schooling (as it often is), not so much online predation.
I'm interested in hearing more about the goals of the Center, though. I have looked at the various websites/content offered in the past, and couldn't quite sort it out. I'll take a look at the link you mentioned, and hopefully resolve some of my misapprehension. Thanks again!
The real number to focus on is ONE. If one child is bullied that is too many. If one more child takes their life because of being bullied, that is too many. If we can keep one child from becoming a bully, that is a victory.
Since we launched the Garfield program in October of 2016, he has helped us deliver over 100,000 safety lessons to children around the world. That is in addition to our programs for middle school kids, parents and seniors. All designed and delivered by (ISC)² members to help teach cyber safety basics that can help protect themselves and their families.
Our goal is to make is a safer cyber world and we can only do that one person at a time.
Thank you, Patrick. That's laudable...if not necessarily practical. In security, we no longer go for the "zero incident" goal, simply because it's neither statistically achievable nor a proper allocation of effort/resources. For instance, if our goal is zero child fatalities, motor vehicles pose a far greater threat to kids than suicide (https://www.cdc.gov/nchs/data/nvsr/nvsr68/nvsr68_09-508.pdf [see Table 6 for causes of death, by age]). I don't think we're going to recommend children completely avoid riding in motor vehicles.
As far as preventable goes, maybe we should work with schools to ban sports. Every year, school-aged children die in sporting activities (63 high school kids in 2017: https://nccsir.unc.edu/files/2018/09/NCCSIR-35th-Annual-All-Sport-Report-1982_2017_FINAL.pdf).
But no, I get it: going to school and playing sports are perceived as "positive" activities, and therefore worthy of incurring risk (including risk of child death)...while "bullying" (which includes as-yet undetermined specific activity) is perceived as a negative activity, and therefore not worth the risk of even one child dying.
Purely emotionally, that's an appealing outcome. But I think it's worth asking (because of our industry): how do we know that the work we're doing is achieving that outcome? What metric are we using? How do you measure the success of a program intended to "make...a safer cyber world" or assist children to "protect themselves and their families"? How do you measure suicides that haven't happened?
It's a tough subject, and the deaths of children are not to be taken lightly. That's all the more reason we should give the matter the seriousness it deserves, which includes defining the problem, charting causation, conceiving solutions, and testing outcomes, in a rational, scientific manner, avoiding the use of fear and panic as motivators. All of which is exactly what our members do, as practitioners, in the security industry, when addressing threats, risks, and incidents.
So the Center has been doing this work for 10 years, and "over 100,000 safety lessons to children around the world"-- what are the results we've ascertained? According to the 2018 Annual Report (https://www.isc2.org/-/media/ISC2/About/Leadership/Annual-Reports/2018-Annual-Report.ashx?la=en&hash...), ISC2 members have funded the Center, at $600,000 per year since 2016. Have we used some of that to test the efficacy of the program? Again-- how do we measure success?
The goal is great. I don't mean to sound as if I'm denigrating the intention. But when I get an email with a Subject line that seems designed to conflate the reality of the situation and induce fear, that chafes against my nature as a practitioner and a human being. And using photos of smiling kids and a cartoon cat to somehow suggest we're meeting the goal of eliminating situations where "one child is bullied," "one more child takes their life because of being bullied," "one child from becoming a bully," seems flippant, dismissive, and not affording the proper weight and approach to the issue.
@Ben_Malisow wrote:Thanks, Jarred-- that does help clarify quite a bit. But it does bring up additional questions, such as:
- If not because of regulatory mandates, what was the reason for creating the Center? PR?
- Did the Board make this decision (to both create the Center and the Center's purpose)? I don't remember it being up for a vote of members.
Thanks again!
Hi Ben,
as a board member that was present when these decisions were made, I'm happy to clarify this.
The Center (previously the ISC2 Foundation) was created, with the approval from the board, to run programs such as Safe & Secure Online, the scholarships, etc. It was clear that the membership wanted to give back to society in a variety of ways and a 501c6 is not set up to fulfill such a mission. Rather clumsily the board also became the board of the foundation. This was not ideal for several reasons:
(1) The board of ISC2 is composed of security professionals. They are not necessarily invested in charity and more importantly, they don't volunteer for that role. Additionally, a primary role of a 501c3 director (or trustee) is fundraising. Not every ISC2 board member has the network, bandwidth, or resources to serve that role. This basically became an inhibitor for the 501c3.
(2) Especially in the US, 501c3's are often created as tax vehicles. I could easily create the Wim Remes Foundation as a 501c3 and dump a chunk of my taxable income into it. To prevent that, there are some IRS rules that put limitations on how much can be contributed. The Foundation being so heavily tied into ISC2 meant that it was restricting itself. Running it as a separate entity altogether and rebranding it as The Center, under the expert leadership of the late Julie Peeler and now Patrick Craven made it much clearer to communicate. Installing a board of trustees that understand their responsibility to raise funds and are invested in the goal of the center in and of itself also was a sensible step in that process.
(3) Today The Center largely runs independently with some shared resources (HR, Finance, etc.) with ISC2 for efficiency's sake. The board of trustees reports on a quarterly basis through the chair of a dedicated committee. Where the center used to rely only solely on donations from ISC2 (restricted in amount by IRS rules), they now have built relationships with a broader set of donors that are equally invested in its mission. I believe, but am not certain, that there is at least one ISC2 board member on the board of trustees at all times.
I hope this clarifies some of the questions you asked.
I am not an expert on bullying but I agree that some mailings bear the traits of standard marketing that may not be appropriate for a charity. Then again, as a regular donor to The Red Cross, I often receive emails titled "XXXX people die of diarrhea every day". I guess that getting the attention of possible contributors to a charity (in kind or financially. Volunteering for Safe and Secure Online is awesome btw!) is a particularly slack rope to walk.
Thanks, Wim-- this explains so much, and I'm very pleased to see those questions addressed. I really appreciate you taking the time to lay it all out; I don't think I remember seeing anything clarifying these topics either at the time of creation, or up until now.
And yes, you're probably right about the marketing schtick; getting past the eyeballs in the Inbox has got to be a tough job. I'm probably a bit jaded when it comes to this stuff (especially because of our field).
Thanks again-- this was extremely insightful and useful.