Very good, Sir!
As you noted, expectations are not being managed properly, and that is antithetical to how cybersecurity professionals should manage their clients, customers, and co-workers. (ISC)2 has set a very high bar for how cybersecurity practitioners perform their craft and communicate with their stakeholders, yet they are not practicing what they preach.
To tell your customers that a task of 4 to 6 weeks' duration has been elongated by stating that "...due to a system upgrade, we are currently running closer to 8 weeks." is unacceptable on many levels:
Forgiveness may be forthcoming, as I noted in my post, but true admission of the root cause is a prerequisite (and the upgrade, however poorly implemented, can never be called the root cause). In my decades of experience, the root cause analysis frequently traces back to a person, or people, either not doing something that they should have done, or doing it incorrectly. Further examination reveals this to be a training issue. A lack of training, or improper training, is ultimately the responsibility of the leadership. That is where root causes live.
With that said, I'd rather not invest more effort to get them to justify what happened in the past; of more interest to me is the current state and their future intentions. Thus, if (ISC)2's leadership will take a moment to explain the steps they've taken - and are going to take - to permanently resolve this, and just as importantly, to regain the credibility they lost, I'm listening.
the root cause analysis frequently traces back to a person, or people, either not doing something that they should have done, or doing it incorrectly..
The focus of root cause is best limited to reducing the likelihood and/or impact of future occurrences. Figuring out what went wrong only matters to the extent that it furthers this goal. In what I consider to be a healthy environment, root cause stops at a faulty process, equipment failure, poor configuration, etc. It does not take that final step of identifying a person to blame. That is counterproductive because it creates hostility and a CYA atmosphere. Although the technicians often know whose fingers were on the keyboard, a name should never make it into any report and the blame should be shouldered at a much higher level.
Calling out individuals (or even small groups) is best left to accolades.
In general, I agree with you. There is a reason why it is a good leadership practice to "reward in public and reprimand in private." Otherwise, it can indeed be "...counterproductive because it creates hostility and a CYA atmosphere," as you pointed out.
In my world of government contracting, an exception to this policy often manifests. While stopping the RCA at a "...faulty process, equipment failure, poor configuration, etc." may be sufficient toward "...reducing the likelihood and/or impact of future occurrences," it would not satisfy the legal or contractual requirement of identifying the person, or people, who are responsible, accountable or both. Thus, the root cause analysis is performed as part of an investigation, along with the collection of evidence.
In a private entity, or a government organization where a small transgression has occurred, the investigation may end with a reprimand, or better yet (in my opinion) training. A more serious or costly transgression, or one with a public impact, may end with dismissal, unless a civil tort or crime has been committed (whereupon I reach out to my counterparts in the agency's police department.)
In my world, when something with a larger financial, operational, or reputational impact occurs, dismissal is the least of a person's concerns. As an outside consultant, with a law enforcement background coupled with strong technical knowledge, I'm sometimes brought in to conduct these investigations at federal agencies and/or clean up the mess. Depending upon the evidence that my team collects, a report to the agency's Inspector General, or a Congressional Hearing are potential outcomes. Thus, when we perform an investigation (which includes a root cause analysis) on behalf of one of my government clients, we do "name names."
Each of us may have a different take on the seriousness of this problem, and how much the delays have cost us in terms of non-reimbursable expenses, or a lost job opportunity, so we'll each have to consider this issue in light of the ramifications we have - or have not experienced. Personally, my wife and I came to the realization that we'd be absorbing the cost on this one, and I'm fortunate enough that I'm in a position to do so. I'm not happy about it, nor about the fact that my annual leave (which also would have been restored) is gone forever.
I don't expect (ISC)2 to make amends, so I'm not going to sue them. However, I would like them to:
Of course, they're under no obligation to do any of these things, and I won't cancel my membership if they don't. I do depend on my certifications to earn a living, and even though my wife wants me to retire, I'll be earning more as time goes on.
I understand how it can be confusing, especially with the situation that you were in specifically. Let me explain a little further here to let you know why there is still a wait. All applications, including CCSP applications where the applicant is already a CISSP, go into a queue and are reviewed in the order received. We are reviewing this process. To be fair and consistent, we process/review applications in regard to certification in the order received so that no one application is handled ahead of one that has been in the queue longer.
While CISSP members that are earning the CCSP do not have to complete a full endorsement application, there are some applicants that have been waiting the full eight weeks and we cannot jump over their applications. As you know, we must make sure that we are reviewing the applications completely and verifying individuals' records.
I appreciate the response. Interestingly enough it is almost word-for-word the same as the email I received from another person at (ISC)2 earlier today. This is the second time today that I have received messages from two different people that are virtually identical. That doesn't come across very well, because it makes the recipient feel that they're getting a form letter, and that at least two different people are sending out said letter.
My response to her was longer, but I do want to point out that I, and others on this forum are painfully aware that "There are some applicants that have been waiting the full eight weeks and we cannot jump over their applications," as you and your colleague noted in your messages. We have been writing about this in several places on this forum.
With that said, I have waited the full eight weeks, and longer. I passed the exam on Tuesday, October 23, 2018 and received confirmation from (ISC)2 the next day, whereupon I was notified that I could expect to wait 6 weeks. Accordingly, I immediately submitted my endorsement application and received a notification from the website that I should anticipate an 8-week response time. Thus, counting from that day - Wednesday, October 24th - I waited exactly 8 weeks until December 19th. However, believing that two additional days might have been required by (ISC)2 for the Thanksgiving holiday, I waited until Friday, December 21st before emailing my first query as to the status of my application.
Today, Wednesday, December 26th, is the end of week 9. Since it is 5:30 PM (I'm in the same time zone as the (ISC)2 Florida Office), I know that this process will roll into week 10 tomorrow.
So no, having waited longer than 8 weeks, I have no desire to "...jump over their applications" - I am already in front of those poor souls.
Interestingly enough, I received a notification at 12:04 PM today that I have earned the CCSP Badge. Obviously there is a disconnect between the notification system here, the main website, and the emails I'm receiving. I respectfully recommend that you look into that issue, as more communication mishaps are the last thing you need right now with so many mixed messages going out. As a result of that notification, I don't know whether I've been confirmed as a CCSP or not.
I can understand how it might be frustrating to receive a similar message multiple times. Around this, and any other issues or questions that come in to our teams, we do want to remain consistent in our messaging. Specific to this instance and many other member-facing issues, I personally lean on my colleagues in Member Services to help me understand the issues that are being brought up in the Community so that I can relay the most accurate information possible to everyone here. In the Community we have a unique position: all of our responses are public. We often receive messages individually that are also posted here on the Community, too. In these cases, we want to ensure that anyone who may be following a specific thread or anyone who comes across the thread will see our response. With this being a regular occurrence, there are times when messaging is duplicated/used repeatedly to ensure that consistent message for all parties who may see it – whether it is more one on one in an email or public on the Community.
I will also be following up with you individually about your endorsement.
I hope this helps to explain why our messaging is the same. If you have any other questions about this, please let us know.