---

@CyberLead wrote:

the root cause analysis frequently traces back to a person, or people, either not doing something that they should have done, or doing it incorrectly..

The focus of root cause is best limited to reducing the likelihood and/or impact of future occurrences.  Figuring out what went wrong only matters to the extent that it furthers this goal.  In what I consider to be a healthy environment, root cause stops at a faulty process, equipment failure, poor configuration, etc.  It does not take that final step of identifying a person to blame.  That is counterproductive because it creates hostility and a a CYA atmosphere.  Although the technicians often know who's fingers were on the keyboard, a name should never make it into any report and the blame should be shouldered at a much higher level. 

 

 

Calling out individuals (or even small groups) is best left to accolades.

In general, I agree with you.  There is a reason why it is a good leadership practice to "reward in public and reprimand in private."  Otherwise, it can indeed be "...counterproductive because it creates hostility and a CYA atmosphere," as you pointed out.

 

In my world of government contracting, an exception to this policy often manifests.  While stopping the RCA at a "...faulty process, equipment failure, poor configuration, etc."  may be sufficient toward "...reducing the likelihood and/or impact of future occurrences," it would not satisfy the legal or contractual requirement of identifying the person, or people, who are responsible, accountable or both.  Thus, the root cause analysis is performed as part an investigation, along with the collection of evidence.

 

In a private entity, or a government organization where a small transgression has occurred, the investigation may end with a reprimand, or better yet (in my opinion) training.  A more serious or costly transgression, or one with a public impact, may end with dismissal, unless a civil tort or crime has been committed (whereupon I reach out to my counterparts in the agency's police department.)

 

In my world, when something with a larger financial, operational, or reputational impact occurs, dismissal is the least of a person's concerns.  As an outside consultant, with a law enforcement background coupled with strong technical knowledge, I'm sometimes brought in to conduct these investigations at federal agencies and/or clean up the mess.  Depending upon the evidence that my team collects, a report to the agency's Inspector General, or a Congressional Hearing are potential outcomes.  Thus, when we perform an investigation (which includes a root cause analysis) on behalf of one of my government clients, we do "name names."

 

Each of us may have a different take on the seriousness of this problem, and how much the delays have cost us in terms of non-reimbursable expenses, or a lost job opportunity, so we'll each have to consider this issue in light of the ramifications we have - or have not experienced.  Personally, my wife and I came to the realization that we'd be absorbing the cost on this one, and I'm fortunate enough that I'm in a position to do so.  I'm not happy about it, nor about the fact that my annual leave (which also would have been restored) is gone forever.

 

I don't expect (ISC)2 to make amends, so I'm not going to sue them.  However, I would like them to:

1. Publicly detail what went wrong.  Not to embarrass them, but as a lesson learned for the membership.
2. I'd like to know what steps they're taking to resolve this.
3. I'd like to know how they'll prevent this with the upgrades they're supposedly planning for 2019 and beyond.
4. I'd like them to solicit member input before they commit to making changes.  With us, they have a tremendous base of knowledge and experience, why not use it?
5. Regarding your final point, "...the blame should be shouldered at a much higher level," I agree; the leadership always bears the ultimate accountability and responsibility, so I'd like the courtesy of an public apology from them.

Of course, they're under no obligation to do any of these things, and I won't cancel my membership if they don't.  I do depend on my certifications to earn a living, and even though my wife wants me to retire, I'll be earning more as time goes on.

We understand your frustration. At this time, we are experiencing a higher application volume than normal. Each application must be reviewed thoroughly and experience must be verified before we can approve the application. We must verify that the information provided meets our high standards of qualification in order to hold an (ISC)2 certification. Please note that not all applications are approved.

Similar to the CISSP, the CCSP application must be endorsed be a member in good standing. Although (ISC)2 will act as your endorser, the review process must still take place.

Again, I am sorry that the application review and approval is taking longer than you had hoped. Not too long ago, it took up to 16 weeks including waiting for your examination results. We are transitioning into a new system that will assist us in improving the review time.

@SamanthaO_isc2,

Hello @CyberLead, 

 

I understand how it can be confusing, especially with the situation that you were in specifically. Let me explain a little further here to let you know why there is still a wait. All applications including CCSP application were the applicant is already a CISSP go into a queue and are reviewed in the order received.  We are reviewing this process.  To be fair and consistent we process/review application in regards to certification in the order received so that no one application is handled ahead of one that is been in the queue longer.

 

While CISSP members that are earning the CCSP, do not have to complete a full endorsement application.  There are some applicants that have been waiting the full eight weeks and we cannot jump over their applications.  As you know, we must make sure that we are reviewing the applications completely and verifying individuals records.

 

Best, 

 

@SamanthaO_isc2,

 

I appreciate the response.  Interestingly enough it is almost word-for-word the same as the email I received from another person at (ISC)2 earlier today.  This is the second time today that I have received messages from two different people that are virtually identical.  That doesn't come across very well, because it makes the recipient feel that they're getting a form letter, and that at least two different people are sending out said letter.

 

My response to her was longer, but I do want to point out that I, and others on this forum are painfully aware that "There are some applicants that have been waiting the full eight weeks and we cannot jump over their applications," as you and your colleague noted in your messages.  We have been writing about this in several places on this forum.

 

With that said, I have waited the full eight weeks, and longer.  I passed the exam on Tuesday October 23, 2018 and received confirmation from (ISC)2 the next day, where upon I was notified that I could expect to wait 6 weeks.  Accordingly, I immediately submitted my endorsement application and received a notification from the website that I should anticipate an 8 week response time.  Thus counting from that day - Wednesday, October 24th, I waited exactly 8 weeks until December 19th.  However, believing that two additional days might have been required by (ISC)2 for the Thanksgiving holiday, I waited until Friday, December 21st before emailing my first query as to the status of my application.

 

Today, Wednesday, December 26th, is the end of week 9.  Since it 5:30 PM (I'm in the same time zone as (ISC)2 Florida Office) I know that this process will roll into week 10 tomorrow.

 

So no, having waited longer than 8 weeks, I have no desire to "...jump over their applications" - I am already in front of those poor souls.

 

Interestingly enough, I received a notification at 12:04 PM today that I have earned the CCSP Badge.  Obviously there is a disconnect between the notification system here, the main website, and the emails I'm receiving.  I respectfully recommend that you look into that issue, as more communication mishaps are the last thing you need right now with so many mixed messages going out.  As a result of that notification, I don't know whether I've been confirmed as a CCSP or not.

Hello @CyberLead,

 

I can understand how it might be frustrating to receive a similar message multiple times. Around this, and any other issues or questions that come in to our teams, we do want to remain consistent in our messaging.  Specific to this instance and many other member facing issues, I personally lean on my colleagues in Member Services to help me understand the issues that are being brought up in the Community so that I can relay the most accurate information possible to everyone here.  In the Community we have a unique position, all of our responses are public. We often receive messages individually that are also posted here on the Community, too. In these cases, we want to ensure that anyone who may be following a specific thread or anyone who comes across the thread will see our response. With this being a regular occurrence, there are times when messaging is duplicated/used repeatedly to ensure that consistent message for all parties who may see it – whether it is more one on one in an email or public on the Community.

 

I will also be following up with you individually about your endorsement. 

 

I hope this helps to explain why our messaging is the same. If you have any other questions about this, please let us know.