Newcomer III

Re: CCSP Endorsement Time

Very good, Sir!

 

As you noted, expectations are not being managed properly, and that is antithetical to how cybersecurity professionals should manage their clients, customers, and co-workers.  (ISC)2 has set a very high bar for how cybersecurity practitioners perform their craft and communicate with their stakeholders, yet they are not practicing what they preach.

 

To tell your customers that a task of 4 to 6 weeks' duration has been elongated by stating that "...due to a system upgrade, we are currently running closer to 8 weeks." is unacceptable on many levels:

 

  • Essentially, they are attempting to distinguish blame for the source of the ongoing delay by shifting the focus from themselves to the upgrade.
  • If one is to blame the upgrade, one is really blaming the leadership that authorized such a poorly executed upgrade.
  • As a PMP, making such a statement to my clients would have been grounds for my dismissal, and rightly so.  Such a statement would have demonstrated my incompetence as a project scheduler, risk manager, contingency planner, communicator, and leader.

Forgiveness may be forthcoming, as I noted in my post, but true admission of the root cause is a prerequisite (and the upgrade, however poorly implemented, can never be called the root cause).  In my decades of experience, the root cause analysis frequently traces back to a person, or people, either not doing something that they should have done, or doing it incorrectly.  Further examination reveals this to be a training issue.  A lack of training, or improper training, is ultimately the responsibility of the leadership.  That is where root causes live.

 

With that said, I'd rather not invest more effort to get them to justify what happened in the past; of more interest to me is the current state and their future intentions.  Thus, if (ISC)2's leadership will take a moment to explain the steps they've taken - and are going to take - to permanently resolve this, and just as importantly, to regain the credibility they lost, I'm listening.


Lloyd Diernisse
CISSP | CCSP | LSSBB | PMP | CSM | CMMI-A | ITIL-Fv3
Cybersecurity Consultant to the U.S. Government
Community Champion

Re: CCSP Endorsement Time


@CyberLead wrote:

the root cause analysis frequently traces back to a person, or people, either not doing something that they should have done, or doing it incorrectly.

The focus of root cause is best limited to reducing the likelihood and/or impact of future occurrences.  Figuring out what went wrong only matters to the extent that it furthers this goal.  In what I consider to be a healthy environment, root cause stops at a faulty process, equipment failure, poor configuration, etc.  It does not take that final step of identifying a person to blame.  That is counterproductive because it creates hostility and a CYA atmosphere.  Although the technicians often know whose fingers were on the keyboard, a name should never make it into any report and the blame should be shouldered at a much higher level.

 

 

Calling out individuals (or even small groups) is best left to accolades.

Newcomer III

Re: CCSP Endorsement Time

In general, I agree with you.  There is a reason why it is a good leadership practice to "reward in public and reprimand in private."  Otherwise, it can indeed be "...counterproductive because it creates hostility and a CYA atmosphere," as you pointed out.

 

In my world of government contracting, an exception to this policy often manifests.  While stopping the RCA at a "...faulty process, equipment failure, poor configuration, etc."  may be sufficient toward "...reducing the likelihood and/or impact of future occurrences," it would not satisfy the legal or contractual requirement of identifying the person, or people, who are responsible, accountable or both.  Thus, the root cause analysis is performed as part of an investigation, along with the collection of evidence.

 

In a private entity, or a government organization where a small transgression has occurred, the investigation may end with a reprimand, or better yet (in my opinion) training.  A more serious or costly transgression, or one with a public impact, may end with dismissal, unless a civil tort or crime has been committed (whereupon I reach out to my counterparts in the agency's police department.)

 

In my world, when something with a larger financial, operational, or reputational impact occurs, dismissal is the least of a person's concerns.  As an outside consultant, with a law enforcement background coupled with strong technical knowledge, I'm sometimes brought in to conduct these investigations at federal agencies and/or clean up the mess.  Depending upon the evidence that my team collects, a report to the agency's Inspector General, or a Congressional Hearing are potential outcomes.  Thus, when we perform an investigation (which includes a root cause analysis) on behalf of one of my government clients, we do "name names."

 

Each of us may have a different take on the seriousness of this problem, and how much the delays have cost us in terms of non-reimbursable expenses, or a lost job opportunity, so we'll each have to consider this issue in light of the ramifications we have - or have not experienced.  Personally, my wife and I came to the realization that we'd be absorbing the cost on this one, and I'm fortunate enough that I'm in a position to do so.  I'm not happy about it, nor about the fact that my annual leave (which also would have been restored) is gone forever.

 

I don't expect (ISC)2 to make amends, so I'm not going to sue them.  However, I would like them to:

  1. Publicly detail what went wrong.  Not to embarrass them, but as a lesson learned for the membership.
  2. I'd like to know what steps they're taking to resolve this.
  3. I'd like to know how they'll prevent this with the upgrades they're supposedly planning for 2019 and beyond.
  4. I'd like them to solicit member input before they commit to making changes.  With us, they have a tremendous base of knowledge and experience, why not use it?
  5. Regarding your final point, "...the blame should be shouldered at a much higher level," I agree; the leadership always bears the ultimate accountability and responsibility, so I'd like the courtesy of a public apology from them.

Of course, they're under no obligation to do any of these things, and I won't cancel my membership if they don't.  I do depend on my certifications to earn a living, and even though my wife wants me to retire, I'll be earning more as time goes on.


Lloyd Diernisse
CISSP | CCSP | LSSBB | PMP | CSM | CMMI-A | ITIL-Fv3
Cybersecurity Consultant to the U.S. Government
Community Manager

Re: CCSP Endorsement Time

We understand your frustration. At this time, we are experiencing a higher application volume than normal. Each application must be reviewed thoroughly and experience must be verified before we can approve the application. We must verify that the information provided meets our high standards of qualification in order to hold an (ISC)2 certification. Please note that not all applications are approved.

Similar to the CISSP, the CCSP application must be endorsed by a member in good standing. Although (ISC)2 will act as your endorser, the review process must still take place.

Again, I am sorry that the application review and approval is taking longer than you had hoped. Not too long ago, it took up to 16 weeks including waiting for your examination results. We are transitioning into a new system that will assist us in improving the review time.
Samantha O'Connor
(ISC)² Online Community Manager
Newcomer III

Re: CCSP Endorsement Time

@SamanthaO_isc2,

 
Thank you for your response.  I am still a bit confused, however.  When I received the email from (ISC)2 informing me that you had received my test results from the exam I’d passed the day before, I immediately submitted the endorsement form.  The system picked up my CISSP automatically and notified me that by virtue of having a current CISSP in good standing, I automatically met the experience requirements for the CCSP.  I signed the Code of Ethics, as part of the endorsement process on the website.  
 
Thus, with receipt of my passing grade from PearsonVue - confirmed by (ISC)2 - the automatic acknowledgement from (ISC)2 that I met the experience requirements with my CISSP, and my signature on the Code of Ethics, what else is left to verify?

Lloyd Diernisse
CISSP | CCSP | LSSBB | PMP | CSM | CMMI-A | ITIL-Fv3
Cybersecurity Consultant to the U.S. Government
Community Manager

Re: CCSP Endorsement Time

Hello @CyberLead

 

I understand how it can be confusing, especially with the situation that you were in specifically. Let me explain a little further here to let you know why there is still a wait. All applications, including CCSP applications where the applicant is already a CISSP, go into a queue and are reviewed in the order received.  We are reviewing this process.  To be fair and consistent we process/review applications in regards to certification in the order received so that no one application is handled ahead of one that has been in the queue longer.

 

While CISSP members that are earning the CCSP do not have to complete a full endorsement application.  There are some applicants that have been waiting the full eight weeks and we cannot jump over their applications.  As you know, we must make sure that we are reviewing the applications completely and verifying individuals' records.

 

Best, 

 

Samantha O'Connor
(ISC)² Online Community Manager
Newcomer III

Re: CCSP Endorsement Time

@SamanthaO_isc2,

 

I appreciate the response.  Interestingly enough it is almost word-for-word the same as the email I received from another person at (ISC)2 earlier today.  This is the second time today that I have received messages from two different people that are virtually identical.  That doesn't come across very well, because it makes the recipient feel that they're getting a form letter, and that at least two different people are sending out said letter.

 

My response to her was longer, but I do want to point out that I, and others on this forum are painfully aware that "There are some applicants that have been waiting the full eight weeks and we cannot jump over their applications," as you and your colleague noted in your messages.  We have been writing about this in several places on this forum.

 

With that said, I have waited the full eight weeks, and longer.  I passed the exam on Tuesday October 23, 2018 and received confirmation from (ISC)2 the next day, whereupon I was notified that I could expect to wait 6 weeks.  Accordingly, I immediately submitted my endorsement application and received a notification from the website that I should anticipate an 8 week response time.  Thus counting from that day - Wednesday, October 24th, I waited exactly 8 weeks until December 19th.  However, believing that two additional days might have been required by (ISC)2 for the Thanksgiving holiday, I waited until Friday, December 21st before emailing my first query as to the status of my application.

 

Today, Wednesday, December 26th, is the end of week 9.  Since it is 5:30 PM (I'm in the same time zone as (ISC)2 Florida Office) I know that this process will roll into week 10 tomorrow.

 

So no, having waited longer than 8 weeks, I have no desire to "...jump over their applications" - I am already in front of those poor souls.

 

Interestingly enough, I received a notification at 12:04 PM today that I have earned the CCSP Badge.  Obviously there is a disconnect between the notification system here, the main website, and the emails I'm receiving.  I respectfully recommend that you look into that issue, as more communication mishaps are the last thing you need right now with so many mixed messages going out.  As a result of that notification, I don't know whether I've been confirmed as a CCSP or not.


Lloyd Diernisse
CISSP | CCSP | LSSBB | PMP | CSM | CMMI-A | ITIL-Fv3
Cybersecurity Consultant to the U.S. Government
Community Manager

Re: CCSP Endorsement Time

Hello @CyberLead,

 

I can understand how it might be frustrating to receive a similar message multiple times. Around this, and any other issues or questions that come in to our teams, we do want to remain consistent in our messaging.  Specific to this instance and many other member facing issues, I personally lean on my colleagues in Member Services to help me understand the issues that are being brought up in the Community so that I can relay the most accurate information possible to everyone here.  In the Community we have a unique position, all of our responses are public. We often receive messages individually that are also posted here on the Community, too. In these cases, we want to ensure that anyone who may be following a specific thread or anyone who comes across the thread will see our response. With this being a regular occurrence, there are times when messaging is duplicated/used repeatedly to ensure that consistent message for all parties who may see it – whether it is more one on one in an email or public on the Community.

 

I will also be following up with you individually about your endorsement. 

 

I hope this helps to explain why our messaging is the same. If you have any other questions about this, please let us know.

Samantha O'Connor
(ISC)² Online Community Manager