As I've been asked questions through different forums recently, I decided to write down my personal thoughts in long form here: https://www.linkedin.com/pulse/isc2-fees-price-being-professional-wim-remes/?published=t
I am not a board member, I do not speak for the board, I do not speak for the organization. Everybody is free to reach their own conclusion and decide accordingly. I just thought my perspective could be helpful to some.
Well thought out and good words, Wim (@wimremes). Thank you.
One point you make deserves discussion here: you said (ISC)2 does a poor job of communication. Actually, it does a TERRIBLE job of communicating.
The process for changing the rules and amounts for AMF should have been open in the lead-up to a board vote, with the membership notified of the financial situation and what the board would be considering. As it happens, I think the payments should have been in advance, not in arrears, all along. I never understood that part of our process. The need for an increase, and discussion on the necessary or advised level of increase, should have been in open discussion among the membership prior to a board vote.
Agree with CraginS, there should have been member involvement not only with price increase but the decision to cut the exam time in half.
I mentioned to an ISC2 friend recently that I felt the past few years ISC2 is focused too much on revenue. Case in point:
1. Cut exam in half making it more palatable for people to approach the exam - more people taking the exam is more revenue.
2. I've noticed many articles the past few years where ISC2 is teaming with education providers to create the myth that there is an enormous shortage of qualified people for security jobs. By enticing people with the huge number of opportunities, more revenue is realized.
3. I've been receiving a lot of spam the past few years from ISC2 about hundreds of cost savings for things I'll never use. The emails are identical to AAA discounts, AARP, and every other association. I'm not a CISSP seeking to get discounts for merchandise. How much revenue is realized by this marketing partnership?
4. Raising our rate 50% while describing all the benefits we can utilize. What if we don't want to use them? We're again paying. What revenue is realized by partnerships? Also, it's mentioned conferences like Congress are a benefit. I've worked on the financing for conferences and if they are smart they always make a profit. So we shouldn't need to raise the rates if conferences make a profit.
We need transparency, and to stop cheapening the certification with every marketing scheme tried by most corporations.
(Replying to both of you in one post)
On communications ... it is not that simple. ISC2 has very good people that definitely do not suck at communications. Fact is that a large part of the membership (the majority) chooses not to communicate with ISC2 apart from logging into the portal, paying their AMFs, and submitting their CPEs. If there was some kind of referendum, it would be a small vocal minority that would call the shots. If ISC2 had followed, as an example, the process used for Bylaws changes, it would also be a small vocal minority that calls the shots. This minority would also be very US-centric, disregarding especially our APAC and LATAM colleagues. With the board, you at least have representation for all regions. Against all assumptions, the board - first and foremost - represents the interests of the membership as a whole. I can, in all honesty, say that even the slightest allusion to the contrary would be massively unfair. So, I disagree with you that an open discussion would have yielded better results.
Becoming a member of ISC2 is significantly easier than managing the membership. Billing in arrears was a choice made in the past and definitely not the best choice. However, turning that around comes with huge risks and isn't just flipping a switch. Over the past 3 years ISC2 overhauled all its back-end systems, including accounting and member management systems. In another forum I've referred to sticky prices. The increase and change to upfront billing probably should've happened years ago, but doing that would have been more expensive than what it would add to the member management budget.
On the exam time reduction, your representation is severely underinformed. This is most likely, again, the result of a lack of communication from the organization. ISC2 introduced CAT, Computer Adaptive Testing. This doesn't only make the exam more difficult to cheat at, it also ensures better testing, thus resulting in higher quality certified professionals. More importantly, the use of CAT reduces the number of items (questions) exposed to exam takers. Exam items, for a certification organization, are the single most expensive items on the books. If there was one big driver behind the move to CAT, and as a result the shorter exam time, it was this.
I work as a virtual CISO with a number of clients. The lack of security talent is not a myth in my humble opinion. If you have data to the contrary, I am happy to take a look at it.
The member benefits are also something I've brought up in my post, I believe. I think it is a good idea but the implementation can definitely be improved on. The PDI (Professional Development Institute) that was announced last year is something I eagerly look forward to.
Yes, ISC2 should keep a closer finger on the pulse of the membership. They do have the tools now so there are few excuses left. We're a very diverse bunch and what counts as a benefit for you might not be the same as for me.
I again strongly disagree with your points about a pure commercial approach. As a board we always have, and I'm sure the current board continues that practice, asked "why is this good for the membership?" on every decision. I'd encourage every single member to engage with the organization. Through the local member management representation, through ISC2 management, through the board. This organization exists for and because of us.
Coming to this a bit late, as I spent a few months not being particularly bothered, but Wim is pretty sensible on this.
To point to Wim's post - the increase in AMF is pretty much in line with other certification professional membership bodies (I've more than one certification with ISC2, so I guess it benefits me, so I'd probably be supportive anyway). I'm not sure why there is so much wailing and gnashing of teeth on this one (once you get over sticker shock - maybe some A/B testing on the site would help there). It does seem that the profession is pretty well paid, and folks at ISC2 do not seem to me to be taking a purely commercial approach; its NPO status, as covered by Wim, would seem to preclude that. There are people working full time and they do need to be fairly compensated for their time, they need health plans etc., and they might want a holiday - so personally I'm comfortable with the increase.
Maybe we should look at options to address the concerns of members who have issues paying the AMF or indeed the exam fees.
Communications wise I feel it’s OK, I gave feedback in October, it was considered and some changes were made for it and they got back to me.
On the CISSP exam - frankly CAT overall makes it harder to pass as you see fewer questions, so there are fewer cribs to helpfully jog memory... Glad I didn't have to sit the CAT test when I wrote the CISSP. Good confirmation of knowledge does not need to be an endurance test, and probably shouldn't be.
CYBERSECURITY SKILLS SHORTAGE SOARS, NEARING 3 MILLION
If there was really a shortage there wouldn't be unicorn job postings and MBA Cybersecurity graduates wouldn't be coming to my meetups asking how they can get work. With a three million shortage I would be developing plans to bring my company to $100 million in sales and compete with the likes of Cognizant with an eye on making billions.
1998-2001 were the best. (Had to delete link because error msg: invalid HTML).
Oh, I agree when it comes to that. Based on the survey more than 80% of those reqs would exist in APAC, which isn't really relevant for EU and US job seekers. Claiming 3 million based on a survey of (maybe?) 15k respondents is also not statistically honest.
Remember that a cyber-security skills shortage doesn't always mean an open job position. There are plenty of people in "cyber-security" or "IT" jobs that are woefully under skilled in cybersecurity. When you view it like that, you can see why the number is so high.
I think that we may see a few waves of automation come in and dent that, and take up some of the easier-to-describe roles fairly soon, so first-line SOC analysts should probably look to add some esoteric niches that are not so worth training learners for or creating automated playbooks for. Of course with every new idiocy/outrage there comes a push to do something, so who knows - devil's advocate - maybe three million is conservative? One thing I can conclusively point to is that folks in data protection would really like to involve a lot of their own workforce in remediation, which broadens the term of what a security role is or can be.
I'd suspect recruiters in countries could provide more accuracy/better data:
Asia is a special case; numbers of people are large, and throwing bodies at problems is quite common even though a lot of people are trying to get away from that. Two million is a lot. However, there are some data points that support this ballpark:
If India, ASEAN, Japan, Korea and Aus/NZ needed about the same as China, as the Tencent report states, then it's plausible.