Re: "Socialism" in fees 😉
I had three certs w ISACA, and they really loaded on the fees. On top of that, I was getting audited EVERY year for a different cert, even though I typically had 100+ hours / year, and they applied to all three certs.
Tried to explain that they should audit the individual - not the cert, to minimize their work and mine. Fell on deaf ears. Needless to say, am not an ISACA member anymore, and they lost MANY years of their future "annuity" in fees.
Re: "Socialism" in fees 😉
Perhaps a 'cold war' between (ISC)2 and ISACA is inevitable...
I'm thinking of not renewing. I work in product management and probably don't need my CISSP to remain "in good standing" even if I have to look for a new job. Getting this certification was something I did out of interest in the field, as a challenge, and also thinking that it won't hurt to have it in my CV. Most likely if I look for another job it will still be in product management, and not necessarily for a security company.
With this in mind, do you think I should bother renewing my membership and continue with the annual CPE hunt?
@Blackmalt My personal perspective is we are dealing with an increasingly complex set of environments, including supply chain issues, i.e. back to the manufacturers. What does (ISC)2 give you apart from normal benefits? It provides evidence you are a certified security practitioner and that you are held to account to a set of ethics, which are in alignment with those of a professional Medical Practitioner. Therefore what you say to the board means you know your material, you have been tested and you maintain your skill set. The vast majority of information security, or cyber security, is about making the business understand the associated risks, impacts of not putting in place an appropriate framework to reduce the likelihood of being compromised, and having to deal with the associated incident handling and ensuing mess that follows.
If you are thinking of going to a production or manufacturing environment - then many of the current issues i.e. IoT stem from them and we need good people, like yourself to make them fully understand the implications of their decisions, which are often based on deadlines, costs and taking short cuts, without understanding the ramifications of their decisions. From a recent report 50% of all IoT devices, are inherently vulnerable with little or no security controls put in place by default. Plus given the increasing demand for security practitioners cited 3.5 million by 2021 currently, without people like yourself, organisations will have very little insight or impact of their decisions purely based on costs and resources. Security is a business issue, fundamentally, and we have to tackle it head on.
Regardless of which organisation or direction you wish to take, security and privacy will affect all organisations, even today it was announced in another report that 60,000 cases have been raised for GDPR related issues within the European Union. Wait until the Californian CCPA comes into full play - both security and privacy become an inherent way of thinking and designing systems.
I have seen colleagues have a foolish moment, and state the same thing - my job role does not require to have these certifications any more - well six months down the road, they suddenly realised after they ditched them - they needed them to get management to listen to them from a strong position of knowledge and capability.
My take, you worked hard for it, don't ditch them - they will be needed, even though currently you don't believe this is the case. You will need them to be the voice of rational reason soon enough in any organisation you join these days. The world actually needs you, believe it or not;