At the encouragement of many friends, I have decided to throw my hat in the ring and become a member of the ISC^2 Board of Directors, an organization for computer security professionals, who sponsor the CISSP (Certified Information Systems Security Professional) certification.  The first step is to get 500 confirmed ISC^2 members to nominate me.

The approved ISC^2 process states you must send me an email to my address – – from the email address you use to log into the website.  This email must contain your ISC^2 membership number and your name.  I would appreciate it if you used tabs in the email’s body:

Your ISC^2 membership number can be found by mousing-over “Members Only” header, clicking “My Profile”, and then clicking “View Profile”.  Find the line “Contact Number/ Certification Number” to obtain your ISC^2 number.  All nominations are due to me by 11:00 AM New York City time on Tuesday 17 September 2013 after which I’ll compile into a spreadsheet (ergo, tabs) and send to ISC^2.  [Note: on Windows, use numpad ALT+009 to insert a tab in web-based emailers. thx Paul]

My Platform

As a member of the ISC^2 board of directors, I will work to:

  1. Discontinue the CISSP Certification.  It is dead. It is a joke in the Infosec community.  It cannot be saved.  Bury it and create a new one.
  2. Publish the detailed budget and financials for members to see for all years since since the ISC^2’s founding.  With 88672 CISSPs @ $85/yr, where does our $7.5million go?
  3. Donate part of the hoarded funds to other security organizations or worthy open source projects.

About The CISSP

I’ve held my CISSP for seven years, dutifully paying my $85 and filling out the CPE form every year.  I’ve been a penetration tester, SAS70/ISAE3402 guru, system security architect, risk analyst, and lead security auditor with side training in forensics, firewalls, network security, secure coding, and system administration while working for boutique security companies and for internal security at a Big 4 accounting firm; I’ve seen much of the Infosec world.  However, each time I go through the annual renewal process, I try to remember how the CISSP relates to any of my daily Infosec jobs and I come to the same conclusion every year: the CISSP is a meaningless thing.

Like many people in the industry, my employer required me to earn and keep my CISSP certification as a condition of employment.  We asked “why” and were told that company leadership needs to tell our clients the Infosec department is CISSP-certified; basically the CISSP is a marketing buzzword.  We never used the CISSP as a means for job candidate filtering, in fact, we hired more people without CISSP than with; so it didn’t help with recruiting efforts.  Sometimes vendor personnel had CISSP certifications, but that was usually non-technical sales people; so we wondered if working for five years at a security vendor is good enough.

Maybe the ISC^2 website can give me more information on what the CISSP is about; but it looks more like a sales website where I buy books, exams, and attend training conferences.  I would go to my local ISC^2 chapter meeting, but my “small town” of New York City started a chapter under a year ago and appears to have not had a meeting since.


You’d think there would be a link to the budget in the member’s only section of the website, but I don’t see one.  You’d think a 501(c)6 not-for-profit would spend more money on educational programs (24%) instead of administration and sales (61%) (2012, page 28), but they don’t.  We can be thankful that much was published, who knows what it was in 2011 (page 22).   And with a $7million dollar profit between 2010 and 2011 and $25million in the bank, what’s going on?  If we really have that much money, why are we hoarding it?  [Update: FY11 tax return says about $400k for the executive director, but what is the whole budget?  thx Thistle]

Who Am I?

I’ve been doing Infosec for 10 years in many capacities. I have a SANS GIAC GSNA, ISACA CRISC, and the ISC^2 CISSP along with traditional BS and MS degrees.  I volunteer for OWASP, participate in ISACA, and am a member of various computer & security meet-ups.  I’ve been to Black Hat, Defcon, HOPE, and other random conferences.  I’ve taught Infosec to newbie pen testers and to people in the boardroom. I’ve found security issues in software and hardware in your data center and got the vendors to fix it.

In other words, I’m just like you and I’m sick of paying $85 for nothing.  I appreciate your nominations for ISC^2 Board of Directors.  If you have questions, drop an email otherwise, please nominate me to appear on the ballot.

-jay ball, GSNA, CRISC, CISSP

[Updated 2013-08-21 19:17 – added tax return]

11 comments on “isc^2 board of directors 2013

  • Rather than investigate and fix you are running on a platform of ‘It’s broke and it should go away.’. If you feel that CISSP is dead; why do you send in your $85? Why do you continue to accumulate and report CPEs? I could support investigating and improving ISC2. I can’t support your platform. Sorry.

    • Many people are required to have a CISSP as a condition of employment at their firms. When I’ve asked why, it generally comes from some non-IT VP hearing about it and saying we need to require it of our Infosec staff like his peers’ firms.

      I said the CISSP is dead, I did not say ISC^2 is dead. Do we replace the CISSP with something completely new? Do we have a phasing where old-CISSP is replaced by new-CISSP over a few years? Are legacy CISSP allowed the new CISSP until being re-tested? Do we have retests? Do we tell people to get a different certification from ISACA, SANS, or someplace else and just audit the various certifications as ISC^2 approved? I don’t know; that would be part of any discussion. But what is out there now is a joke and needs to go.

  • I agree improvements are needed and a potential revamp of the CISSP designation. I don’t believe it should be trashed, though. You could say much the same thing about JDs, CPAs and the like – certification is needed for some employment opportunities and that’s not going to change any time soon. As with any designation or degree it is what you do with it at the end of the day (or decade). Doing away with the certification will give rise to another, as you put it, equally worthless designation.

  • I love you!
    and… my main business is teaching CISSP preparation courses.

    Instead of #1, I would say: cut marketing and administration, lower the price of exam and annual fee to the minimum amount not to make a profit (and adjust it per country… developing world should be given a break)

    #3 would be: change the organization chart so that it stays like that.

    and a new #4: change the way the board is nominated so it is not a “friends club”, but real elections.

  • Jay, While I would vote for you. I see your idea of the discontinuing the CISSP as a bad choice. It might make for a better idea/platform to make the CISSP a base certification to a path for higher more valued certification. Some thing like CCNA is to the CCSP for Cisco. Thus many memebers haven’t wasted their time or money on a certification that you wish to kill.

    I see the CISSP as a 10K view on security and maybe making a higher cert that focuses on different directions such as technical (CISA type) or management (CISM type) might be the right direction.

    But asking people to just throw away a cert/money they worked for I don’t think is the right way…. Use it as a building block to bigger and better.

  • Granted improvements are needed at ISC but not disposing of the CISSP. Raise the bar on the requirements and make it more relevant and up to date. A CISSP, like any other certification needs to be current and relevant. Given the world we live in and what’s coming down the pipe we should be making our certifications better instead of suggesting they be tossed. Your platform is not helpful to the industry and discredits those of us who worked hard to attain it. I cannot support your platform and running on a such a platform without any real supporting arguments is probably not a good career move for you. As a CIO and CISSP I would be very hesitant hiring someone who is ready to throw in the towel and complains instead of trying to fix it.

  • Thank you to the many people who have emailed the nominations, there are still many more to go.

    I am actually surprised that people are defending the CISSP. I have never spoken with anyone who thought it was more than a joke or scam. This includes coworkers, peers, security meetups, conferences, etc. I appreciate your insights.

    When you read the “About Us” page on ISC^2’s website, it alludes to the CISSP being the Gold Standard. Thus, it is the übersecurity certification. So if you have it, you know everything? This is the marketing that everyone is being subject to and why most people think it is a joke. The Vice Chair of Operations hears about it on a golf course and mandates everyone in Infosec get a CISSP (even those in Infosec to whom this certification isn’t relevant).

    Andrew, you say the CISSP is basic security and should be a building block towards more advanced things. Tony says we need to make the CISSP encompass more current topics and raise the bar on it (i.e., make it less basic). Neither of you are happy as it is now and have conflicting thoughts on fixing it. Ergo you both agree with me: kill it as it stands today. Replace it with something else. It could be an enhancement, modification, or outright new thing; but right now, it doesn’t work. What needs to be done next should be a long discussion and then debated in a committee or even a CISSP constitutional convention, not be in a simple blog post.

    As for thinking the CISSP is a scam, Mathieu is essentially say, “what do we get for our money and why is it so expensive?” For the 501(c)3 charity branch of ISC^2, we pay the executive director $400k to hand out $60k in scholarships. This same person is also executive director of the full 501(c)6 ISC^2 organization, does he get additional salary for having a second job? Is this considered two full time jobs? Is the charity a part time job? It sounds like we’re just paying a bunch of people to be permanent directors. And the nomination process: “we want you to vote for these endorsed people, but if you email us your name, we’ll send a message to everyone 10 days later after the nominating process is 30% over.” As Mathieu said, “friends club” indeed.

  • Your platform is just addressing a symptom – if CISSP is the primary landmark of ISC2, and it’s so bad you need to end it, the other certifications aren’t even as “valuable” as CISSP. Compare CISSP to CSSLP on, career builder, monster, or indeed – there’s 100x more CISSP listings. There’s a systemic problem across all the certifications in turning them into something more than a “nice to have” on a recruiter checklist.

  • I agree there is an issue here, and I think it’s worth trying to address. Although I agree the issue isn’t the CISSP itself, but rather with certifications in general and the environment that breeds it. Working for the DoD, it is particularly bad.

    @davidknorman makes a good point. The larger question is, how do you solve the systemic issues surrounding the CISSP and certifications in general? Even getting rid of the CISSP and making a new one – how will it not be prone to the same issues?

    Regardless, visibility and transparency are both good place to start. You have my nomination.

Comments are closed.