(ISC)2 Inc., a nonprofit provider of security training and certificates such as the Certified Information Systems Security Professional (CISSP), is electing members to fill four positions on its board of directors. All (ISC)2 members are eligible to vote by the cutoff date, Nov. 30, 2014, and the organization has made information available on the seven candidates up for election. For the first time, (ISC)2 has also opened a forum on LinkedIn where members can communicate with candidates.
Wim Remes, who was selected as the chairman of the (ISC)2 board in January, is up for re-election after serving out his first three-year term on the board. In this exclusive interview with SearchSecurity, Remes detailed (ISC)2's election process, provided an update on the board's ongoing efforts to restore the value of the organization's certifications and boost engagement among members, and discussed the changes the organization has already undergone in his three years on the board.
How many members typically vote in (ISC)2 elections, and is voter 'turnout' up this year?
Wim Remes: It may sound funny, but as a board, we don't get the numbers of the vote. Because we want to run it independently, the election is actually managed by our general counsel and we don't have access to those numbers either. We just get a list of the people that are elected. That is completely audited, we just don't get the numbers.
Is that process -- having a third party manage the election out of the sight of the public without releasing vote totals -- indicative of a lack of transparency on the part of the organization?
Remes: I don't believe so. The platform we use to collect the votes is run by a third party, but all the numbers and verification are done by our general counsel. So he does have access to the numbers, but we as a board don't get those numbers. They are properly audited, and the platform we use is audited as well. We don't want to give the impression that the board is inbreeding, and we don't see it as a benefit to have the numbers.
But as a result, doesn't that mean the members also don't get the vote totals?
Remes: At the moment, that is true. But this year, when I became chair, I founded a committee that is looking into how those numbers can be properly communicated. You could give all the raw numbers, but then some people will do independent analysis that might not be indicative, and if you only work with percentages, people will ask questions about where your numbers come from. So that's a thin line we're walking. We're definitely looking into what can be communicated using which media.
The last time we spoke, you mentioned that you were focused on helping turn (ISC)2 into a more member-focused organization. How is that work going?
Remes: Over the past few months, we've increased our number of chapters around the globe [to over 150]. We see members taking charge in creating a chapter and taking leadership there. As a board, we reach out more to members, we get much more feedback, and feel that the membership is much more engaged and wants us to work for them.
What kind of feedback have you been receiving from membership this year?
Remes: I've seen very positive feedback on workshops and activities around renewing credentials. We see a lot of diversity in the membership, there are a lot of people from all around the globe taking part in activities, including a survey around our content. [There are] a huge number of members that is engaged and provide feedback, and the organization and board works with that.
Before your term, there were rumblings among (ISC)2 members that the organization no longer provided value for them. Do you think members' attitudes towards the organization have changed during your term?
Remes: I think as a team, we've definitely turned it around. I would say three years ago, you would not have seen (ISC)2 at a B-Sides conference, for instance, but now we engage with B-Sides. We also open up a lot of our security events around the globe for both members and non-members to participate in, so I feel in that sense that we are much more engaged and get a lot of positive feedback for those events from members and the information security community at large.
You originally ran as an outsider in the 2011 (ISC)2 election, but now as the board chair, you've become arguably the ultimate insider. I'm curious if you can boil down how you think your three years on the board has changed you as a candidate, and your view of the organization?
Remes: I ran from the perspective of a member that was disappointed in the value I got from my membership. Then coming to the organization, I think the first thing I noticed was that the style of the management team is incredibly impressive. They are 100% focused on providing support and value to the members. And then when you are on the board, you look at everything from a much more strategic perspective as well as the landscape of other organizations within the security community. Now, most of the credentialing organizations are for-profit organizations. We have to rely on the more than 100,000 (ISC)2 members now to influence the community. Obviously, some people who aren't happy with the organization maybe see me as part of the problem now. I think for me, being part of the board has changed me and made me look more strategically at the opportunities in the credentialing landscape. I think being part of an organization like (ISC)2, we have a lot of opportunities to have a positive influence.
One of your goals was to change the board's role, specifically to be less involved in the day-to-day running of the organization and become more strategically focused. Have you achieved that, and are there specific changes to the way the board operates that you can cite?
Remes: When I joined the board, the organization was going through a process of change where basically several board members had more experience running an organization than some of the staff members. There was a reliance on board members to guide and be involved in some matters of management. In the past few years, this has drastically reduced, especially after our COO [David Shearer] joined. That involvement lessened when he took charge and as a team we are much more focused on the strategic matters.
In a recent announcement, there was a very interesting quote from W. Hord Tipton [executive director of (ISC)2]: "(ISC)2 has moved from a certifying body to a global organization focused on the bigger picture of filling the global need for more qualified cybersecurity professionals." What is your reaction to that statement? And does it signal a turning point for the organization?
Remes: First, yes, it is a turning point. I'm in total agreement, and one example I can give is our Global Academic Program. We see a lot of universities struggling with developing security content for their curriculums, and that is why we created the program to basically work with universities and providing our content to basically kick start their security topics in their computer science programs. In that sense, we're not more focused on getting more members and selling more certificates, but we're enabling the universities to teach security to their graduates.
Other security industry groups like ISACA and the ISSA have recently launched new programs that seek to address the dire shortage of new information security practitioners joining the field. (ISC)2 has, in terms of its membership, remained focused on a highly qualified group of experienced infosec pros. Do some of these new initiatives from other organizations put (ISC)2 at risk of losing its influence by not doing more to cater to those people looking to join the field?
Remes: I don't want to sound contentious, but if some other organizations -- I will not name names -- set the price of their credentials from $500 or more down to $59, I don't think that helps in getting more people into the security workforce … We're looking at synergies with existing organizations and initiatives that we can vet ourselves and put our stamp on it. So the way (ISC)2 works right now, we look at initiatives that have value. We are not lagging behind other organizations. We're much more focused on working with [partner] organizations rather than by ourselves.