TL;DR
If you support me in this endeavor, please send an email containing the following information to wim [at] remes-it.be before September 1st 2022:
Your name and surname as it is known at (ISC)2
A statement endorsing my candidacy
Your (ISC)2 member number
This email needs to be sent from your email address that is on record with (ISC)2. If that is not the case, the endorsement will be rejected.
Wim Remes For (ISC)2 Board
(ISC)2 is, by its own words, “an international, nonprofit membership association for information security leaders like you”. Its vision is to “Inspire a Safe and Secure Cyber World”.
My name is Wim Remes and I am a security professional just like you. This is my petition for the 2022 (ISC)2 board elections. To be added to the election slate, I need to gather 500 endorsements for my candidacy before September 2nd.
I am, and always have been, a proud member of (ISC)2. I obtained my CISSP in 2006 and have always retained a sense of accomplishment. I believe it is worthwhile to be a member of an association that represents my, and my profession's, interest. In fact, I have volunteered for the (ISC)2 board before. I was a board member from 2012 to 2014, and again from 2016 to 2018. With my fellow board members I ensured continuous growth both financially, in membership numbers, and as an organization.
There are many non-profit and for-profit organizations in the security industry that represent – part of – our profession. I feel that (ISC)2 is the only organization that has the ability and stature to represent our profession's interest boldly and relentlessly. While I will further detail my ideas and platform on this website, my goal is to represent our membership and advocate for our profession at the (ISC)2 board level unapologetically. While my peers and I are in the trenches protecting organizations every day, I feel that (ISC)2 has failed tremendously in achieving its vision over the past 4 years. Its board is largely absent and anonymous. Its leadership does not take up the gauntlet. Companies and individuals around the world become victims of cyber-attacks every single day, at great expense to themselves, their stakeholders, and society at large. We cannot stand by and watch. It is time to act, to inform, and to empower. Tomorrow's (ISC)2 is an association of committed members that help to protect society. Tomorrow's (ISC)2 is an association that effects change. Tomorrow's (ISC)2 is an association that boldly leads and represents. Tomorrow's (ISC)2 is your (ISC)2. It is our (ISC)2. It is the world's (ISC)2. I have a strong desire to do this together with you, my fellow member, and with full accountability to you.
My Platform
As you know I have been an (ISC)2 Board member before. I was arguably the most accessible board member for my fellow professionals and the broader information security profession. While I made myself available it still proved extremely difficult to get feedback from the membership, or professionals. For this election, I want to change things up a bit. I believe it is necessary.
I will work with a group of people that have committed to being part of this project. These are not close friends of mine but people I have sourced from within the membership. They are volunteers, just like me, that feel change is necessary and are willing to put in the work. They will work with me to fine tune our program, to support feedback loops with the membership, and to keep me accountable. This will allow me to execute on our platform, to bring member concerns directly to the board at a regular pace, to efficiently communicate with and listen to the membership, and to represent our profession.
I am currently working to identify these individuals and will update a separate page with their names and bios.
For a board, and an organization, communicating with the membership at large is not an easy task. There are privacy regulations that allow members to limit what (ISC)2 can communicate with them about, and then there is the fact that the membership speaks different languages and has different expectations. I will advocate for a strategic membership communication plan that clearly outlines what is communicated, at which cadence, and through which media. This plan should be clearly separated from pure marketing efforts and should address both what the organization is doing in general and what the organization is doing specifically for the membership.
The board should separately communicate clearly about its activities and its accomplishments. This should happen at the very least after every board meeting for general board business. For committees I will advocate for a regular status report.
Lastly, the board should facilitate a medium through which the membership can provide feedback, express grievances, and submit motions for board consideration. The board's agenda should, at least partially, be directed by the membership.
I feel I need to add that there are some things that the board will never communicate publicly about. This includes very personal things such as Ethics committee decisions that directly impact an individual, but also strategic discussions or decisions before they are executed. In essence, the approach here is very simple. The board discusses certain items in "Executive Session", which is 100% confidential. For me, anything outside that "Executive Session" should be shareable with the membership, barring some exceptions on a case-by-case basis.
Many countries, or their governments, are actively pursuing licensure for security professionals. This is an item that I have regularly spoken about with fellow security professionals, members I have come across, and other audiences over the past few years. I strongly believe that (ISC)2 should do more to represent the membership in public debate about licensure in all jurisdictions. The organization is currently not equipped to do this and that should change.
I am convinced that there is value in setting a bar for certain professions, but this requires a thoughtful approach. There are two main concerns at this very moment that, in my mind, prohibit a successful licensure implementation. Firstly, there is a continued shortage of qualified security professionals. We cannot risk disqualifying a group of very capable professionals just because they don't hold a specific piece of paper. Secondly, our profession is extremely fragmented. There are dozens of roles across organizations that qualify as "cyber security". There isn't a single license that works for all of these roles. The things we expect from a security auditor are very different from what we would expect from a security architect or a penetration tester. At best, we should envision a system similar to the one we know for pilots, where pilot certificates exist but beyond that there are additional ratings one has to obtain to fly certain types of aircraft.
All that, if I can be convinced that licensure is the actual solution to the, mostly ill-described, problem. The fact remains that if a profession with significant societal impact does not self-regulate, it will be regulated by outside forces. I will advocate for the organization to strongly and decisively represent the membership's interest in the licensure debates around the world.
When I first joined the board in 2012, the first committee that I volunteered for was the Ethics committee. Partly because it seemed like the most accessible committee to effectively and actively contribute to, but also because I am a strong proponent of the (ISC)2 Code of Ethics. Among organizations with similar goals, our Code of Ethics stands out. Why? Because it was very consciously written to support the security professional in their daily challenges as a professional, but also because the majority of other Codes of Ethics are primarily focused on protecting the intellectual property of the respective organizations. The Ethics committee was also the last committee I remained active on. I decided to roll off this committee by choice in 2021 for reasons that I cannot publicly discuss.
Suffice it to say that I believe it is time that the board reinvigorates its support of the (ISC)2 Code of Ethics, how we interpret it as professionals, and how we ensure that we adhere to it. The board has an Ethics committee that still operates the way it did when (ISC)2 was founded, and the world has fundamentally changed. So has our diverse membership. I want to ensure that a broad debate is started, through an Ethics advisory board, for at least 2 years to ensure that the board and the membership at large are aligned on the priorities, the code itself, and how we apply it.
Wicked problems are problems for which the solutions and the economics around them are not easily understood and implemented. They happen to be my favorite problems and our profession has quite a few of them. I believe ISC2 can be a catalyst in driving our industry towards possible solutions or, at the very least, great improvements. Here are but a few.
Within the security community and the security industry, the topic of diversity has been top of mind for quite a while now. I don't feel ISC2 has been at the front on this topic even though the organization has a lot to offer.
Firstly, as I have been able to witness first hand on my international travel, the ISC2 membership is extremely diverse. Especially in non-western geographies, the membership leads in this area. It would help the organization if we celebrated these members more by giving them a voice if they are willing. At the same time, the organization has multiple regional "advisory councils". It would help the organization if we created a "diversity advisory council" that brings together individuals from across the globe to address the diversity issues our industry needs to solve.
Secondly, diversity means more than representing “more” of a certain group of people. Personally, I do not come from an affluent background. While I am well aware that where I was born and being a man most likely played a significant role in where I am today, I have to recognize that my dedication to information security was my ticket to (some level of) success. At the same time, over the years working with and leading teams in a variety of companies, I also have to recognize that teams with members from a variety of backgrounds perform better and make better choices. ISC2 should be an enabler for people that may not choose our profession otherwise. Not just by giving stuff away for free, but by actually engaging with partners that can help us build a sustainable pipeline of talent from underrepresented populations.
ISC2 can't afford to be a pure "performance" player but needs to speak loudly through actions on a broader stage than North America.
When looking at the leadership page of ISC2 at https://www.isc2.org/About/Leadership, it seems like there are just 2 members of the leadership team that are not based in North America. This is extremely disappointing for an organization that operates on a global level. Of course it is "easy" to lead and manage a very centralized team, but we should not go for easy just because we can. As an international organization we should aim to have an international leadership team. There is sufficient talent in the EMEA, APAC, and LATAM regions for ISC2 to build a performant leadership team that isn't North America-centric.
The membership at large often debates what the justification is for a $125 AMF and what is in it for them. Here is where I might disappoint quite a few people.
I am not convinced that the value of the certification for a member is to be expressed in a financial sense. The lack of value to the member is still ISC2's failure though.
This section is meant to shed a light on my interpretation of that value as well as touch on several things the organisation can do in order to increase the actual value for the membership.
From a personal perspective, I obtained my CISSP in 2006. At that point I had been working in IT for 8 years and almost 5 in information security. I had been eyeing the CISSP for quite a few reasons, but its requirements were, at that time, daunting. After 5 years of working with other security professionals, I always felt unworthy because they had Computer Science or other degrees that always carried the awe of customers or fellow professionals. Imposter syndrome was running deep at that time. From a knowledge and skill perspective I held my own, but I felt that something was missing. For me, the CISSP was a personal achievement and confirmed that I could hold my own in my chosen profession. I have never seen it as something that makes me better or more worthy than someone else, but it confirms that I am a security professional, to me. That, in itself, is sufficient value for myself, but when the time comes to fork over another $125 to ISC2, nostalgia can only justify that much and I doubt it can convince many of you. This side of value, to me, is extremely personal.
I also think it is extremely worthwhile to be part of a membership organisation that is built to represent my interests and that is bound by the same code of ethics. ISC2, to this day, still is that organisation, but it can do so much more in order to represent our membership's interests. I'll dedicate a separate post to that in the next few days.
Even before I became a board member in 2012, I was extremely disappointed by how little interaction there existed between ISC2 members and how little we, as a group, did together to “Inspire a Safe and Secure Cyber World”. Where we carry the benefit in numbers, the ISC2 membership does not use that benefit to create impact. Over the years the organisation has created different tools to support such efforts but we have not leveraged them sufficiently. To give a few areas where we could ACT:
Creating guidance for underserved populations to support them in protecting themselves and their families more.
Creating guidance for small and medium businesses to support them in building basic defences against ransomware.
Training up newcomers, interested people, underrepresented demographics, etc.
Creating tools, documents, and guidance for our fellow security professionals to be more effective and efficient in their job.
Somehow we pay $125, or more, and expect ISC2 to do it for us? I think that is a horrible mistake. As ISC2 members we *are* the organisation. It is our responsibility to have ISC2 be impactful.
True. Over time all certifications have been adopted by HR professionals as checkbox items that allow for easy triage. This includes the ISC2 portfolio of certifications. While this may be one of the drivers that got ISC2 to 150k members, it has also led to a less engaged membership. We noticed this when Hord Tipton was still CEO and started efforts to get closer to the members while also engaging with a variety of HR organisations to level-set on what information security certifications mean and how they should be interpreted. This work continued under David Shearer's leadership, but it feels like that focus has not survived the most recent leadership transition. I believe it needs to be carried forward and strengthened. Security professionals are not defined by the papers they hold but by the value they deliver to their principals, and the world, every single day.
ISC2 should extend its cooperation with organizations such as OWASP and be supportive of community and open source efforts that attempt to affect change on a global scale.
This year, ISC2 has decided to open board election nominations to all ISC2 members. I believe this was a mistake. First and foremost, logistically. The board has 13 members and traditionally fills the nominations committee from board members. There is no indication that this has been different this year. At the same time, ISC2 has around 150,000 members. If 1% of the membership were to self-nominate, the small committee would be tasked with processing 1500 applications. Even 0.1% would be an almost impossible workload for the committee.
Additionally, an organization such as ISC2 has a humongous challenge, as its membership is primarily composed of specialists in a certain trade (information security) and very few among its members are equipped to serve on a governing board that understands the scale at which ISC2 operates, the laws that the organization is subject to, and the management of a high-performing Chief Executive that has certain expectations of their board.
I learned this first hand when I joined the board in 2012. It took me a lot of discovery and learning to understand all the moving parts on the board. The workload, throughout my 6 years on the board, took a significant chunk out of my personal life in order to deliver the quality I expected from myself. Most of my evenings and weekends were dedicated to board work. I may hope that is still the same for current board members.
I believe there are several things that should be considered:
The board should put effort in identifying qualified candidates outside the traditional nomination cycles and involve them in committee work and other board work.
The board, per the current bylaws, should be no less than 7 members. At this time there are 13. I believe the board should downsize itself to 9 members or less and consider the onboarding of more non-voting and/or advisory board members. This can support the identification of new board talent but can also support the board in areas where the board members' experience and knowledge falls short.
The board should be more communicative about the work they are doing on a regular basis. This communication should be formal and centralized. The membership deserves more clarity about how the organization is run, taking into account some strategic sensitivities that can't be communicated about.
My name is Wim Remes. I am an (ISC)2 member from Belgium and this is my petition to be added to the board election slate for this year's (ISC)2 board election. If you support me in this effort please send an email containing the following information to wim [at] remes-it.be before September 1st 2022:
Your name and surname as it is known at (ISC)2
A statement endorsing my candidacy
Your (ISC)2 member number
This email needs to be sent from your email address that is on record with (ISC)2. If that is not the case, the endorsement will be rejected.
The Committee
Work in progress...
Copyright © 2022 Wim Remes