Tuesday, January 1, 2013

A “tax” time rant.

January first, and I got my annual “pay up for the privilege of being able to put potentially embarrassing letters after your name” note from the (ISC)2, also known as my annual member statement and invoice for AMFs (annual maintenance fees).  I consider many certifications, especially the CISSP, to be an InfoSec career tax; you have to pay it if you want to participate in many parts of the field, especially to get past hiring issues where blind adherence to checklists prevents rational hiring decisions (see US DoD 8570 for one example of this mentality).

Some folks may have noticed that I’m not very fond of the (ISC)2, or its alleged “ethics” process, or elections process, or stale content.  If you want some back story on this, I’ll refer you to these posts by Robert Graham and the Security Curmudgeon over at Attrition.  I won’t add any details of my own, and everything here should be understood as just my *opinion* (because I’m terrified that (ISC)2 will sic the legal terriers, or worse, on me- and I can’t afford all the new socks that would be required after that much ankle-biting).

I think that the (ISC)2 ethics “problem” is simply that their goal is to protect (ISC)2, not to protect the value of the certifications, and certainly not to protect the InfoSec community or our customers and clients.  In other words, what I (and many others) see as a problem is in fact their desired outcome. I believe that (ISC)2 hides behind disqualification of complaints, and secrecy, to shield itself from having to take action or provide full accountability.

Here’s my fantasy for the ethics process: transparency.  (My real fantasy is the dissolution of (ISC)2 and abandonment of all of its certifications, but that one seems even more unlikely than this one, so let’s move on).  I understand one rationale for secrecy around ethics complaints, protection for the falsely or erroneously accused.  I reject that- ethics challenges can and should be published and the results of investigations should be made public.  False or erroneous charges would be publicly addressed, and the air cleared.  Ethics complaints which are rejected for a failure of the complainant to meet the requirements of procedure or standing should be published, with reasons for rejection- if the standards or grounds for “standing” to bring complaint seem onerous, it will be visible, and can be addressed through the Board of Directors or other means.  I have not had faith in some of the people entrusted to review ethics complaints, and opening the process to scrutiny would help to either assure us that all participants are acting in good faith- or expose them so that action could be taken to address concerns.

I am sick of (ISC)2 hiding behind policy and being able to weasel out of admitting that complaints have been filed by hiding behind intentionally restrictive policies- apparently if a “complaint” isn’t accepted, it isn’t a “complaint”, according to the (ISC)2- and if someone says a complaint was filed (ISC)2 can reject that assertion because the complaint wasn’t accepted.  In my opinion that’s unethical and dishonest.

By the way, when I say published, I mean publicly, not behind an (ISC)2 login; the aggrieved parties are not always members.  More importantly, since the CISSP is used as a de facto public standard, it should have transparency.