isc^2 board of directors 2013

21 Aug 2013

At the encouragement of many friends, I have decided to throw my hat in the ring and become a member of the ISC^2 Board of Directors, an organization for computer security professionals which sponsors the CISSP (Certified Information Systems Security Professional) certification.  The first step is to get 500 confirmed ISC^2 members to nominate me.

The approved ISC^2 process states that you must send me an email at my address – – from the email address you use to log into the website.  This email must contain your ISC^2 membership number and your name.  I would appreciate it if you used tabs in the email’s body:

I would like to nominate Jay Ball for the ISC^2 Board of
     Directors.  My ID, email, and name are:

     isc2number    registered isc2 email    your name

Your ISC^2 membership number can be found by mousing over the “Members Only” header, clicking “My Profile”, and then clicking “View Profile”.  Find the line “Contact Number/ Certification Number” to obtain your ISC^2 number.  All nominations are due to me by 11:00 AM New York City time on Tuesday 17 September 2013, after which I’ll compile them into a spreadsheet (ergo, tabs) and send it to ISC^2.  [Note: on Windows, use numpad ALT+009 to insert a tab in web-based emailers. thx Paul]

My Platform

As a member of the ISC^2 board of directors, I will work to:

  1. Discontinue the CISSP Certification.  It is dead. It is a joke in the Infosec community.  It cannot be saved.  Bury it and create a new one.
  2. Publish the detailed budget and financials for members to see for all years since the ISC^2’s founding.  With 88672 CISSPs @ $85/yr, where does our $7.5 million go?
  3. Donate part of the hoarded funds to other security organizations or worthy open source projects.

About The CISSP

I’ve held my CISSP for seven years, dutifully paying my $85 and filling out the CPE form every year.  I’ve been a penetration tester, SAS70/ISAE3402 guru, system security architect, risk analyst, and lead security auditor with side training in forensics, firewalls, network security, secure coding, and system administration while working for boutique security companies and for internal security at a Big 4 accounting firm; I’ve seen much of the Infosec world.  However, each time I go through the annual renewal process, I try to remember how the CISSP relates to any of my daily Infosec jobs and I come to the same conclusion every year: the CISSP is a meaningless thing.

Like many people in the industry, my employer required me to earn and keep my CISSP certification as a condition of employment.  We asked “why” and were told that company leadership needs to tell our clients the Infosec department is CISSP-certified; basically, the CISSP is a marketing buzzword.  We never used the CISSP as a means of filtering job candidates; in fact, we hired more people without a CISSP than with one, so it didn’t help with recruiting efforts.  Sometimes vendor personnel had CISSP certifications, but those were usually non-technical sales people, so we wondered if working for five years at a security vendor is good enough.

Maybe the ISC^2 website can give me more information on what the CISSP is about; but it looks more like a sales website where I buy books, exams, and attend training conferences.  I would go to my local ISC^2 chapter meeting, but my “small town” of New York City started a chapter under a year ago and appears to have not had a meeting since.

You’d think there would be a link to the budget in the members-only section of the website, but I don’t see one.  You’d think a 501(c)(6) not-for-profit would spend more money on educational programs (24%) instead of administration and sales (61%) (2012, page 28), but they don’t.  We can be thankful that much was published; who knows what it was in 2011 (page 22).  And with a $7 million profit between 2010 and 2011 and $25 million in the bank, what’s going on?  If we really have that much money, why are we hoarding it?  [Update: FY11 tax return says about $400k for the executive director, but what is the whole budget?  thx Thistle]

Who Am I?

I’ve been doing Infosec for 10 years in many capacities. I have a SANS GIAC GSNA, ISACA CRISC, and the ISC^2 CISSP along with traditional BS and MS degrees.  I volunteer for OWASP, participate in ISACA, and am a member of various computer & security meet-ups.  I’ve been to Black Hat, Defcon, HOPE, and other random conferences.  I’ve taught Infosec to newbie pen testers and to people in the boardroom. I’ve found security issues in software and hardware in your data center and got the vendors to fix them.

In other words, I’m just like you, and I’m sick of paying $85 for nothing.  I appreciate your nominations for the ISC^2 Board of Directors.  If you have questions, drop me an email; otherwise, please nominate me to appear on the ballot.

-jay ball, GSNA, CRISC, CISSP

[Updated 2013-08-21 19:17 – added tax return]
Original post by veggiespam