[This post is primarily meant for ISC2 Members but it might be interesting for security people in general, as I think what we need to do is not limited to a particular organization within our industry. It is a fight we need to fight together. For better or worse.]
You can read about the general idea behind my campaign for the ISC2 Board of Directors here.
You can read about what I've already done in my first "tour" on the Board here.
The past is the past. Between November 16th and November 30th, ISC2 Members vote for 4 new directors and they will have their work cut out for them. As much as you may believe that being a board member is a job without responsibility and a token position, it definitely is not. To my own detriment, I take this uncompensated responsibility very seriously and I want to make a difference. First and foremost for the membership, but also for our profession and our industry.
1. ISC2 needs to represent our interests. Left, right, and center.
I've said this before and I'll say it again: In all the important debates about information security - whether they are held in Washington DC, in the European Parliament, or anywhere else - ISC2 is absent and silent. As the organization that represents the largest number of security professionals in the world, we cannot afford to leave our voice unheard. On topics such as securing the Internet of Things, Export Control, and other legislative issues involving information security, we need ISC2 to be vocal and to take the responsibility to inform all parties without bias.
How can we do that?
The first step is engaging the membership. ISC2 will need to leverage the active membership it has to keep a finger on the pulse of all things information security around the globe. This can happen through a closer relationship between the organization and the chapters. The structure we built through the chapters is our biggest asset to create one voice that represents members, and industry, globally.
Secondly, ISC2 needs to strengthen its relationships with peer organizations in the industry. This has happened over the last few years, but I strongly believe we can do more. At this moment our profession is represented by "cavaliers seuls" and does not have the credibility it should have.
Third, we need to engage individuals outside the membership to weigh in on topics that ISC2 doesn't traditionally have a lot of credibility in so the organization can represent a balanced opinion, educate policy makers, and positively influence society.
One of the topics at hand is security research related to exploit development and export controls. Here I call for the immediate creation of an advisory council that has the ability to help the organization form the language on much-needed global education on the topic. The members of this council do not necessarily need to be ISC2 members. They need to be recognized experts on the topic that are willing to devote their time to doing the right thing.
2. We need to define what Security Engineering means.
[I understand that Engineering is a term some people are passionate about. I am not trying to find an alternative to the formal engineering science. I am open to suggestions to replace engineering with a better term.]
Some of my friends have heard me talk about this topic for a while now. It is something I wanted to kickstart in my first term on the Board, but that didn't happen because there were other priorities. I want to make it a priority in my next term, if allowed.
Security today is no longer a tale of firewalls and antivirus. As we build and use technology that influences our very lives, security is present on every level of those technologies. Starting at the hardware level, over the network and operating systems, through to the database and application technologies.
Saying that a single certification covers all of those areas is a lie. Fact is that we have no way to identify and recognize the security engineers that organizations so sorely need.
What I want ISC2 to build is a certification track that is aligned with engineering principles to provide certifications that allow us to educate, train, and certify those security engineers.
This will not be a certification that you can go to a bootcamp for and pass. The people that go through the whole track, eventually, will be the people organizations can rely on to build a secure IoT, secure vehicles, secure web technologies, secure ICS environments, etc. etc.
It is something we are missing, and it is something we sorely need. I will make it my priority from the moment I rejoin the board.
3. Make a more efficient Board of Directors
Without a doubt the most frustrating part of my first term on the Board of Directors was the significant amount of time we, as a Board, spent on managing ourselves. This Board's time should be spent on the strategic issues affecting the organization and its membership.
Currently the Board has 13 members while the ISC2 Bylaws prescribe a minimum number of 7 members. There is no way for the members to evaluate the effectiveness of the individual Board members and make an informed decision on whether they are representing their interests. From my personal experience, not all Board members contribute to the common goals and in many cases the number of uninformed opinions actually detracts from the tasks the Board has.
There are 3 things I want to achieve here:
1. I want the Board to reduce its number of members to 9 over the next 3 years. That is 2 more than the Bylaws prescribe and 4 fewer than there are now. This will considerably lower the cost related to the Board by itself. It will also force the Board members to be active because in a larger board, there is more room to hide in the shadows of those that do the work. Additionally, it forces the Board to rely on other members for the committees. This also feeds the leadership pool that the Board draws from, which is needed with the new and stricter term limits.
2. I want the Board to develop transparent communications about the performance of the Board in general and individual Board members specifically. Just like you know about how your representatives in government perform (absence, voting record, involvement in committees, bills proposed, etc.), ISC2 members have the right to know what their Board and its members do (or don't).
3. I need the membership to become more engaged with the Board of Directors. With 100000 members, we have a lot of brainpower, great ideas, and unlimited motivation to do positive work in our industry. Without the contribution of the membership, the Board cannot be efficient. If I make it back to the Board in 2016, I will do my utmost to bring the Board to the membership and the membership to the Board.
I hope you are with me, because I am going all in on this one.