Former chair bemoans ‘coup by governance’

Former chair accuses security certification body (ISC)² of promoting a series of undemocratic changes to its bylaws

Security certification body (ISC)² is being accused of promoting a series of ‘undemocratic’ changes to its bylaws.

(ISC)² – the International Information System Security Certification Consortium – is a non-profit organization providing training and certification for cybersecurity professionals.

Over the last two years, it has been carrying out a review of its practices around committees, nominations, and governance. The aim, it said, is to create a more inclusive organization that is better positioned to serve the needs of the security profession.

Bylaw amendments

The proposed bylaw amendments, announced earlier this month, include allowing the establishment of other non-voting membership classes, adding the chair as an officer of (ISC)², and updating standing committees to include ones overseeing audit, compensation, CEO succession, nominations, and risk.

There is also a new mission statement, reading: “(ISC)² exists to strengthen the influence, diversity, and vitality of the cybersecurity profession through advocacy, expertise, and workforce empowerment that accelerates cyber safety and security in an interconnected world.”

However, some of the proposed changes have raised concern.

Member engagement shortcomings

According to Wim Remes, a former board member who spent three years as (ISC)² chair, the organization currently has a poor record on member engagement, with election turnout averaging only around 4%.

As things stand, 500 endorsements are required for members to raise a petition. However, the new proposals would see this figure raised to 1% of the 170,000-odd members.

“This effectively shuts down an important relief valve in corporate governance, in my opinion, and is not in the interest of the membership,” Remes told The Daily Swig.

“It’s already impossible to get up to 500. It’s unthinkable anybody would make it to 1,600, [or] to 2,000.”

Membership slate

Also in the pipeline is a significant change to the process for electing the board of directors. If approved, this would remove the option for a write-in candidate and have the board submit to the membership a slate of qualified candidates equal in number to the open seats.

“Combined with making the petition process harder – if not impossible – this is as close to a coup by governance as one could get,” Remes argued. “They still call it an election, but it is officially a coronation.”

Meanwhile, the Ethics Committee is to be eliminated as a standing committee of the board.

“I don’t know what the plan here is, but our profession stands and falls by ethics,” Remes explained. “I can’t find a rationale that would explain how we, as members, would not want the board to ensure that professional ethics are maintained by members.”

Case for the defense

Clar Rosso, CEO of (ISC)², defended the changes, stating they are aimed at making the organization more inclusive and globally representative.

“The proposed bylaw changes, which members will vote on, reflect not only creating a more inclusive organization, for example, eliminating the English fluency requirement and introducing best practices in term limits and nominations processes, but also modernize the bylaws by using gender neutral references to board officer position and moving our ethics process from one that is majority board-run to a process that is adjudicated by a broader cross-section of members,” Rosso told The Daily Swig.

“Additionally, many of these bylaw changes are reflective of best practices of other similarly-sized associations, and some simply provide clarity and ensure legal compliance with applicable state and federal laws. The (ISC)² board of directors, comprised entirely of member volunteers, supports the proposed changes.”

Members can vote on the proposed bylaw amendments from now until November 19, with proxy votes applied to a final bylaw vote due to take place during the annual meeting on December 14.
