The Home of ISC 4 The People


Wednesday 5 September 2012

Why vote for me to be on the Official ballot for the ISC (2) board this year

I am going to be as direct as I can. I don't need to waste time with an empty promise list just to try and inspire someone who doesn't know me or is on the fence, to vote. Here are the things I wanna see happen:
IMAGE OF THE BOARD: Who is the board? (I dunno? I think they are the ones that spam us with election stuff but I can't name a single one of them!):

Until last year, when Wim Remes got elected to the board, I did not know the name of one ISC(2) board member. That's a pretty big problem to me. It is much akin to people not knowing who a senator is, or a governor, or even the mayor. For a body that has control over my certification and has the ability to take it away, I would think I should know who the board members are. Moreover, if I don't know who they are, how can I know they are acting in my best interest as a certificate holder? In this same breath, I'd like to ask: "If I don't know them and I don't know what they are doing, and out of the 80k+ CISSPs that are certified, what if only 2500 vote?" This is a massive issue. I am not really comfortable saying 3% is an "ok" majority to determine the leaders. The problem here isn't just "how do we get more people to vote", but how do we get people to see that voting will matter and their vote will count for something. All of this boils down to the feeling that I have had since I got my CISSP. To me the board has always been this "Ivory Tower" organization with little or no connection to the community at large practicing InfoSec on a daily basis. THIS MUST CHANGE. It can't only change for the vote to actually represent the people; it must change to increase the value of the certification in the first place. CISSPs all over the world need names and faces of people they can go to when all else fails. The marketing and FAQs on the site are a great start, but it is time we take a bit more pride in this community. No more hiding behind the curtain. If you are a Board member, I am calling every one of you to the mat to prove YOU are going to make a difference. If you think that is going to take too much time or impede your life (since this is a volunteer position) then guess what? Gracefully bow out and let someone willing take the hands-on approach that most seem to have cowered away from.

Resolutions:

Well, this one is going to take a lot of work from each individual board member. People are going to have to figure out how "IN" they really are. I'll tell you this: I will have an email address set up and in many cases will be happy to give you my cell phone number if there is something I think I can do to help change. Hell, I'd like to set up a monthly town hall meeting to hear what's going on in the CISSP world around the globe and get some actual feedback from those of you in the trenches every day. I don't want some survey company or form, I want to talk to REAL people with REAL issues and have them be on the docket for the board to attempt to address. *"Oh Chris, you are creating so much work!"* Tough shit. Life is hard. No more free passes! Name and signature on the line, y'all. It's long since time for the board to do some WORK for this organization!

Transparency: What does the board do?

Well, they make rules? I think? Or they decide how money is spent? Um? Or they make test questions? Or they decide how ISC(2) will stay in business? Maybe they... um... Uuhhh... Forget it.
"The (ISC)² Board of Directors is comprised of information security professionals from around the world representing academia, private organizations and government agencies. All volunteers and (ISC)²-certified, the Board provides governance and oversight for the organization, grants certifications to qualifying candidates and enforces adherence to the (ISC)² Code of Ethics."
Well, that's what they say they do. How? Magic, I'd imagine. There is little to no mention (unless you dig for hours) of how this governance works or even the real objectives. Again, NOT ACCEPTABLE. I firmly believe that this organization that is there to provide governance and oversight should have transparency at all levels. Without the ability for members to see how those principles are being carried out, we are being governed by an absentee tyrant. If the organization attempts to have a pseudo-democracy then they need to follow some of the basic tenets of a democratic process. Democracyweb says it best:

"In a democracy, the principle of accountability holds that government officials, whether elected or appointed by those who have been elected, are responsible to the citizenry for their decisions and actions. Transparency requires that the decisions and actions of those in government are open to public scrutiny and that the public has a right to access such information. Both concepts are central to the very idea of democratic governance. Without accountability and transparency, democracy is impossible. In their absence, elections and the notion of the will of the people have no meaning, and government has the potential to become arbitrary and self-serving."

So why am I so hot on this topic? Well, a simple Google search will let you know how "transparent" the org is. How many CISSPs are there in the world (69,489 in August, 2010, but why no numbers available since)? What is the budget? How are their dues spent/allocated? What is the 1 year plan? 3 year plan? 5 year? How about a basic value proposition? Anything??? I am sure it's out there somewhere, but it is not easy to find, and THAT in itself shows the lack of transparency that exists. This is an organization that took in US$9.827 million in 2010; what did they do with that money to add value to our certification, and more importantly, our security community?

Resolutions:

  • Create an open and publicly viewable accounting ledger. I'd love to see where my certification money goes and I am sure you would as well!
  • Live meetings: The senate and house have been doing this for years. Why can't the board give a live feed into their meetings? What secrets are told behind the closed doors? I am sure there are things that are competitive (though I don't know the competitor too well) or trade secret info, and I can dig why those things have to be in private, but EVERYTHING? Come on! Let's be a little less shady and show as a board that we are dealing with some of the issues/concerns of certificate holders. Let's even let em watch!! Imagine that? We can have town hall meetings and feedback forms... THEN you could see them actually being discussed?! Crazy?!

Community involvement:

I don't need a cocktail party once a year at some conference I wouldn't attend in the first place. That doesn't help me. It doesn't show me your value; it shows me that you are trying to buy my love. No thanks. How about we reinvigorate the local groups? How about we spend that money on continuing education instead of hors d'oeuvres? How about we start INVESTING the money back into the community instead of lining another hotel pocket? After starting BSides with an amazing crew of passionate InfoSec people, I learned that it is not how much you spend, rather it's how much work you put into it. Again, hard work and dedication are gonna bring this one to a close. Not just buying me off with a crappy well drink and a preso about how much other stuff ISC(2) is doing to promote a new certification. Just imagine if we could inject a little of the BSides love into the org? Free conferences, seminars, workshops, and people getting together because they share a passion for the industry, not just to have their cheesepuff and bounce before the preso starts. The CISSP community has a wealth of TALENT AND EXPERIENCE. Let's tap into it instead of tapping it out.

Resolutions:

  • Sponsored/free events
  • Increased education
  • Networking connections and career enablement
  • ISC career center? A place to help get work/skills and move forward in the profession
  • Working on reinvigorating the energy of the organization (which, to me, has been coasting on its laurels for a LONG time (10+ years))
  • Providing a mentorship program for prospective and present members
  • Increasing the value of the certifications through clear definition of their purpose
  • Overhaul the CBK to emphasize Current
Further, tear down the "Good Ole Boys' club". There are more CISSPs than ever before and many of the board members have been in a seat for YEARS! Some of them have even been a president before. Where has it gotten us? To a place where respected professionals are willing to burn their cert in protest because the board doesn't have a connection to the InfoSec industry of today. It is a different world out there, and the lack of real world and relevant RECENT experience is driving the reputation into the ground.

While this may come across as a rant, I am simply calling it like I see it. I own a company, I'm not afraid to get fired, and I am sure as hell not afraid to speak my mind. Guess what? I'll prolly swear, get emotional, make a fuss, and talk out of turn. I'll also be the first one to cheer over any small win that is had. This is a passionate field and there is no place anymore for an exclusively formal process. Security is a feeling... time to have some.
If you want to know more, or add to the things that need to change, or just chat about what is going to happen moving forward, please reach out to me. If you think that some of the things that I am talking about resonate with you and want me on your side then I humbly ask for your signature in the petition to allow me to run for the board and your vote when it comes time. 
To support the petition, please send me an email from your ISC(2) registered address requesting my name to be added to the election ballot, along with your CISSP# as these are required per board rules. Please send this to:

cnickerson@isc4thepeople.com

by September 17, 2012.

You can also reach out to me on twitter to start a discussion about improving the ISC(2):

@isc4thepeople or @indi303

Remember, there are FOUR board spots open this year, and if you REALLY want to see change, there are others that are running for the board that come from a similar background and idea level!

I implore you to check them out and give them your vote to make our change as dramatic and swift as possible:
 
Dave Lewis

@gattaca <http://twitter.com/gattaca>

Vote for Dave <http://www.liquidmatrix.org/blog/vote-for-dave/>

votedave@liquidmatrix.org

 

Scot Terban

@krypt3ia <http://twitter.com/krypt3ia>

ISC2 Board Candidacy<https://krypt3ia.wordpress.com/2012/08/23/isc2-board-candidacy/>

drkrypt3ia@gmail.com

 

Boris Sverdlik

@jadedsecurity <http://twitter.com/jadedsecurity>

Vote for Boris <http://jadedsecurity.net/2012/08/22/isc2-bod-vote-2012/>

isc2board@jadedsecurity.com

 

I’m Chris Nickerson, and I am running for an ISC(2) board position. Before I go into what I plan as my platform, I’ll give you a little background on me.

I am the son of a construction worker and a hairdresser. I grew up in Connecticut in a town called Rockville. We had a high crime rate, a diverse and giant class, an awesome marching band and jazz program, tons of crazy fights and gangs, and a myriad of other things that gave us a bit of an unsavory reputation. Through all that, a few of us in the area would get together on a regular basis to tinker with a PCjr that a buddy's dad had, starting when I was in grade school, and kept it up well into high school. We helped start the first 2600 meeting at Buckland Hills Mall in CT just so that we could learn more. I have had my head in a book, burning my eyes on the monitor reading, or asking questions of the people so much smarter than me ever since then. *You can ask my mother about our $800 phone bill after I got my first TURBO mode 300/900 baud modem and again… when I got that super rockin USR 19.2 later on*

It has been one amazing tidal wave of information since those days. One of my first jobs was working in a movie theater cleaning up and trying to get enough money to get a computer of my own. Then I got smart and got a job with a newly opened GATEWAY computer center as a tech. From there, I helped open a tech support bench for BestBuy (how else was I gonna afford all the toys?). After working at Gateway and BestBuy I realized I was hooked. I wanted to learn more. I took a few swipes at college (KState) but couldn’t find the courses that would teach me the things I was looking for. At the time I was very interested in telephony, networking, and even how exploitation worked. I had followed BBSes, groups like L0pht, and others for years. I even went out to Las Vegas to Defcon to try and find a place to learn and was met with an entire community of people “like me.” I think that was the turning point; after learning more than I had ever imagined at Defcon, going back to high school and college seemed “too slow.” I spent a brief stint in the military (NAVY) before getting a medical discharge, hoping I could get a little closer to the technology and subject field I was craving information for. When I healed up and got back, I immediately started on the path to get into the IT field. At the time the MCSE was hot and it was in my sights. I took the entire MCSE+I for NT4/2000 in 4 weeks. I sat in my little apartment reading all day and taking tests every Friday and sometimes 2 a week. That eventually landed me a job at Shook, Hardy & Bacon (1998). I got pulled on as a trial site coordinator. I was the one who would fly out, set up the entire office and connect them back to the main office. Then one dreary night my boss (Sherwood Archibald, a man I consider a mentor still today) called me when a core switch went down *thanks 3com* and there was no one around to get it fixed.

From that long night buried in books and manuals to fix the problem, I was baptized by fire in my networking career. Within a few weeks, Arch had promoted me to Sr. network engineer. I handled everything from a full network redesign/rebuild to our first internet connection (with a Sidewinder firewall), and I had offices to support all over the world: tunnels, security, design, hardware, and more. From the work I did there, I moved on to Sprint to work in corporate security. I came into Sprint as a Sr. Security Architect. We had an amazing team of infosec professionals that was allowed to voice opinions and help design just about every solution going in or out of the company globally. We managed security devices, built new technology, and worked in just about every domain of security possible. This is where I got my CISSP. Our whole team was encouraged to get a CISSP in 2000 and we went into study mode immediately. About 1 month later we sat the test and passed. Later on in my time at Sprint I held positions and worked in the SOC, SERT, Pentesting, Executive services and other areas. At the end of my term I was the Sr. compliance manager, as I started to see the value in testing/assessment as a way to trend a security program and inspire growth (2005). I then moved to Denver to take on a position with KPMG. They were looking to up their technical testing side within assessments and I wanted to help out. I learned a great amount about the formal procedure of audit and the stringent guidelines of how they execute. The entire time, I had been going to Defcon/Blackhat and many other security conferences all over the globe. Needless to say, as much as I learned, I found out quickly I AM NOT A SOX AUDITOR! So, I worked at Alternative Technology (now Arrow Electronics, a 12bn VAR/distributor). I built a security services team that conducted Risk Assessments, Penetration Testing, Application Testing, and even FULL SCOPE Red Teaming.

Working there I was able to build an unknown practice from 1 person to 10 people due to hard work, awesome teammates and a passion for what we do. (This is also when they decided to make the TV show about us, “Tiger Team.”) I eventually branched out and started my own firm to get deeper into the testing and protection of my clients. Today I am the CEO of LARES, I work on projects from pentesting to risk assessment and red teaming, and I am a member of an absolutely amazing team of people I respect immensely.

Why tell you all this? Well… I want you to know where I come from. I have been working in almost EVERY single domain of security for 14 years, and could even claim that since I was 12 I have had my head in networking and operating systems every day. I grew up working hard and have done so throughout my career with the values instilled in me by my parents and mentors. I am willing to fight for what I believe in and dig in until it gets done. I came from the bottom and had an amazing community around me to teach me every aspect of the infosec domains. I am finally at a point where I can give back to the amazing community that got me where I am today and pay respect to the industry that has grown around it.

So that's me in a nutshell, and I’m running for an ISC(2) Board position to make a change, give back to all of you who helped build the industry we are in, and create an open venue to invite the new professionals into the field.

Thursday 30 August 2012

I can FEEL a change

Many of you may have seen through the other AWESOME candidates that the ISC is requiring we have ALL petition support EMAILED as opposed to using a web form. So let's get that out of the way. My email address is

cnickerson@isc4thepeople.com

Ok... now, this lil snafu has brought up some great conversation that has even further given me the hope that the organization can change. I was contacted directly by Dan Hauser (who is currently on the board) and he informed me that we MUST have email to help with fraud prevention. I have to say I was a bit shocked that he was proactive about it and it recharged my hope that this whole campaign to petition could actually help out. So... thanks Dan! I figured you guys would spring it on us at the last second =)

There is a reason for that tho. I am a security person. It is really ALL I do and ALL I've done my entire life. From living in the hood to working the InfosecSaltMines, when there is some magic group of people that I don't know controlling some part of my life I think it's shady. I immediately jump to conclusions (/me pulls out my jump to conclusions mat) and think

  1. they are out to get rich
  2. they are planning on fucking me over... that is why they don't let me get to know them
  3. they are doing something shady, that is why they are hiding

In reality, to me, the board is an unknown. I DON'T TRUST THE UNKNOWN!!!!! I have a feeling that most of you don't either. This little email snafu has clarified one HUGE point I intend to make on the board. TIME TO GET OUT INTO THE REAL WORLD. Look, if the people who hold certs don't know you then how the fuck can you represent them? Really? I have been a CISSP for 10+ years and this last year was the first time I knew a board member's name. That is not OK.

We need, as a board, to be able to represent the needs of the people and architect methods of communication that let them know their voices and concerns are heard. We need to act in a SELFLESS manner and be spokespeople FOR the people. There shouldn't be this idea that just one sect of people, based on how voting occurs, bylaws, and overall interactions... get voted in over others. We need to represent the ENTIRE COMMUNITY, not just the ones with enough time to make fictitious charts to show dots in some quadrant and steer hard working companies to burn money on shit that has never been PROVEN to work in the real world.

  • I wear t-shirts
  • I swear
  • I drink
  • I smoke (sometimes)
  • I am loyal to my own detriment
  • I have a RELENTLESS PASSION for my profession
  • I stay up all night working (often)
  • I drive a truck
  • I screw up
  • I yell
  • I lose my temper sometimes
  • I wear my heart on my sleeve

I think there are more of us with the traits above than we are willing to admit. Time to get some representation from the ditch diggers and have some REAL conversations where EVERYONE is held accountable for THEIR words... not just a group of unknown people sitting in a tower wondering how to next inspire the Gen X, Millennials, and whoever else... to join their club.

Also, for all of you that don't know, there are others like me hoping to get in this year. The more of us from this sect of security, the more we will have in numbers to enforce change. I implore you to check em out... decide on your own... and vote. You can get up to 4 of us in. So let's get this shit going and stop with the paperwork.

Dave Lewis, @gattaca, Vote for Dave: votedave@liquidmatrix.org, http://www.liquidmatrix.org/blog/vote-for-dave/

Scot Terban, @krypt3ia, ISC2 Board Candidacy: drkrypt3ia@gmail.com

Boris Sverdlik, @jadedsecurity, Vote for Boris: isc2board@jadedsecurity.com, http://jadedsecurity.net/2012/08/22/isc2-bod-vote-2012/

Monday 27 August 2012

Renderings from one of my favorite artists @sudux Mar Williams

Change

Thursday 23 August 2012

Transparency.... that's how this starts

So, I put in a Board application for 2012 and was denied. Here it is! Maybe this blog will let me explain myself more clearly.

2012 Board Candidate Application Form

Name: Chris Nickerson
Phone:
Country/Region: United States
Address: Street unit C, Denver, Colorado 80203
Email: Cnickerson@laresconsulting.com
(ISC)² Certificate #: _xxxxxx
(ISC)2 Certification(s) Held and Certification Date: CISSP: 2000/2001? (was looking for this info on the member site but could not confirm)
Other Certification(s) Held and Certification Date: CISA: 04, ISRM, IEM/IAM, MCSE, CCNA, NSCE

1. Education:

Some College @ KState Certifications

2. Information Security Experience : Infosec Practitioner since 1998, Experience OTJ in all Domains during various held positions

3. Leadership/Management Experience: 98-01 Shook, Hardy & Bacon: Sr. Infosec/Network Administrator; 01-06 Sprint: Lead Security Architecture Engineer, Sr. Compliance Manager; 06-07 KPMG: Lead Infosec Assessment Analyst; 07-09 Alternative Technology: Director, Information Security Services; 09-Curr: LARES: CEO

4. Relevant Business Experience and/or Employment: Same as above

5. Why are you interested in serving on the (ISC)2 Board of Directors, and where would you like to lead (ISC)² as a Member of the Board of Directors? For far too long, the board has been seen as an “Entity in the sky.” I believe that this lack of perception that the board members are in the trenches has caused the overall slide in reputation. While I do not believe this is true, I feel that the board needs to grow its “street” presence and I would love to help lead that charge. The community at large was built in a grass roots way and the reconnection to its origins can reinvigorate the org, brand, and value of the certification process overall.

6. What are the specific areas of expertise that you bring to the (ISC)2 Board? Being the CEO of a high end, boutique security consultancy offers me an intimate view of what is working and not working at the Global 10 and below. This unique position of being both an advisor and a mock adversary of the organizations allows us a broad view of the industry and its practices. In addition, I have worked in the largest major areas of security (carrier environments, Big 4 audit firms, legal, and advanced/industry leading edge services).

7. What would you like to see done to improve the (ISC)2 contribution to the information security community? ISC2 needs to work on its brand image. From the trenches, the average CISSP has questions about the value of the cert as well as the support of the organization. To begin to fix this, ISC needs to contribute its amazing resource of “RELATIONSHIPS” and begin to leverage that to benefit the community. Community outreach programs, grassroots functions, better social media tone, increased branding awareness, defining a common goal that is supported in tone by ALL efforts, and more. The Organization needs to learn from the success of the Obama campaign *no tie to my political views… just was an amazing case study in branding and awareness*. Buying drinks and appetizers at an event only lasts an hour or two; teaching and sharing the connections of ISC2 will last an entire career.

8. What experience do you have working within a volunteer/charitable organization? As one of the Founders of BSides and board member of other Not for Profit organizations, I have a very clear view of what is required to build, market, brand, maintain, and grow charitable organizations. If a record is required please take BSides: a FREE string of conferences held around the globe for the growth of knowledge and connection of the Infosec community. 3 years ago we had 2 events. Today we have thrown over 70 events with 10 that repeat year over year, launched 15 Not for profits to support the events, and touched every single continent.

9. Other volunteer commitments: I am involved in BSides at a global level still, but the time commitment has been significantly reduced, as I have passed on the torch of “MY” events to others wanting to run the daily effort. This position is the only one in consideration currently for my time allotted to community improvement and a reconnection to its roots.