My visit to ISC2 HQ in Alexandria, VA
I was at ISC2 HQ in Alexandria, VA on 1/31/2023 and met with
- Clar Rosso, CEO
- Yiannis Pavlosoglou, Board Chairperson
- Tammy Georgelas, Board of Directors Counsel

1. We each gave brief introductions of ourselves and backgrounds. Yiannis seemed generally surprised at the amount of experience I have in the field and the many things I have worked on over the years. I explained that having been affiliated with NSA all these years, I generally kept a low profile, but since I am nearing retirement now, that doesn’t matter as much. I gave him some specific things he could look up if he was not familiar with what I have accomplished, including being the technical lead for the CARNIVORE evaluation, the NSA evaluator of the original RADIANT MERCURY guard, and having implemented an NSA proprietary PKI algorithm in the early 1980s before the techniques were even widely known. I think that put him in a different frame of mind, as I think he thought I was just some troublemaker.

2. The petition submission to call for a special meeting to vote on the alternative proposals for the By-Laws has been accepted.
The initial submission of 530+ had 498 valid signatures. I was given a list of those that were not accepted, and a list of general reasons why they wouldn’t be accepted. I submitted another 35 that came in while the original submission was being validated. There were at least 2 of that group that were valid, putting the total number over the 500 threshold. The Board lawyer said that since there are no defined procedures for such submissions, there is no reason why the 500 could not come from multiple submissions, and because of the nature of the petition, there is no time limit for gathering the signatures, so the petition drive is deemed successful. Details on next steps below.

3. The BoD is forming a By-Laws Committee.
I was asked to serve on this Committee. I said that I would do so, but not until after the vote on the proposals submitted. I suggested that the work of that Committee should wait to see the results of that vote, so they know the baseline from which to start. Yiannis tried to convince me that I should just work with the Committee. I explained that the proposals are not just mine. I coordinated them with dozens of people that made suggestions for improvement, many of which were accepted. Therefore, while I am representing this effort, I am hardly the sole author and therefore cannot simply set aside the work of others just to work with the new Committee instead. I also noted that over 500 members have asked to have a vote on these proposals. It is not up to me to simply set aside the wishes of over 500 of our members.
Yiannis said that in accordance with the by-laws, he would within 90 days set a date for the meeting and vote. First steps though are to have the lawyer and the Committee review the proposal to ensure that the proposals do not create conflict with Massachusetts Corporate Law or create undue risk for the corporation. He does not know of any based on his reading, but it is a necessary step. Estimated time for the review is no more than a month. At the end of that review, we will get together again to discuss the results and how to proceed, whether there are minor tweaks to be made or the proposals move on as is. Yiannis will set the special meeting date after this has been completed.
I noted that I should not be part of that review, and they agreed. However, I offered that if there was any question of intent of the by-laws changes that was not already adequately explained in the rationale, I’d be happy to participate in that respect.
Bottom line is that progress is being made.
4. I was given a number of documents to review, including the minutes of all the 2022 Board meetings. The minutes are written at such a high level that there really isn’t much to be gained by reading them. There were one or two interesting tidbits, which because of my NDA, I cannot disclose. Nothing too exciting.

5. We then turned to free flow discussion.
First topic was the election. I expressed that I thought the open call for nominations was a great change because in the past, there was nothing to explain how people got nominated in the first place. However, submitting oneself was pretty much a “fire and forget” exercise. There was no information provided to anyone on what the process would be from the point of submission and forward. Clearly I understood that they did not have the time to interview all 87 candidates. There had to be a down-selection to narrow that focus. I asked if they had developed and used some kind of rubric to score the initial applications (they did, but not discussed), and how they reconciled scoring differences between evaluators. Supposedly they got together to review the individual scores and those kinds of discrepancies. Once they got to 17 candidates, 1 dropped out, and 1 they could never agree on a time for interviews, so only 15 people were actually interviewed. They claim that each candidate was asked the same set of questions. It was also noted that they were careful to recuse themselves for any members with whom they had prior knowledge or affiliation. Yiannis noted that all this explanation was coming from Clar, as he recused himself from the whole process due to being a candidate.
Then we got to the contentious part of only 5 candidates being selected for 5 open positions. I said that while I was disappointed not to have been chosen for the ballot, with as many people as submitted, I was sure there were plenty of qualified people. What really upset me was that the membership was having their voice taken away by not having a choice. The perception is that the Board and the Nominating Committee think they know what is best for the organization and the membership is not qualified to make that judgement. It created the perception that they knew in advance who the candidates would be, and simply got them to self-submit and, what do you know, they popped out the back end of the process as the candidates. Whether or not that is the way it happened, that is the perception, and perception is often reality.
I then moved on to the request that we made for a one-time email announcing that we would be trying to petition our way onto the ballot. It was rejected because we were told the rules had changed. I noted that I just finished reading the 2022 minutes of the Board meetings, and there was no mention of this. Yiannis said it was true that they did change that rule. I pointed out that it was never announced to the membership and the Election FAQ still said that such an email would be sent. The FAQ was changed the day after our request without even noting the update. I called that practice unethical. If the Board screwed up by not announcing the change and not updating the FAQ, then ethically and professionally they should have honored the request. The best I got from Yiannis and Clar was an admission that yes, they screwed up and should have granted the request.
I noted that one of the emails about the election or the results stated that the Committee interviewed more than 80 candidates. Clar interrupted and said, “reviewed and evaluated submissions from over 80 candidates”. I said that if it had said that, I wouldn’t be complaining, but it specifically said “interviewed”, which is a lie. If the organization is going to issue what is essentially a press release, the organization needs to ensure that the facts are correct.
There was then more discussion about “slate” vs. “ballot”. I said I didn’t want to debate the semantics of either word. The issue is that the selection choice was taken away from the membership. I was certain there were plenty of qualified people to present 10 people for 5 open positions. Clar stated there were dozens of qualified people. I then asked why the Nominations Chair, Jill Slay (now vice-chair of the BoD) was quoted as saying, “We were never in the situation where we had to exclude really good people as far as I am concerned.” I noted that I personally took that as an insult and so did many of the other candidates that were not selected. I said that if she really feels that way then she is not fit to serve on the Board of Directors and should resign. I offered to get them to the exact minute and second of the BrightTalk session in which she said that. They declined, but insisted she must not have meant exactly what came out, but I noted that it was her justification for only 5 names.
Conversation moved onto the by-laws proposal. It has been stated by Zach Tudor that the Board did engage with membership before submission. I have yet to find anyone that knew the contents of the proposal until the day it was released, which was right as the vote opened. Yiannis asked how the Board should have engaged. I said there were multiple ways. First, there is a members-only section of the Community Boards on the ISC2 website, a perfect place for such collaboration. However, except for a few “Hi, I’m running for the Board, ask me anything” posts, the Board has never used the Community Board. I noted the Board has always been invited to the [email protected] discussion group. There are groups on LinkedIn, Reddit, and other places that are more public, but would still reach the membership. Even an email blast that explained that this has been proposed and that we want you to review and provide feedback would have been helpful. I noted that the proposals submitted with the petition were coordinated using several of those methods. Yiannis agreed there needs to be much better interaction between the Board and the Members, but did not state any particular initiative to make that happen.
That pretty much wrapped things up. I did have a conversation in private with the attorney in which I discussed the makeup of the Ethics Committee and what is required by the By-Laws. She agreed that the plain English reading calls for 1 Director and 2 or more non-Directors as members of the Committee. I said that the current Committee was not validly constituted, and hasn’t been for some time, since there are multiple Directors on the Committee. I noted that the Committee was designed to hear ethics complaints against members and thus it was to be a committee of their peers, not discipline by the BoD. Thus it was set up to have a Board member run the Committee, but all the other members to be non-Directors. She agreed to look into this.
I think this meeting had much useful discussion, but the proof of whether it really was useful will be seen in what happens going forward.

Steve Mencik

Strategic advisor | Translating cybersecurity to business | Engaging Fortune 100 C-suite and Board, private equity (PE), and company owners | vCISO | Step Zero rapid cybersecurity estimates for M&A and compliance gaps
1 year
Following carefully as I suspect are others unwilling to comment

I help business leaders manage cybersecurity risk to enable sales. Virtual CISO to SaaS companies, building cyber programs. | vCISO | Fractional CISO | SOC 2 | TX-RAMP | LinkedIn Top Voice
1 year
Steve, I really appreciate your efforts in trying to drive change and meeting with the board. Also, this write-up is fantastic. Every ISC2 member should read it. One item that I am particularly interested in is an audit of the last board election. I want to know the number of votes for each successful board member, how many write-in votes they got and who were the top ~five vote getters. Even puppet dictatorships publish election results even if they are fake. The fact that a member organization does not publish the results does not speak well to the culture of transparency at ISC2.