(ISC)² has increased the annual fee for its CISSP certification for security professionals by 47% from $85 to $125. The new fee is fixed, whether the professional holds one or multiple (ISC)² certifications. For individual cert holders it is an increase; for multiple cert holders it will be a decrease. In tax terms, this makes it a ‘regressive’ fee: the holders of a single cert (which will include the less affluent members) will be subsidizing those who hold multiple certs (likely to be the more affluent members).
The fee is also being switched from payment in arrears to payment in advance. The next payment for all members will consequently be $125 more than their last payment.
In a statement, (ISC)² told SecurityWeek, “Annual membership fees (AMFs) are used by (ISC)² to directly support the costs of maintaining the (ISC)² certifications, related support systems and management of the association. For many years, (ISC)² has managed to avoid raising these fees while maintaining the highest standards in support of our certifications and systems despite rising costs.”
It added, “We feel that our members receive a very strong return on this annual investment through the many valuable benefits they enjoy including new immersive professional development courses, discounts on learning materials, conferences, services and support, and much more.”
The members themselves, however, do not currently seem to agree. On Wednesday, one posted a question to the member support forum: “Your new annual membership Fee is now $125! How do you feel about that?”, adding “I think this is disgusting… It’s extortionate.” At the time of writing, there are 49 comments on this thread, almost all of them critical — and some highly critical.
But not all — some members will benefit. One commented, “With (ISC)² I have 3 certs right now, so I’m one of the few who will actually benefit from the change. I will probably get more (ISC)² certs because I already have to pay the AMF, so as many have guessed for me it’s an incentive.”
SecurityWeek approached a leading CISO holding multiple certifications for his take on the issue. He asked to remain anonymous. “ISACA provides better material and more real-world training (including COBIT),” he said. “(ISC)² has always felt like a cash cow.” His concern is that organizations like (ISC)² — which are commercial enterprises, not educational establishments — are transforming cybersecurity from a profession into a business where possession of a certificate is valued more than practical skill.
To be fair, this CISO’s views are echoed by many of his peers commenting on the forum. Concerns range from belief that the price rise is unjustified and unfair to disparaging comparisons with other organizations.
One pointed out that the certification is required by many employers, such as the DoD with reference to DoD 8750, who won’t pay the fee out of their own funds. Another added, “Is (ISC)² really so out of touch with the US Federal space that they think this is wise timing? Contractors have lost a month of pay – with no end in sight.” Many feel they are a captive revenue source, because even outside the federal space, their employers require the certification. They fear, no cert, no job.
There is also a smattering of more militant members. One commented, “What exactly does (ISC)² do for us members? What exactly do they do for us worth $125/year? The only way this can possibly change is if we all collectively stand up and say no more. We do have the power. I know a lot of us are scared to drop a (ISC)² cert for fear of losing a job opportunity. If we as a community stand up, we change that.”
The final comment at the time of writing says, “I would not be surprised if a legal challenge is being considered against this price increase and the (ISC)² board; possibly crowdfunded by the members. Some people will accept the hike, some people will leave (ISC)², and some may fight it.”
But while the overriding sentiment on this forum is negative, one simple fact remains. At this point, fewer than 50 members out of a U.S. membership of 84,557 (as of December 31, 2018) have complained in the online forum.