Information Systems Security Association (ISSA) is not the only organization failing to act and protect people
Arlene Yetnikoff wrote on LinkedIn that ISSA-International was not taking anonymous complaints that were detailed and factual because “Several fear, with justification, physical and defamatory reprisals for speaking out.” (emphasis added)
On November 12, 2023, we broke the initial story that the current ISSA-LA Chapter President, Richard Greenberg, CISSP, was Accused of Fraud, Malfeasance, and Breach of Fiduciary Responsibility. We also wrote that several organizations were notified of this fraudulent and unethical behavior. Several organizations, including the International Information System Security Certification Consortium, refused to act on detailed and factual complaints because the submissions were anonymous.
The International Information System Security Certification Consortium, better known as ISC(2), is the organization behind the industry certification Certified Information Systems Security Professional, or CISSP. The CISSP is marketed as “the gold-standard information security certification.”
We at vBTruth interviewed one individual in early November and reviewed months of email correspondence from one individual begging both ISC(2) and ISSA to act. Despite ISC(2) and ISSA being told in writing that the individual has “fear of reprisal, retaliation, retribution, duress, intimidation, malice”, the concerns were shut down and caught in procedural technicalities that centered on the need to disclose the victim’s identity to the perpetrator, despite the fears being shared and justified. This article focuses on ISC(2).
Months Long Ordeal
On August 31, 2023, ISC(2)’s Ethics Committee received a whistleblower email sharing concerns about ethics and compliance violations, citing violations of the ethical rules on “acting honorably, honestly, justly, responsibly, and legally”. The whistleblower email included a comprehensive, detailed description of the victim’s concerns, including several artifacts such as legal filings and screenshots.
ISC(2) declared in multiple Internal Revenue Service (IRS) Form 990 tax filings that they do have a whistleblower policy. vBTruth was unable to locate such a policy online, and it appears that other individuals made similar requests in the past.
On September 5, 2023, Assistant General Counsel Alex Rosenfeld responded to the victim that they must submit a signed, notarized complaint and that they intend to disclose the victim’s identity to the ISSA-LA Chapter President despite being informed of the fear of retaliation. Unusually, Assistant General Counsel Rosenfeld asked for evidence despite previously being provided the evidence in the August 31, 2023 whistleblower email.
On September 6, 2023, the victim responded to Assistant General Counsel Rosenfeld that they were seeking another process because the ISC(2) policies do not protect their identity. They stated that the confidentiality agreement on ISC(2)’s website does not adequately protect them:
The board and its agents undertake to keep the identity of the complainant and respondent in any complaint confidential from the general public. While disclosure of the identity of the complainant will be avoided where possible, upon filing a complaint, the complainant implies consent to disclose (their) identity to the respondent (perpetrator), where the board or its agents deem it necessary for due process. Actions of the board may be published at its discretion. Parties are encouraged to maintain confidentiality and certificate holders are reminded of their obligation to protect the profession.
The victim was unwilling to put their livelihood at risk because the concern of reprisals was too great. They immediately asked for an exception to the policy and asked to remain anonymous.
The email negotiation between the victim and Assistant General Counsel Rosenfeld continued throughout the month of September. It appears Assistant General Counsel Rosenfeld had multiple conversations with members of the ISC(2) Ethics Committee, composed of ISC(2) Board of Directors members Samara Moore, Laurie-Anne Bourdain, Dan Houser, and Edward Farrell.
Starting on September 18, 2023, the victim included Samara Moore, Chair of the Ethics Committee at ISC(2), in the email conversation, urging and begging ISC(2) to resolve the impasse over the mandated disclosure of their identity.
In an email on September 18, 2023 to both Assistant General Counsel Rosenfeld and Ethics Chairwoman Samara Moore, the victim writes “If ISC(2) accidentally discloses my name or identity against my direct or indirect wishes, it will be very detrimental to my career. I very much doubt ISC(2) will be offering me a six-figure salary and a career at ISC(2) for the remainder of my life.”
On September 26, 2023, the discussion focused on “not disclosing the victim’s identity without their consent”; however, the responses do not appear to have allayed the victim’s concerns.
On September 27, 2023, Assistant General Counsel Rosenfeld wrote to the victim, “…as previously communicated, we undertake to keep the identity of the complainant and respondent in any complaint confidential from the general public. While disclosure of your identity will be avoided where possible, where/if the Committee deems it necessary for due process, we will reach back out to you for your consent to share your details. If you choose not to allow us to use your name, the committee will determine whether it can proceed with the available information with the necessary redactions.”
When we asked the victim in our interview why that was not satisfactory, the victim’s concern was that, as they understood ISC(2)’s position, the Committee would very likely need to disclose their identity as part of due process. The Committee would need the victim’s name and a signed/sworn affidavit. Given the victim’s unwillingness to disclose their identity, the whole endeavor would be a mere exercise in futility. ISC(2) would have the sole power to dictate terms to the victim.
On September 29, 2023, the victim appealed directly to the ISC(2) Board of Directors, requesting that they be allowed to remain an anonymous whistleblower and that the Board grant an exception to the policies at ISC(2). In the email to the Board of Directors, the victim writes:
“I continue to express concern that the confidentiality policy and process being proposed is insufficient because the accidental, intentional, or unintentional disclosure of my identity would be detrimental to my career.”
The victim also expressed that “The individual I am reporting shall and will view this as a great affront, escalate the situation, retaliate, and seek retribution” and that “Similar individuals who share similar concerns on this CISSP certification holder and ISC(2) member have unanimously agreed that to proceed with a signed affidavit and full disclosure of my identity …would effectively paint a target on me.”
The victim also expressed (emphasis added) that they “have a genuine fear and concern that should my identity be disclosed, there would potentially be a physical confrontation, altercation, and my physical life safety would be placed at risk.”
The email was sent to all members of the board; however, based on the emails we reviewed, only ISC(2) Board of Directors members James Packer, Laurie-Anne Bourdain, Dan Houser, Rachel Guinto, Samara Moore, and Guy Ngambeket received it, because several email addresses were guessed and there was no list of email addresses published on the ISC(2) website. We observed a series of emails showing that several messages were not properly delivered. It is reasonable to conclude that six of the twelve members of the Board of Directors received the appeal asking for board consideration of anonymity and whistleblower status, three of whom sit on the Ethics Committee.
On October 12, 2023, ISC(2) General Counsel Graham Jackson emailed the victim to schedule a call to discuss the nature of their concerns. Based on our conversation with the victim in early November 2023, the victim felt there was some positive progress in their phone conversation on October 21, 2023; however, they still felt they did not have the necessary assurances that their identity would be protected, despite being assured by the ISC(2) General Counsel that their identity would not be disclosed without permission.
While the victim respects and understands the procedural hurdles that maintain the integrity of the ethics process so that there is not a deluge of false ethical complaints, the victim still felt the hurdles were extremely advantageous to the perpetrator and not balanced.
Our Analysis and Thoughts
When we reviewed months of emails between the victim, the two attorneys, and subsequent conversations that included Ethics Chairwoman Samara Moore, and a direct appeal to the Board of Directors, one quote the victim wrote struck me deeply:
If ISC(2) does not act, chooses not to act, or fails to act, it puts our certifications at risk because the very core tenet of our profession is ethical behavior. To continue to not act means all holders of ISC(2) certifications will face devaluation of the certification because it now raises questions of integrity of all ISC(2) members. ISC(2) can no longer guarantee that its members are ethical.
While it is not mandatory for a nonprofit organization to possess a whistleblower policy to maintain its tax-exempt status, the IRS views the adoption of such a policy as a commendable governance measure. This practice aids in safeguarding the organization’s assets, ensuring their consistent utilization in alignment with its exempt purposes. The whistleblower policy can include volunteers and members.
Despite the Form 990s we reviewed stating there is a whistleblower policy, our impression is that there is no whistleblower policy. The response by ISC(2) is insensitive and callous at best, and seems to set the stage for a physical altercation and harm at worst.
It would seem ISC(2)’s Board of Directors, Assistant General Counsel, and General Counsel are holding steadfast to a process despite having a whistleblower policy. They seem unwilling to find a reasonable means to protect the victim’s identity while getting to the bottom of fraud, corruption, breaking the law, and clear ethics violations. The General Counsel, the Assistant General Counsel, and members of the Board of Directors seem unwilling to consider, let alone grant an exception despite being presented with overwhelming evidence. Even without the affidavit, it seems reasonable in this reporter’s eyes that given so much independently verifiable evidence, the Ethics Committee could move forward to evaluate the matter at hand. The emails we reviewed suggest that both the ISC(2) Ethics Committee and Board of Directors are choosing to ignore the matter on a procedural technicality because they must know the identity of the victim despite being presented with overwhelming evidence.
The victim is also directly telling ISC(2)’s Board of Directors and General Counsel that they fear being harmed physically and losing their livelihood during tough, challenging economic times should their identity be disclosed. The victim is forced to pick between filing an ethics complaint and losing their career, left with a tarnished reputation, unemployed, unemployable, and hungry on the streets. Adding insult to injury is the possibility of spending months healing from their physical wounds and emotional distress from potential assault and battery.
Any reasonable individual would pick their personal welfare over an ethics complaint because the ethics complaint yields no real tangible benefits, personal or professional.
The CISSP states the first priority is life safety. Human safety. Life security has precedence and priority above all else. That includes written policies.