CISSP Price Hike Dismays Certified Security Professionals

(ISC)² has increased its annual membership fee (AMF) for security professionals by 47% from $85 to $125. This will include holders of the most popular professional certification, CISSP. The new fee is fixed, whether the professional holds one or multiple (ISC)² certifications. For individual cert holders it is an increase; for multiple cert holders it will be a decrease. In tax terms, this makes it a 'regressive' fee: the holders of a single cert (which will include the less affluent members) will be subsidizing those who hold multiple certs (likely to be the more affluent members).

The fee is also being switched from payment in arrears to payment in advance. The next normal payment for all members will consequently be $125 more than their last payment. If members elect to pay their next fee in advance of the due date, it will be pegged at the current $85 -- and the increase to $125 will not come into effect until the following year.

In a statement, (ISC)² told SecurityWeek, "Annual membership fees (AMFs) are used by (ISC)² to directly support the costs of maintaining the (ISC)² certifications, related support systems and management of the association. For many years, (ISC)² has managed to avoid raising these fees while maintaining the highest standards in support of our certifications and systems despite rising costs."

It added, "We feel that our members receive a very strong return on this annual investment through the many valuable benefits they enjoy including new immersive professional development courses, discounts on learning materials, conferences, services and support, and much more."

The members themselves, however, do not currently seem to agree. On Wednesday, one posted a question to the member support forum: "Your new annual membership Fee is now $125! How do you feel about that?", adding "I think this is disgusting... It's extortionate." At the time of writing, there are 49 comments on this thread, almost all of them critical -- and some highly critical.

But not all -- some members will benefit. One commented, "With (ISC)² I have 3 certs right now, so I'm one of the few who will actually benefit from the change. I will probably get more (ISC)² certs because I already have to pay the AMF, so as many have guessed for me it's an incentive."

SecurityWeek approached a leading CISO holding multiple certifications for his take on the issue. He asked to remain anonymous. "ISACA provides better material and more real-world training (including COBIT)," he said. "(ISC)² has always felt like a cash cow." His concern is that organizations like (ISC)² -- which are commercial enterprises, not educational establishments -- are transforming cybersecurity from a profession into a business where possession of a certificate is valued more than practical skill.

To be fair, this CISO's views are echoed by many of his peers commenting on the forum. Concerns range from belief that the price rise is unjustified and unfair to disparaging comparisons with other organizations.

One pointed out that the certification is required by many employers, such as the DoD with reference to DoD 8750, who won't pay the fee out of their own funds. Another added, "Is (ISC)² really so out of touch with the US Federal space that they think this is wise timing? Contractors have lost a month of pay - with no end in sight." Many feel they are a captive revenue source, because even outside the federal space, their employers require the certification. Their fear: no cert, no job.

(ISC)² has contacted SecurityWeek to clarify that it will not seek payments from anyone impacted by the federal shutdown. This will include both employees and contractors. "Externalities like the current U.S. government shutdown and associated political dynamics are a moving target. We are providing more than five months for our association members to work through this change, and can make accommodations for any members impacted by the government shutdown. Any members impacted by the shutdown should contact Member Services."

There is also a smattering of more militant members. One commented, "What exactly does (ISC)² do for us members? What exactly do they do for us worth $125/year? The only way this can possibly change is if we all collectively stand up and say no more. We do have the power. I know a lot of us are scared to drop an (ISC)² cert for fear of losing a job opportunity. If we as a community stand up, we change that."

The final comment at the time of writing says, "I would not be surprised if a legal challenge is being considered against this price increase and the (ISC)² board; possibly crowdfunded by the members. Some people will accept the hike, some people will leave (ISC)², and some may fight it."

But while the overriding sentiment on this forum is negative, one simple fact remains. At this point, fewer than 50 members out of a U.S. membership of 84,557 (as of 31 December 2018) have complained.

*Updated to include clarification from (ISC)² on flexibility for those affected by the U.S. Government shutdown

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.