Try 3, after a hiatus...

My name is Seth, and I would like to run for one of the available seats on the (ISC)2 Board of Directors.

The first time I tried this, I learned about the election process right as it was announced. I'd recently been involved in a number of discussions about the CISSP exam, the certification, and its future, and I decided I wanted to do what I could to improve the certification and the (ISC)2 organization as a whole.

I quickly put up a site in an attempt to collect petition signatures to get myself on the ballot. I figured I'd try to get people's attention with an informal, offbeat way of presenting myself: as a member of a community, instead of a distant and inaccessible person, not much more than a name on paper.

Because I received many replies to my petition request, and they were almost all overwhelmingly positive, I tried again. I presented the same image: as a member of a larger community, trying to gain greater representation within the organization for those of us "in the trenches."

The second attempt resulted in more signatures, but it is overwhelmingly difficult to reach out to such a large number of people with a specific certification, given only one mass e-mail to the entire community. Once again, I did not reach the number of signatures necessary to get on the ballot. However, I learned a lot about using social media to target specific, small communities (it doesn't work so well). Since then, I've been working on targeting and engaging the CISSP community both on- and offline, at every event I attend.

What do I want to make happen?

Coming from a primarily technical background, I would like to help (ISC)2 improve the technical quality of its exams. I believe the management side, the policy and procedure side, is sufficiently well-represented within the Board of Directors; I'd like to see a minimal amount of representation from someone on the other side of the infosec divide.

I want to make the certification exams offered by (ISC)2 more respected on a technical level. While I understand that the exams are not focused on technology -- "Security Transcends Technology", even! -- this is not a valid reason for exams that have outdated, misleading, or incorrect material.

I want greater accountability from (ISC)2 to its members. This is focused on (but not limited to) exam procedure and feedback. If there is a problem, it should be acknowledged and addressed in a reasonably transparent manner.

I want the purpose and scope of the (ISC)2 certifications to be well-defined. The CISSP certification is considered the de facto standard for technical security jobs; if it is not designed to do this, there should be clear guidelines from (ISC)2 on where it is appropriate and inappropriate to be gauging the skill and qualifications of a job applicant depending on whether they have the certification.

I want (ISC)2 to stand behind the people who make it exist. I do not agree with the way (ISC)2 has handled a recent incident involving a computer security professional, Byron Sonne, who had his CISSP certification suspended on accusation of a crime. While I understand the motivation to protect the organization given the way the CISSP name was being used in the media, professionals are required to subscribe to the Code of Ethics to hold a certification; the organization should stand behind its members, and point to that Code, until it has been proven that the member violated it.

In summary:

I would like to improve the way the (ISC)2 certifications are viewed by the parts of the infosec community that are more technologically oriented: the innovators, the researchers, the hackers. I'd like for my demographic to be better represented within (ISC)2; I think it would benefit both us and the infosec community as a whole. There's a large divide right now, and it's growing. I'd like to fix this.

How you can help!

(ISC)2 has announced six candidates for the upcoming election for four board seats. In order to be added to the ballot with these six candidates, I will need 500 (less than 1% of the entire (ISC)2 member base, they have changed the policy to make it slightly easier) signatures for a petition. Signing the petition does not imply that you are voting for me, only that you would like to see me added to the official ballot.

The first step is to collect the 500 signatures. To sign my petition, send me an email at For it to count, you'll need to:

This needs to be done by 5:00pm EST on 19 September 2011.

While 500 people may not seem like a large number, getting the word out to this many people is a very difficult task. The first time I tried this, I received nearly 300 signatures, the second time just over 400. However, many members do not see the "e-blast" with people on the petition and have no idea that I am trying this. You can help by spreading the word in any way you can: forums, local meetups, Twitter, anything. This really is the most important thing you can do to help.

Finally, should I make it on the ballot, I'll still need to win the election. Don't forget to vote!

About me: my bio, where I talk about myself in the third person!

Seth Hardy is a Senior Security Analyst at the Citizen Lab, Munk School of Global Affairs, University of Toronto. Prior to the Citizen Lab, he worked for a large anti-virus vendor. Seth has worked extensively on analysis of document-based malware and AV evasion methods. Other areas of experience include: provably secure cryptography, random number generators, and network vulnerability research. Seth has spoken at a number of security conferences including Black Hat, DEF CON, SecTor, and the CCC.

Seth has degrees in both Mathematics and Computer Science from Worcester Polytechnic Institute. He enjoys teaching and getting up in front of an audience; he's presented his work at a number of meetings and conferences worldwide, ranging from security group meetings, to high school classes, to large conferences such as Black Hat, DEF CON, ShmooCon, and the CCC Congress. He holds the (ISC)2 CISSP certification as well as the GIAC GREM Gold certification.

In his spare time, Seth provides free Internet services such as email and web hosting for over 100 people, and has developed a strong community called aculei animi around this technical core. He is one of the founders of the Toronto hackerspace HackLab.TO, and the makerspace Site 3 coLaboratory. He currently serves on the board of directors for Site 3 and for another local arts non-profit.

More information about me instead of Google-stalking:

Seth's Resume

Seth's LinkedIn page

Questions, comments, thoughts?

Please feel free to email me with questions, to make suggestions, or to share your thoughts.

I'll do my best to respond to every email, but please be patient and understanding if it takes a while. I got a lot of emails last year.