Hiring Qualified Professionals

June 26, 2019 by Infosec

CISSP Overview

What does CISSP® stand for?

It stands for Certified Information Systems Security Professional, the premier standard in the field of information security.

Who is responsible for the certification?

(ISC)² is the clever name for the non-profit International Information System Security Certification Consortium (IISSCC).

What’s so special about (ISC)²?

It has been called the world’s largest IT Security organization. In 1988, a coalition of several organizations met in order to establish the desperately needed Common Body of Knowledge (CBK). Their goal was to create a standardized and unbiased certification program that was not tied to any vendor. It would establish structure and provide a clear measure of competence for the entire industry.

How long has it been operating?

The organization was officially founded in 1989 and finished developing the CBK in 1992. Two years later, the first credential, the CISSP, was launched.

How does hiring a CISSP benefit me or my company?

CISSPs, in order to maintain their certification, need to collect a certain number of “points” every year. This involves studying, reading certain texts, writing books, or acting as insightful critics of their fellow professionals.

This assures uniformity across the industry so that everyone is on the same page. CISSPs do not get surprised, because they’re constantly in touch with the industry and aware of new developments.

Best Hiring Practices

Requiring CISSP for positions is a terrific policy, but CISSP holders may be just a little hard to find. Right now, there are only 106,000 (ISC)² members in the entire world who hold the CISSP certification. That number is spread over 160 countries. Best advice? If you encounter one of these men or women in the wild, hire him or her right away because, if you don’t, your competitor will.

Remember, the CISSP has been adopted as the baseline for the NSA’s ISSEP (information system security engineering professional) program, which was developed in conjunction with the NSA.

It’s Meaningful

Once someone is fully certified, they have to maintain the credential by recertifying every three years. They must also submit 40 continuing professional education (CPE) credits each year, for a total of 120 CPEs over the three-year period.

Thus, the CISSP certification is not to be taken lightly. The examination takes six hours to complete and has 250 questions; many are four-answer multiple choice, but they also include two new features since 2014 called drag-and-drop and hotspot questions.

As you can see in the example, drag-and-drop provides 60 opportunities to get the answer wrong, and only one to get the answer right. In this case you would have to drag both ElGamal and RSA, and none of the others, to be correct.

The scoring for the test remains the same, requiring 700 of the 1000 points for a pass. These new features do not change the length of the test, but they do measure more skills and higher cognitive levels and realistically simulate what would be encountered in the field.

Why Would an Employer Want to Hire a CISSP?

There are numerous ways that employees with CISSP certification improve the quality of the position. They have access to members-only resources that keep them apprised of, and allow them to research, vulnerabilities in tens of thousands of products. They use proprietary, cutting-edge algorithms to identify, collect, index, and prioritize brand-new threats to security systems.

CISSP-certified employees have other value-added services to enhance their value to your organization, including their organization’s partnership with the United Compliance Framework (UCF). This company developed a proprietary compliance data framework to offer an exclusive Common Controls Hub (CCH) that (ISC)² uses to access more than 90,000 mandates from more than 800 laws and standards from around the world.

This means CISSPs can define the scope and meet regulatory requirements anywhere on the globe. They can create custom control lists in mere minutes, defined by market segment, geography, or vertical industries.

Is There Justification for My Employees to Get Certified?

Of course there is! As mentioned, there are currently only 106,000 individuals with the CISSP certification in the entire world. There were over 65,000 positions listed last year in the United States requiring CISSP. The clearest benefit of certifying your own people is that it saves you the long, drawn-out searching time.

More important, your own people are familiar with your existing system. They know your priorities and they understand the intricacies of the way that your business works.

As a great side benefit, it increases your status with your customers if they know that you have a CISSP associated with your organization. They know that you take your security seriously and that any data they leave with you is in good hands.

Achieve CISSP certification by enrolling in a training boot camp like the one offered by InfoSec Institute.

They Stay Up to Date

You don’t have to worry about their skills being up to date. As a condition of their CISSP certification, they are obliged to fulfill requirements every year, and recertify every three years, or they lose their certification.

That means they attend online (ISC)² e-Symposiums, ThinkTANK security analysis webinars, From the Trenches webinars, Security Briefings webinars, and three-hour EMEA webinars on a quarterly basis, acting as an international summit. They are also entitled to discounts to attend other industry-related conferences, saving you money.

They Reflect Well on Your Company

(ISC)² presents annual awards that confer status on your organization when your employee wins, such as the Harold F. Tipton Award, specifically celebrating individuals for their lifelong contributions to the advancement of the information security profession. Or consider the Information Security Leadership recognition programs, which give awards in the Americas and the Asia-Pacific, and to U.S. government workers.

They Benefit the Community

In addition, (ISC)² operates the Safe and Secure Online Program, where members volunteer their time to teach young children ages 7–14 how to protect themselves online.

They Advance Education

(ISC)² also presents the International Academic Program (IAP) in cooperation with institutions of higher learning to support the development of programs to teach about cyber, information, and software security. This means not only can universities enhance the professional development of their staff, but students can also pursue their (ISC)² CISSP simultaneously with their degrees so that they are fully prepared to be accepted into the working community as (ISC)² associates when they graduate.

Jobs with CISSP Certification

What types of jobs would benefit from a CISSP?

  • Security analyst
  • Threat vulnerability manager
  • Cyber security specialist
  • Information security analyst
  • Information security manager
  • Security consultant
  • Director of accreditation & information assurance services
  • Cyber security watch officer
  • IT or IS auditor
  • Cyber vulnerability specialist
  • Endpoint security specialist
  • Cyber security engineer
  • Information security officer
  • Information technology director
  • Security architect, IT
  • Information security engineer
  • Information security risk manager
  • Penetration tester
  • IT security operations manager
  • Global information security & compliance manager

Clearly this is not an exhaustive (or even particularly comprehensive) listing, but it gives the general idea. There are literally thousands of jobs going unfilled because of a lack of qualified candidates.

Lack of Understanding

Some employers don’t seem to grasp that CISSP certification cannot be obtained until someone has at least five years’ experience in the field. These employers seek CISSPs for entry-level positions, which is silly because those people simply don’t exist.

A rich benefactor can’t simply buy a CISSP for their child or progeny; obtaining it requires both education and practical experience (and the ability to pass the exam). Even then, it requires continuing education for the rest of their careers to maintain the certification.

The Takeaway

CISSPs are not lightweight neophytes—they’re experienced professionals who not only know their way around information security, but can prove it because of their familiarity with the Common Body of Knowledge, as opposed to being merely well-educated. They have tools that are available exclusively to them because of their certification and the nature of their profession.

They have a deep understanding of the security principles, concepts, and methodologies that can be put to work on the first day to improve your organizational security. These folks are not like daffodil bulbs that you plant in autumn and wait until spring to see if you got any results. They’re ready to go from the time they walk in the door, securing your business functions and infrastructure, enhancing the handling of your services or products, or implementing technologies and strategies for best practices to keep your company up to date and ready to take on the nasty cyber world.

They have expertise in numerous areas, including laws and regulations, forensics, computer crime, risk analysis, countermeasures, cryptography, disaster recovery plans, both physical and software security, network vulnerabilities, types of attacks, and so much more. They are a real bargain—if only they were not so hard to come by.

If you can’t find a CISSP to hire, you can always “grow your own,” and ultimately they’ll end up with a deeper and more comprehensive understanding of your business as a result. Have your own people trained, if they have the chops for it. Failing that, hire a brilliant new graduate and steer him or her towards CISSP certification. Just make sure that, once you have a CISSP, you hang on to them.

Remember: When you train your staff, it is an investment; don’t make the mistake of thinking of it as an expense. There is no better competitive asset than a highly skilled workforce.
