Increasing Organization’s Credibility

May 12, 2016 by Infosec

When it comes time to hire professionals to work within your business, it’s crucial that you make the right decision. Obviously, there will be vastly differing criteria depending on the position in question – an office assistant will require a different skillset than, say, a mailroom employee.

However, when it comes to the information security professionals working within an organization, one thing applies to virtually all positions. CISSP certification is an essential consideration. Why? Really, it all comes down to credibility and protection.

Why Does Credibility Matter to Businesses?

Credibility – it’s a term that is bandied about a great deal today without a lot of explanation. What does it really mean, not just in the broadest sense, but for your organization?

Merriam-Webster defines it as, “The quality or power of inspiring belief; the capacity for belief”.

In the question of credibility for your business, the former is the driving force behind the choice to hire CISSP credentialed professionals.

Credibility is the “quality or power of inspiring belief”, but whose belief? Your customers. Your suppliers or vendors. Your clients. Even your staff and C-level execs. Credibility, or the belief that your organization can do what it promises, builds trust, which feeds into building your brand’s reputation and cementing customer or client loyalty.

Remember that people do business with those they trust and like. A credible business is liked and trusted. Credibility is therefore one of several components that go into creating trust. Of course, there are myriad reasons that credibility matters to businesses today, but few hit closer to home than information security – the safety of the personal, financial and proprietary information within your organization.

As the incidence of hacking, viruses, phishing attacks and employee missteps rises, the need to safeguard that data against breaches of all types becomes even more obvious.

In the Information Security Handbook, Fifth Edition, Harold Tipton and Micki Krause point out, “As part of the price of doing business, companies continue to span the bridge between the Internet and their own intranets with mission-critical applications. This makes them more vulnerable to new and unanticipated security threats. Such exposures can place organizations at risk at every level – down to the very credibility upon which they build their reputations.”

And, make no mistake. Your organization is at risk. Yes, there are obvious targets, like insurance companies, or major businesses like Home Depot or Sony. That does not mean a non-global organization does not suffer the same risks to its information security, though. According to ISACA, the threats facing businesses of all sizes in 2016 and moving forward include the following:

  • Social engineering
  • Insider threats/employee errors
  • Advanced persistent threats (APTs)

The organization goes further. In a news release, ISACA announced, “According to the findings, the cybersecurity skills gap continues to pose a significant obstacle to organizations seeking to expand their cyber workforce. Close to half of those surveyed worldwide report that they are hiring more cybersecurity professionals in 2016, yet fully 94% of those hiring say it will be difficult to find skilled candidates.”

CISSP certification is the answer to this conundrum. By ensuring that the information security professionals you hire hold CISSP certification from ISC2, you build credibility, foster trust, and enhance your organization’s reputation, while providing greater protection for the information within your organization.

Due Diligence Jobs and Due Diligence Work

Like credibility, due diligence is a term more frequently heard than defined these days. Most have been told, “Do your due diligence,” but what does that actually mean? And how does it apply to information security?

Due diligence is defined by Merriam-Webster as, “The care that a reasonable person exercises to avoid harm to other persons or their property; research and analysis of a company or organization done in preparation for a business transaction (as a corporate merger or purchase of securities)”.

Really, it means “requisite effort”, or the effort required to ensure that what is being presented is accurate and true, and that there are no hidden pitfalls of which you are unaware. Depending on the industry in question, due diligence can take many different forms. For instance, the ICAEW notes that due diligence plays a key role in finances, in law, in commercial operations, in taxation, IT systems and more.

Due diligence is a crucial component of the CISSP exam that any would-be credentialed professional must pass. Professionals must understand not only what due diligence is, and how it might apply when working with an employer, but the difference between due diligence and due care, and how these two concepts integrate within an organization.

Due diligence can be thought of as the research, fact finding and information gathering that must be done prior to a decision being made. It involves risk analysis, fact verification, information aggregation and a great deal more. For instance, if you were to partner with an organization, part of the required due diligence would be to ensure that the potential partner organization is compliant with specific industry rules, regulations and laws (HIPAA, HITECH, ISO, etc.).

Due care, on the other hand, is the responsibility that must be taken to ensure that the services an organization offers follow the rules, regulations and laws as specified. The issuer behind CISSP certification, ISC2, states, “The lack of due care is often considered negligence, and in most countries is actionable under law. If an organization is legally mandated to comply with regulations or information security requirements, knowingly or unknowingly neglecting those requirements could lead to legal exposure from a due care perspective.”

Depending on the industry in which your organization operates, you may have any number of due diligence jobs that require skilled, certified professionals. A small sampling of such positions includes the following:

  • Cybersecurity compliance analyst
  • Information security senior analyst
  • Security engineer
  • IT security specialist
  • Lead information systems analyst
  • Security and information protection director
  • Security operations specialist
  • Security intervention specialist
  • Information systems security officer
  • Data analyst
  • Cyber threat and risk advisor
  • Chief information officer

These are just a few examples of due diligence jobs within a myriad of organization types. Each of these positions will require that the professional filling the role performs due diligence work. What does that mean, though? Obviously, the steps taken will vary from one position to another.

Due diligence work could involve ensuring that the right safety practices are in place for employees at workstations and for those using their own devices to access company-held information in a BYOD situation. It could mean ensuring that, prior to partnering with another company or purchasing a system or software solution, the security of that platform is fully vetted and all ramifications of its use are completely understood.

In short, due diligence work on the part of a CISSP credentialed professional in a due diligence job ensures safety, protection, compliance and credibility for the organization as a whole.

CISSP Global Recognition

Given the number of information security credentials out there, it is natural to wonder why CISSP certification carries so much weight. There are several reasons for this.

According to ISC2, “CISSP is the gold standard information security certification and was the first credential in the field of information security, accredited under ISO/IEC Standard 17024. A CISSP is an information assurance professional who defines the architecture, design, management and/or controls that assure the security of business environments. The vast breadth of knowledge and the experience it takes to pass the exam is what sets a CISSP apart.”

One of the most important reasons to require this credential is that CISSP certification is actually the oldest in the industry. However, being the oldest does not equate to being stagnant.

The CISSP examination is regularly updated to ensure that credential holders are up to speed on historic, current and emerging information security threats and risks. In addition, the three decades in which the certification has been in existence ensure a vast body of knowledge is available to certificate holders.

Another reason is that, simply put, CISSP certification has become the gold standard for the information security sector. Today, an increasing number of employers require this certification in order to apply for most infosec positions, and even more state that holding such certification is preferable.

Of course, possessing CISSP certification ensures reliability and competency in a new hire. Perhaps this is the reason that it is now a requirement for the NSA.

The global recognition of CISSP certification is due to these factors and many others. As the gold standard of the information security industry, CISSP certification is accepted by global brands like Google and IBM, as well as by government agencies, nonprofit organizations and more.

Other benefits to hiring CISSP credentialed professionals include the fact that they will speak a “common language”. ISC2 provides vendor-neutral certifications. This means that credentialed professionals are not tied to a particular vendor’s language, and can communicate with professionals dealing with a wide range of platforms. This eliminates misunderstandings, ambiguity and more.

Due Diligence in Hiring

Now that you can clearly see the importance of hiring CISSP credentialed professionals for information security positions within your organization, a word or two should be said about the need for due diligence when hiring.

CISSP certification is crucial, but it is your responsibility as the hirer to ensure that certification is current. Like many other credentialed professionals, CISSP holders are required to undergo continuing education and ongoing training periodically.

Failure to do so results in the revocation of their credentials. However, that does not mean that a previous CISSP cannot pass him or herself off as a current CISSP. They would still possess a good deal of the required knowledge and specific skills, but they would not be up to date on current and emerging threats, which puts your organization in danger.

Since you cannot simply take an applicant at his or her word about the status of their CISSP certification, it is crucial that you’re able to verify its validity. ISC2 provides a centralized means of verifying this information online with the organization’s verification system.

To verify a potential employee’s credentials, simply visit the page, and provide their first and last name, as well as their certification/designation number, and then click the search button.

You’ll be provided with the applicant’s full name, as well as their city, state and country of residence. Beside the name, you will find a list of ISC2 certifications and designations that the individual holds. Note that the page displays only exact matches on first name, last name and certification number.

Of course, this is only the first step in conducting your own due diligence during the hiring process. Many other steps may need to be taken, depending on the nature of your organization, the nature of the position in question, the type of information handled by your organization, and other considerations.

In Summation

It is more important than ever before that organizations are able to build credibility with their customers and clients, vendors, suppliers, partners and others. Increasingly, this means taking the steps needed to ensure the security of information within an organization’s network, including preventing both internal and external threats from compromising that security.

One of the best ways to increase credibility is to ensure that you have the right people in key positions within the organization. CISSP certification ensures that information security professionals have the knowledge, skills and abilities needed to perform due diligence work, and uphold the responsibilities inherent in due diligence jobs.

While numerous other information security credentials are available, only CISSP is considered the “gold standard”. Only CISSP certification guarantees vendor neutrality, and is globally recognized and accepted. No other certification carries the same mandate from global organizations, and no other certification is in the same demand.
