Chapter 2
IN THIS CHAPTER
Staying active as an (ISC)2 member
Discovering the joy of giving back
Working with others in your local security community
Getting the word out about CISSP certification
Bringing about change in your organization
Advancing your career with other certifications
Finding a mentor and being a mentor
Achieving security excellence
Although this book is devoted to helping you earn your CISSP certification, we thought it would be a good idea to include a few things you might consider doing after you’ve earned your CISSP.
So what do you do after you earn your CISSP? There are plenty of things you can do to enhance your professional career and the global community. Here are just a few ideas!
Unless you work for a large organization, there probably aren’t many other information security (infosec) professionals in your organization. In fact, you may be the only one! Yes, it can feel lonely at times, so we suggest you find ways to connect with infosec professionals in your area and beyond. Many of the activities described in this chapter provide networking opportunities. If you haven’t been much of a social butterfly before and your professional network is somewhat limited, get ready to take your career to a whole new level as you meet other like-minded security professionals and potentially build lifelong friendships. Remember: It’s not what you know, but who you know — well, what you know matters, too!
If you’re just getting started in your infosec career (regardless of your age or other career experience), you’ll likely meet other infosec professionals who have, at some point in their own careers, been in your shoes and who will be happy to help you find answers and solutions to some of those elusive questions and challenges that may be perplexing you. You may find that you’re initially doing more taking than giving, but make sure you’re at least showing your appreciation and gratitude for their help — and remember to give back later in your career when someone new to infosec asks to pick your brain for some helpful insight.
So, as you venture out in search of other infosec professionals, put your smile on and bring plenty of business cards (print your own if your employer doesn’t provide any). You’re sure to make new friends and experience growth in the security business that may delight you.
Being an active (ISC)2 member is easy! Besides volunteering (see the following section), you can participate in several other activities including:
http://congress.isc2.org
www.isc2.org/chapters. There are many great opportunities to get involved in local chapters, including chapter leadership, participation in chapter activities, and participation in community outreach projects. Chapter events are also great opportunities to meet other infosec professionals.
(ISC)2 is much more than a certifying organization: It’s a cause, and you might even say it’s a movement. It’s security professionals’ raison d’être, the reason we exist — professionally, anyway. As one of us, consider throwing your weight into the cause.
Volunteers have made (ISC)2 what it is today, and they make important contributions toward your certification. You can’t stand on the sidelines and watch others do the work. Use your talents to help those who’ll come after you. You can help in many ways. For information about volunteering, see the (ISC)2 website (www.isc2.org).
The state of technology, laws, and practices within the CISSP Common Body of Knowledge (CBK) is continually changing and advancing. In order to be effective and relevant, CISSP exams need to have fresh, new exam questions that reflect how security is done today. Therefore, people working in the industry — such as you — need to write new questions. If you’re interested in being a question writer, visit the (ISC)2 website and apply.
(ISC)2 now holds more security-related events around the world than it has at any other time in its history. More often than not, (ISC)2 speakers are local volunteers — experts in their professions who want to share with others what they know and have learned. If you have an area of expertise or a unique perspective on CISSP-related issues, consider educating others with a speaking engagement. For more information, visit the (ISC)2 website.
(ISC)2 puts on a fantastic annual conference that is called the (ISC)2 Congress. This conference is an excellent opportunity to learn new topics and meet other infosec professionals. But this conference doesn’t run itself — it’s powered by volunteers! Go to the (ISC)2 Congress website at http://congress.isc2.org to find information about volunteering.
(ISC)2 publishes a quarterly online magazine called INSIGHTS that is associated with InfoSecurity Professional. You can find out more at www.isc2.org/News-and-Events/Infosecurity-Professional-Insights.
The (ISC)2 Blog is a free online publication for all (ISC)2 members. Find the blog, as well as information about writing articles, at http://blog.isc2.org.
The Information Security Journal is a fee-based publication that’s published bimonthly. Find information about subscribing and writing articles on the journal’s information page (www.isc2.org/Member-Resources/Journal). The annual subscription is currently U.S. $45.
The Center for Cyber Safety and Education, formerly the (ISC)2 Foundation, is a non-profit charity formed by (ISC)2 in 2011. The Center is a conduit through which security professionals can reach society and empower students, teachers, and the general public to secure their online life with cybersecurity education and awareness programs in the community. The Center for Cyber Safety and Education was formed to meet those needs, and to expand altruistic programs, such as Safe and Secure Online, the Information Security Scholarship Program, and industry research — the Center’s three core programs. Learn more at www.iamcybersafe.org.
(ISC)2 has developed focus groups and quality assurance (QA) testing opportunities. (ISC)2 is developing new services, and it needs to receive early feedback during the requirements and design phases of its projects. By participating in these groups and tests, you can influence future (ISC)2 services that will aid current and future certification holders.
(ISC)2 has developed a new interactive community that’s full of discussion groups. With more than 16,000 members in the first year, the community is well designed and easy to use. You can sign up and join discussions at http://community.isc2.org.
Many communities have CISSP study groups that consist of volunteer mentors and instructors who help those who want to earn the certification.
If your community doesn’t have a CISSP study group, consider starting one. Many communities have them already, and the organizers there can give you advice on how to start your own. You can find out more at nearby (ISC)2 chapters and other local security groups.
In no way are we being vain or arrogant when we say that we (the writers of this book, and you the readers) know more about data security and safe Internet usage than perhaps 99 percent of the general population. There are two main reasons for this:
A legion of volunteer opportunities is available out there to help others keep their computers (and mobile computing devices) secure and to use the Internet safely. Here is a very short list of places where you can help:
Using a little imagination, you can certainly come up with additional opportunities. The world is hungry for the information you possess!
In addition to (ISC)2, many security organizations around the world have local chapters, perhaps in or near your community. Here’s a short list of some organizations that you may be interested in:
www.issa.org
www.isaca.org
www.simnet.org
www.infragard.net
www.owasp.org
www.asisonline.org
www.htcia.org
www.rims.org
www.societyinforisk.org
www.theiia.org
www.iapp.org
www.drii.org
www.ctin.org
Local security groups provide excellent opportunities to find peers in other organizations and to discover more about your profession. Many people find that the contacts they make as part of their involvement with local security organizations can be especially valuable when looking for new career opportunities.
You certainly can find many, many more security organizations that have local chapters, beyond the ones we include in the preceding list. Ask your colleagues and others about security organizations and clubs in your community.
As popular as the CISSP certification is, there are people who still don’t know about it. And many who may have heard of it don’t understand what it’s all about. Tell people about your CISSP certification and explain the certification process to your peers. Here are some facts that you can share with anyone and everyone you meet:
Promote the fact that you’re certified. How can you promote it? After you earn your CISSP, you can simply put the letters CISSP after your name on your business cards, stationery, email signature, resume, blog, and website. While you’re at it, put the CISSP logo on there, too (just be sure to abide by any established terms of use).
The (ISC)2 online store has a lot of neat stuff, from jackets to shirts to mugs to caps. There’s something there for everyone. The organization introduces new items now and again, and it runs closeout specials. The store is at http://isc2education.org/shop.
Consider adding a few nice polo shirts that sport the (ISC)2 and CISSP logos to your wardrobe. Or really splurge and consider buying a CISSP leather jacket (be cool like the Fonz — except when you say “Aaa!” you’re of course referring to authentication, authorization, and accounting — which we discuss in Chapter 7) or backpack!
Like it or not, security professionals, particularly those with the CISSP, are role models for those around them. From a security perspective, whatever we do — and how we do it — is seen as the standard for correct behavior.
As a certified security professional, you’re an agent of change in your organization: The state of threats and regulations is ever-changing, and you must respond by ensuring that your employer’s environment and policies continue to defend your employer’s assets against harm. Here are some of the important principles regarding successful agents of change:
In business and technology, no one’s career stays in one place. You’re continuously growing and changing, and ever-changing technology also influences organizations and your role within them.
You shouldn’t consider your quest for certifications finished when you earn your CISSP — even if it is the highest-level information security certification out there! Security is a journey, and your CISSP certification isn’t the end goal, but a (major) milestone along the way. CISSP should be a part of your security lifestyle.
(ISC)2 has several other certifications, including some that you may aspire to earn after (or instead of) receiving your CISSP. These certifications are
(ISC)2 has developed follow-on certifications (think accessories) that accompany your CISSP. (ISC)2 calls these certifications concentrations because they represent the three areas you may choose to specialize in:
All the concentrations require that you first be a CISSP in good standing, and each has its own exam. Read about these concentrations and their exams on the (ISC)2 website at www.isc2.org/Certifications/CISSP-Concentrations.
Organizations other than (ISC)2 have security-related certifications, one or more of which may be right for you. None of these certifications directly compete with CISSP, but some of them do overlap with CISSP somewhat.
There are many other certifications available that are not tied to specific hardware or software vendors. Some of the better ones include
www.isaca.org/cisa
www.isaca.org/cism
www.isaca.org/crisc
www.isaca.org/cgeit
www.asisonline.org/certification
The CPP certification designates individuals who have demonstrated competency in all areas constituting security management.
www.asisonline.org/certification
http://iapp.org/certify/cipp
http://iapp.org/certify/cippe
http://ciso.eccouncil.org
http://drii.org/certification/cbcp
www.bcm-institute.org/certification
www.pmi.org, offers this certification.
www.pcisecuritystandards.org
www.pcisecuritystandards.org
www.giac.org/certifications
There are also several vendor-related GIAC certifications mentioned in the next section.
We won’t even pretend to list all the technical and vendor certifications here. But these are some of the well-known vendor-related security certifications:
www.cisco.com/certifications
www.checkpoint.com/certification
http://cert.eccouncil.org
http://cert.eccouncil.org
http://cert.eccouncil.org
http://cert.eccouncil.org
www.cybersecurityforensicanalyst.com for more.
http://certification.comptia.org
http://cert.eccouncil.org
You can find many other security certifications out there. Use your favorite search engine and search for phrases such as “security certification” to find information.
Regularly, technology and security professionals ask us which certifications they should earn next. Our answer is almost always the same: Your decision depends on where you are now and where you want your career to go. There is no single “right” certification for everyone — determining which certification you should seek is a very individual thing.
When considering other certifications, ask yourself the following questions:
If you’re honest with yourself, answering these questions should help you discern what certifications are right for you. We recommend that you take time every few years to do some long-term career planning; most people will find that the answers to the questions we’ve listed here will change.
You might even find that one or more of the certifications you hold no longer reflect your career direction. If so, give yourself permission to let those certifications lapse. There’s no sense hanging on to old certifications that no longer reflect (or help you attain) your career objectives. Each of us has done this at least once, and we may again someday.
If you’re somewhat new to infosec (and even if you’re not!) and you find yourself asking a lot of questions about your career, perhaps you would benefit from a mentor. A mentor is someone who has lived your professional lifestyle and been on the security journey for many years.
We suggest you shop around for a mentor and that you decide on one after talking with a few prospects. Mentors often have different approaches, from casual discussions to more structured learning.
If you’re not sure where to find a mentor, start with one or more of the local security organizations or activities in your area. If you live outside a major city, you may have to find a long-distance mentor. However, the experience can still be rewarding!
As you transition in your career from a security beginner to a security expert, consider being a mentor yourself. You’ll find that, although you’ll be helping another aspiring security professional get his or her career started, you’ll also learn quite a bit about security and yourself along the way.
We think that the best way to succeed in a security career is to pursue excellence every day, regardless of whether you’re already in your dream security job or just starting out.
The pursuit of excellence may sound like a lofty or vague term, but you can make a difference every day by doing the following:
If you make the pursuit of excellence a habit, you can slowly change for the better over time. You end up with an improved security career, and your organization gets better security and reduced risk.