Chapter 2

Putting Your Certification to Good Use

IN THIS CHAPTER

  • Staying active as an (ISC)2 member
  • Discovering the joy of giving back
  • Working with others in your local security community
  • Getting the word out about CISSP certification
  • Bringing about change in your organization
  • Advancing your career with other certifications
  • Finding a mentor and being a mentor
  • Achieving security excellence

Although this book is devoted to helping you earn your CISSP certification, we thought it would be a good idea to include a few things you might consider doing after you’ve earned your CISSP.

So what do you do after you earn your CISSP? There are plenty of things you can do to enhance your professional career and the global community. Here are just a few ideas!

Networking with Other Security Professionals

Unless you work for a large organization, there probably aren’t many other information security (infosec) professionals in your organization. In fact, you may be the only one! Yes, it can feel lonely at times, so we suggest you find ways to connect with infosec professionals in your area and beyond. Many of the activities described in this chapter provide networking opportunities. If you haven’t been much of a social butterfly before and your professional network is somewhat limited, get ready to take your career to a whole new level as you meet other like-minded security professionals and potentially build lifelong friendships. Remember: It’s not what you know, but who you know — well, what you know matters, too!

If you’re just getting started in your infosec career (regardless of your age or other career experience), you’ll likely meet other infosec professionals that have at some point in their own careers been in your shoes, who will be happy to help you find answers and solutions to some of those elusive questions and challenges that may be perplexing you. You may find that you’re initially doing more taking than giving, but make sure you’re at least showing your appreciation and gratitude for their help — and remember to give back later in your career when someone new to infosec asks to pick your brain for some helpful insight.

So, as you venture out in search of other infosec professionals, put your smile on and bring plenty of business cards (print your own if your employer doesn’t provide any). You’re sure to make new friends and experience growth in the security business that may delight you.

Being an Active (ISC)2 Member

Being an active (ISC)2 member is easy! Besides volunteering (see the following section), you can participate in several other activities including:

  • Attend the (ISC)2 Congress. For years, (ISC)2 rode the coattails of ASIS (formerly the American Society for Industrial Security — we blame Kentucky Fried Chicken for becoming “KFC” and starting the trend of businesses and organizations dropping the original meaning behind their acronyms!) and occupied a corner of the ASIS annual conference. But in 2016, (ISC)2 decided it was time to strike out on its own and run its own conference. In 2017, one of your authors (first name starts with a P) attended and spoke at the first (ISC)2 Congress and found it to be a first-class affair that’s every bit as good as those other great national and global conferences. Find out about the next (ISC)2 Congress at http://congress.isc2.org.
  • Vote in (ISC)2 elections. Every year, one-third of the (ISC)2 Board of Directors is elected to serve three-year terms. As a CISSP in good standing, you’ve earned the right to vote in the (ISC)2 elections. Exercise your right! The best part of this is becoming familiar with other CISSPs who run for board positions. You can read their biographies and understand their agendas if elected. With your vote, you’re doing your part to make sure that the future of (ISC)2 rests in good hands with directors that can provide capable leadership and vision.
  • Attend (ISC)2 events. (ISC)2 conducts several events each year, from networking receptions to conferences and educational events. (ISC)2 often holds gatherings at larger industry conferences such as RSA and BlackHat. Check back regularly on the (ISC)2 website to find out more about events in your area.
  • Join an (ISC)2 chapter. (ISC)2 has chapters around the world. You can find out more at www.isc2.org/chapters. There are many great opportunities to get involved in local chapters, including chapter leadership, participation in chapter activities, and participation in community outreach projects. Chapter events are also great opportunities to meet other infosec professionals.

Tip: It’s important that (ISC)2 has your correct contact information. As soon as you become a CISSP (or before, even), make sure your profile is correct and complete, so that you can receive announcements for these and other activities.

Considering (ISC)2 Volunteer Opportunities

(ISC)2 is much more than a certifying organization: It’s a cause, and you might even say it’s a movement. It’s security professionals’ raison d’être, the reason we exist — professionally, anyway. As one of us, consider throwing your weight into the cause.

Volunteers have made (ISC)2 what it is today, and they make important contributions toward your certification. You can’t stand on the sidelines and watch others do the work. Use your talents to help those who’ll come after you. You can help in many ways. For information about volunteering, see the (ISC)2 website (www.isc2.org).

Tip: Most sanctioned (ISC)2 volunteer activities are eligible for CPE credits. Check with (ISC)2 for details.

Writing certification exam questions

The state of technology, laws, and practices within the CISSP Common Body of Knowledge (CBK) is continually changing and advancing. In order to be effective and relevant, CISSP exams need to have fresh, new exam questions that reflect how security is done today. Therefore, people working in the industry — such as you — need to write new questions. If you’re interested in being a question writer, visit the (ISC)2 website and apply.

Speaking at events

(ISC)2 now holds more security-related events around the world than it has at any other time in its history. More often than not, (ISC)2 speakers are local volunteers — experts in their professions who want to share with others what they know and have learned. If you have an area of expertise or a unique perspective on CISSP-related issues, consider educating others with a speaking engagement. For more information, visit the (ISC)2 website.

Tip: If you speak at an (ISC)2 Congress, your conference fees are waived. You only need to pay for transportation, lodging, and meals.

Helping at (ISC)2 conferences

(ISC)2 puts on a fantastic annual conference that is called the (ISC)2 Congress. This conference is an excellent opportunity to learn new topics and meet other infosec professionals. But this conference doesn’t run itself — it’s powered by volunteers! Go to the (ISC)2 Congress website at http://congress.isc2.org to find information about volunteering.

Read and contribute to (ISC)2 publications

(ISC)2 publishes a quarterly online magazine called INSIGHTS that is associated with InfoSecurity Professional. You can find out more at www.isc2.org/News-and-Events/Infosecurity-Professional-Insights.

The (ISC)2 Blog is a free online publication for all (ISC)2 members. Find the blog, as well as information about writing articles, at http://blog.isc2.org.

The Information Security Journal is a fee-based publication that’s published bimonthly. Find information about subscribing and writing articles on the journal’s information page (www.isc2.org/Member-Resources/Journal). The annual subscription is currently U.S. $45.

Support the (ISC)2 Center for Cyber Safety and Education

The Center for Cyber Safety and Education, formerly the (ISC)2 Foundation, is a non-profit charity formed by (ISC)2 in 2011. The Center is a conduit through which security professionals can reach society and empower students, teachers, and the general public to secure their online life with cybersecurity education and awareness programs in the community. The Center for Cyber Safety and Education was formed to meet those needs, and to expand altruistic programs, such as Safe and Secure Online, the Information Security Scholarship Program, and industry research — the Center’s three core programs. Learn more at www.iamcybersafe.org.

Participating in (ISC)2 focus groups

(ISC)2 has developed focus groups and quality assurance (QA) testing opportunities. (ISC)2 is developing new services, and it needs to receive early feedback during the requirements and design phases of its projects. By participating in these groups and tests, you can influence future (ISC)2 services that will aid current and future certification holders.

Join the (ISC)2 community

(ISC)2 has developed a new interactive community that’s full of discussion groups. With more than 16,000 members in the first year, the community is well designed and easy to use. You can sign up and join discussions at http://community.isc2.org.

Get involved with a CISSP study group

Many communities have CISSP study groups that consist of volunteer mentors and instructors who help those who want to earn the certification.

If your community doesn’t have a CISSP study group, consider starting one. Many communities have them already, and the organizers there can give you advice on how to start your own. You can find out more at nearby (ISC)2 chapters and other local security groups.

Help others learn more about data security

In no way are we being vain or arrogant when we say that we (the writers of this book, and you the readers) know more about data security and safe Internet usage than perhaps 99 percent of the general population. There are two main reasons for this:

  • Security is our profession
  • Security is not always easy to do

A legion of volunteer opportunities is available out there to help others keep their computers (and mobile computing devices) secure and to use the Internet safely. Here is a very short list of places where you can help:

  • Service clubs
  • Senior centers
  • Schools (be sure to read about Safe and Secure Online earlier in this chapter)
  • Alumni associations and groups
  • Your place of employment

Using a little imagination, you can certainly come up with additional opportunities. The world is hungry for the information you possess!

Becoming an Active Member of Your Local Security Chapter

In addition to (ISC)2, many security organizations around the world have local chapters, perhaps in or near your community. Here’s a short list of some organizations that you may be interested in:

Local security groups provide excellent opportunities to find peers in other organizations and to discover more about your profession. Many people find that the contacts they make as part of their involvement with local security organizations can be especially valuable when looking for new career opportunities.

You certainly can find many, many more security organizations that have local chapters, beyond the ones we include in the preceding list. Ask your colleagues and others about security organizations and clubs in your community.

Spreading the Good Word about CISSP Certification

As popular as the CISSP certification is, there are people who still don’t know about it. And many who may have heard of it don’t understand what it’s all about. Tell people about your CISSP certification and explain the certification process to your peers. Here are some facts that you can share with anyone and everyone you meet:

  • CISSP is the top-tier information security professional certification.
  • More than 112,000 security professionals around the world have the CISSP certification.
  • The CISSP certification started in 1994.
  • CISSP was the first credential to be accredited by the ANSI (American National Standards Institute) to ISO (International Organization for Standardization) Standard 17024.
  • The organization that manages the CISSP certification has other certifications for professionals who specialize in various fields of information security. The organization also promotes information security awareness through education programs and events.

Promote the fact that you’re certified. How can you promote it? After you earn your CISSP, you can simply put the letters CISSP after your name on your business cards, stationery, email signature, resume, blog, and website. While you’re at it, put the CISSP logo on there, too (just be sure to abide by any established terms of use).

Tip: There are many other certifications available from (ISC)2 that are described in the next section.

Wear the colors proudly

The (ISC)2 online store has a lot of neat stuff, from jackets to shirts to mugs to caps. There’s something there for everyone. The organization introduces new items now and again, and it runs closeout specials. Visit http://isc2education.org/shop.

Consider adding a few nice polo shirts that sport the (ISC)2 and CISSP logos to your wardrobe. Or really splurge and consider buying a CISSP leather jacket (be cool like the Fonz — except when you say “Aaa!” you’re of course referring to authentication, authorization, and accounting — which we discuss in Chapter 7) or backpack!

Lead by example

Like it or not, security professionals, particularly those with the CISSP, are role models for those around them. From a security perspective, whatever we do — and how we do it — is seen as the standard for correct behavior.

Remember: Being mindful of this, we need to conduct ourselves as though someone were looking — even if no one is — in everything we do.

Using Your CISSP Certification to Be an Agent of Change

As a certified security professional, you’re an agent of change in your organization: The state of threats and regulations is ever-changing, and you must respond by ensuring that your employer’s environment and policies continue to defend your employer’s assets against harm. Here are some of the important principles regarding successful agents of change:

  • Identify and promote only essential changes.
  • Promote only those changes that have a chance to succeed.
  • Anticipate sources of resistance.
  • Distinguish resistance from well-founded criticism.
  • Involve all affected parties the right way.
  • Don’t promise what you can’t deliver.
  • Use sponsors, partners, and collaborators as co-agents of change.
  • Change metrics and rewards to support the changing world.
  • Provide training.
  • Celebrate all successes.

Remember: Your job as a security professional doesn’t involve preaching; instead, you need to recognize opportunities for improvement and reduced risks to the business. Work within your organization’s structure to bring about change in the right way. That’s the best way to reduce security risks.

Earning Other Certifications

In business and technology, no one’s career stays in one place. You’re continuously growing and changing, and ever-changing technology also influences organizations and your role within them.

You shouldn’t consider your quest for certifications finished when you earn your CISSP — even if it is the highest-level information security certification out there! Security is a journey, and your CISSP certification isn’t the end goal, but a (major) milestone along the way. CISSP should be a part of your security lifestyle.

Other (ISC)2 certifications

(ISC)2 has several other certifications, including some that you may aspire to earn after (or instead of) receiving your CISSP. These certifications are

  • Associate of (ISC)2: If you can pass the CISSP or SSCP certification exams but don’t yet possess the required professional experience, you can become an Associate of (ISC)2. Read about this option on the (ISC)2 website.
  • CCSP (Certified Cloud Security Professional): This certification on cloud controls and security practices was co-developed by (ISC)2 and the Cloud Security Alliance.
  • SSCP (Systems Security Certified Practitioner): This certification is for hands-on security techs and analysts. SSCP has had the reputation for being a “junior” CISSP certification, but don’t be fooled — it’s anything but that. SSCP is highly technical, more so than CISSP. For some, SSCP may be a stepping stone to CISSP, but for others, it’s a great destination all its own.
  • CSSLP (Certified Secure Software Lifecycle Professional): Designed for software development professionals, the CSSLP recognizes software development in which security is a part of the software requirements, design, and testing — so that the finished product has security designed in and built in, rather than added on afterward.
  • HCISPP (HealthCare Information Security and Privacy Practitioner): Designed for information security in the healthcare industry, the HCISPP recognizes knowledge and experience related to healthcare data protection regulations and the protection of patient data.
  • JGISP (Japanese Government Information Security Professional): A country-specific certification that validates a professional’s knowledge, skills, and experience related to Japanese government regulations and standards.
  • CAP (Certification and Accreditation Professional): Jointly developed by the U.S. Department of State’s Office of Information Assurance and (ISC)2, the CAP credential reflects the skills required to assess risk and establish security requirements for complex systems and environments.

CISSP concentrations

(ISC)2 has developed follow-on certifications (think accessories) that accompany your CISSP. (ISC)2 calls these certifications concentrations because they represent the three areas you may choose to specialize in:

  • ISSAP (Information Systems Security Architecture Professional): Suited for technical systems security architects.
  • ISSEP (Information Systems Security Engineering Professional): Demonstrates competence for security engineers.
  • ISSMP (Information Systems Security Management Professional): About security management (of course!).

All the concentrations require that you first be a CISSP in good standing, and each has its own exam. Read about these concentrations and their exams on the (ISC)2 website at www.isc2.org/Certifications/CISSP-Concentrations.

Non-(ISC)2 certifications

Organizations other than (ISC)2 have security-related certifications, one or more of which may be right for you. None of these certifications directly compete with CISSP, but some of them do overlap with CISSP somewhat.

Non-technical/non-vendor certifications

There are many other certifications available that are not tied to specific hardware or software vendors. Some of the better ones include

  • CISA (Certified Information Systems Auditor): Consider this certification if you work as an internal auditor or your organization is subject to one or more security regulations, such as Sarbanes-Oxley, HIPAA, GLBA, PCI, and so on. The Information Systems Audit and Control Association and Foundation (ISACA) manages this certification. Find out more about CISA at www.isaca.org/cisa.
  • CISM (Certified Information Security Manager): Similar to (ISC)2’s Information Systems Security Management Professional (ISSMP) certification (which we talk about in the section “CISSP concentrations,” earlier in this chapter), you may want the CISM certification if you’re in security management. Like CISA, ISACA manages this certification. Read more about it at www.isaca.org/cism.
  • CRISC (Certified in Risk and Information Systems Control): This is a relatively new certification that concentrates on organization risk management. Learn more at www.isaca.org/crisc.
  • CGEIT (Certified in the Governance of Enterprise IT): Look into this certification if you want to demonstrate your skills and knowledge in the areas of IT management and governance. Effective security in an IT organization definitely depends on governance, which involves the management and control of resources to meet long-term objectives. You can find out more about CGEIT at www.isaca.org/cgeit.
  • CPP (Certified Protection Professional): Primarily a security management certification, CPP is managed by ASIS International, at www.asisonline.org/certification. The CPP certification designates individuals who have demonstrated competency in all areas constituting security management.
  • PSP (Physical Security Professional): ASIS International also offers this certification, which caters to those professionals whose primary responsibility focuses on threat surveys and the design of integrated security systems. Read more at www.asisonline.org/certification.
  • CIPP (Certified Information Privacy Professional): The International Association of Privacy Professionals (IAPP) has this and other country-specific privacy certifications for security professionals with knowledge and experience in personal data protection. Find out more at http://iapp.org/certify/cipp.
  • CIPP/E (Certified Information Privacy Professional/Europe): Privacy in Europe is so important in our industry that the IAPP has developed a version of the CIPP especially for European privacy matters. Learn more at http://iapp.org/certify/cippe.
  • C|CISO (Certified Chief Information Security Officer): This certification demonstrates the skills and knowledge required for the typical CISO position. Learn more at http://ciso.eccouncil.org.
  • CBCP (Certified Business Continuity Planner): A business continuity planning certification offered by the Disaster Recovery Institute. You can find out more at http://drii.org/certification/cbcp.
  • DRCE (Disaster Recovery Certified Expert): This certification is a recognition of knowledge and experience in disaster recovery planning. For more information, visit www.bcm-institute.org/certification.
  • PMP (Project Management Professional): A good project manager — someone you can trust with organizing resources and schedules — is a wonderful thing, especially on large projects. The Project Management Institute, at www.pmi.org, offers this certification.
  • PCI-QSA (Payment Card Industry Qualified Security Assessor): The Payment Card Industry Security Standards Council developed the QSA certification for professionals who audit organizations that store, transmit, or process credit card data. This certification is for PCI auditors. Find out more at www.pcisecuritystandards.org.
  • PCI-ISA (Payment Card Industry Internal Security Assessor): This certification, also from The Payment Card Industry Security Standards Council, is for security professionals within organizations that store, transmit, or process cardholder data. Find out more at www.pcisecuritystandards.org.
  • GIAC (Global Information Assurance Certification): The GIAC family of certifications includes categories in Audit, Management, Operations, and Security Administration. Two of the GIAC non-vendor-specific certifications that complement CISSP are the GIAC Certified Forensics Analyst (GCFA) and the GIAC Certified Incident Handler (GCIH). Find more information at www.giac.org/certifications. Several vendor-related GIAC certifications are also mentioned in the next section.

Technical/vendor certifications

We won’t even pretend to list all the technical and vendor certifications here. But these are some of the well-known vendor-related security certifications:

  • CCIE (Cisco Certified Internetworking Expert) Security: Cisco also offers several product-related certifications for specific products, including ASA firewalls and intrusion prevention systems. Find out more at www.cisco.com/certifications.
  • Check Point Security Administration certifications: You can earn certifications related to Check Point’s firewall and other security products. Visit www.checkpoint.com/certification.
  • C|EH (Certified Ethical Hacker): We know, we know. A contradiction in terms to some, real business value for others. Read carefully before signing. Offered by the International Council of E-Commerce Consultants (EC-Council). You can find out more at http://cert.eccouncil.org.
  • E|NSA (Network Security Administrator): Also from EC Council, this is the certification that recognizes the defensive view — as opposed to the offensive view of C|EH. You can learn more at http://cert.eccouncil.org.
  • L|PT (Licensed Penetration Tester): Another certification from the EC Council, this takes penetration testing to a higher level than C|EH. Learn more at http://cert.eccouncil.org.
  • C|HFI (Certified Hacking Forensics Investigator): Also from EC Council, this certification recognizes the skills and knowledge of a forensic expert who can detect computer crime and gather forensic evidence. Find out more here: http://cert.eccouncil.org.
  • CSFA (CyberSecurity Forensic Analyst): This certification demonstrates the knowledge and skills for conducting computer forensic examinations. Part of the certification exam is an actual forensics assignment in the lab. Check out www.cybersecurityforensicanalyst.com for more.
  • CompTIA Security+: A security competency certification for PC techs and the like. We consider this an entry-level certification that may not be for you, but you may well advise your aspiring colleagues who want to get into information security that this certification is a good place to start. You can find out more at http://certification.comptia.org.
  • Security|5: Like Security+, this is an entry-level security competency certification for anyone interested in learning computer networking and security basics. Find out more at http://cert.eccouncil.org.

You can find many other security certifications out there. Use your favorite search engine and search for phrases such as “security certification” to find information.

Choosing the right certifications

Regularly, technology and security professionals ask us which certifications they should earn next. Our answer is almost always the same: Your decision depends on where you are now and where you want your career to go. There is no single “right” certification for everyone — determining which certification you should seek is a very individual thing.

When considering other certifications, ask yourself the following questions:

  • Where am I in my career right now? Are you more focused on technology, policy, operations, development, or management?
  • Where do I want my career to go in the future? If (for example) you’re stuck in operations but you want to be focusing on policy, let that goal be your guide.
  • What qualifications for certifications do I possess right now? Some people tackle certifications based on the skills they already possess, and they use those newly earned certifications to climb the career ladder.
  • What do I need to do in my career to earn more qualifications? You need to consider not only what certifications you may be qualified to earn right now, but also what experience you must develop in order to earn future certifications.

If you’re honest with yourself, answering these questions should help you discern what certifications are right for you. We recommend that you take time every few years to do some long-term career planning; most people will find that the answers to the questions we’ve listed here will change.

You might even find that one or more of the certifications you have no longer reflect your career direction. If so, give yourself permission to let those certifications lapse. No sense hanging on to old certifications that no longer exhibit (or help you attain) your career objectives. Each of us has done this at least once, and we may again someday.

Find a mentor, be a mentor

If you’re somewhat new to infosec (and even if you’re not!) and you find yourself asking a lot of questions about your career, perhaps you would benefit from a mentor. A mentor is someone who has lived your professional lifestyle and been on the security journey for many years.

We suggest you shop around for a mentor and that you decide on one after talking with a few prospects. Mentors often have different approaches, from casual discussions to more structured learning.

If you’re not sure where to find a mentor, start with one or more of the local security organizations or activities in your area. If you live outside a major city, you may have to find a long-distance mentor. However, the experience can still be rewarding!

As you transition in your career from a security beginner to a security expert, consider being a mentor yourself. You’ll find that, although you’ll be helping another aspiring security professional get his or her career started, you’ll also learn quite a bit about security and yourself along the way.

Remember: Most non-technical certifications require you to prove that you already possess the required job experience in order to earn them. People make this common mistake: They want to earn a certification in order to land a particular kind of job. But that’s not the purpose of a certification. Instead, a certification is evidence that you already possess both knowledge and experience.

Pursue Security Excellence

We think that the best way to succeed in a security career is to pursue excellence every day, regardless of whether you’re already in your dream security job or just starting out.

The pursuit of excellence may sound like a lofty or vague term, but you can make a difference every day by doing the following:

  • Do your best job daily. No matter what you do for a living, be the very best at it.
  • Maintain a positive outlook. Happiness and job satisfaction are due in large part to your attitude. Having a good attitude helps make each day better and helps you to do a better job. Because optimism is contagious, your positive outlook will encourage your co-workers, and pretty soon everyone will be whistling, humming, or whatever they do when they like their jobs.
  • Continually improve yourself. Take the time to read about security practices, advances, developments, and changes in the industry. Try to figure out how innovation in the industry can help you and your organization reduce risk even more, with less effort.
  • Understand your value. Take the time to understand how your work adds value to the organization and try to come up with more ways to add value and reduce risk.
  • Understand the security big picture in your organization. Whether or not you’re responsible for some aspect of security, take the time to understand the principles that your organization uses to increase security and reduce risk. Use the security and risk management principles in Chapter 3, and see how those principles can help improve security even more. Think about the role you can play in advancing the cause of asset and information protection in your organization.

If you make the pursuit of excellence a habit, you can slowly change for the better over time. You end up with an improved security career, and your organization gets better security and reduced risk.
