By Ian Bowell, Head of Information Security – EMEA
According to PwC’s 2021 Global CEO Survey, 47% of CEOs identified cybersecurity as the top threat to their organizations’ growth prospects—up from 33% in 2020. This concern reflects the escalating frequency, complexity, and financial impact of cyber attacks and also the critical shortage of cybersecurity talent needed to meet those challenges.
IT decision-makers face the daunting task of finding security professionals with the right mix of skills and experience to protect their organizations. In response, many are turning to cybersecurity certifications—particularly CISSP (Certified Information Systems Security Professional)—to identify high-impact security talent.
CISSP can also be a boon to security professionals, helping them deliver improved job performance while creating opportunities for career advancement and higher compensation.
CISSP — The World’s Premier Cybersecurity Certification
CISSP is a certification offered by the International Information System Security Certification Consortium, (ISC)². With almost 148,000 members worldwide, CISSP holders are globally recognized as having the skills and experience to design, implement, and manage high-performance cybersecurity programs.
CISSP takes a comprehensive approach to certification. Applicants must possess the equivalent of four years of cybersecurity experience, receive an endorsement from an existing (ISC)² credential holder, and complete an ongoing 120-credit continuing education program over three years to retain their certification.
Assurances for the C-Suite
With the average cost of a cybersecurity breach in the financial sector pegged at $5.1 million, C-level executives are prioritizing security programs and infrastructure to reduce their risk. But talent is a problem; demand is high for experienced, certified security experts, with an estimated 3.5 million unfilled cybersecurity positions in 2021.
While organizations must compete hard for security talent, executives need assurances that potential hires have the experience, skills, and ‘growth mindset’ to meet the challenges of a rapidly-evolving cybersecurity landscape.
CISSP certification helps provide those assurances. Forbes found that 96% of IT leaders surveyed believed team members with cybersecurity certifications add value to their organizations. And according to Brad Puckett, Global Product Director for Cybersecurity at Global Knowledge, “Any organization with sensitive critical infrastructure and assets will look to the CISSP as a staple when screening prospective candidates for open cybersecurity leadership positions.”
An Important Differentiator for Security Pros
Certifications like CISSP are also critical for cybersecurity professionals to accelerate their career development. According to the Global Knowledge 2020 IT Skills and Salary Report, more than half of survey respondents had at least one cybersecurity certification, and those certifications were associated with the highest IT salaries globally. “The top-tier cybersecurity certifications validate professionals for jobs in cybersecurity senior leadership positions, which are among the highest in-demand,” says Global Knowledge’s Puckett.
CISSP—Meeting the Demands of the Changing Security Landscape
The CISSP program is broken down into eight knowledge domains that continually evolve. Each update, issued every three years or so, brings changes that address technology advancements, escalating security threats, and new compliance requirements.
Asset Security
This domain details the physical requirements of information security.
The most significant change in this domain reflects the evolution of the General Data Protection Regulation (GDPR) since that privacy legislation was strengthened. CISSP certification now extends beyond data and system ownership into a complete set of GDPR terms for data processor, custodian, user, and the all-important privacy-protected data subject.
This section also acknowledges the rising significance of digital rights management covering ownership of data. This topic is now even more important with the rise of non-fungible tokens (NFTs) in the blockchain world and other digital assets of value, like the first tweet by Twitter’s founder, recently auctioned for charity.
Security Architecture and Engineering
Addresses several important information security concepts, including secure engineering design, mitigating system security vulnerabilities, and designing and implementing physical security.
The updated CISSP certification reflects advances in standard procedures (also raised by regulatory bodies) for Zero Trust, Least Privilege, Separation of Duties, and Two-Person Control. It also covers the Defense-in-Depth concept, which Edge TG uses extensively to ensure that no single security layer is a single point of failure. If one layer fails or is breached, another layer, vendor, or source of authority picks up the attempt and prevents it, with appropriate logging and analysis. Defense-in-Depth also includes the concept of Fail Securely: if one layer fails, the system falls back to a secure state rather than an open one.
This section of the certification now also contains nearly twice the material covering various forms of cryptographic attack and their definitions, as well as quantum computing’s potential capacity to defeat current encryption.
Communications and Network Security
Focuses on the design and protection of an organization’s networks.
This section includes expanded coverage to reflect the increased relevance of wireless and cellular systems in communication and network security. CISSP now covers Wi-Fi Protected Access 3 (WPA3) and further deprecates WPA, along with the previously addressed Wired Equivalent Privacy (WEP). Also highlighted is how WPA3 uses Simultaneous Authentication of Equals (SAE) with Advanced Encryption Standard (AES) cryptography.
Other communication networks now included are:
- Zigbee for IoT, hinting at the rising security concerns for industrial operational technology (OT)
- 5G together with existing 4G
- Satellite communications, although Starlink internet as developed by SpaceX is not yet explicitly mentioned
Also covered is the rising use of Content Delivery Networks (CDNs), essential for low-latency, proximity-based distribution of static content (images, videos, podcasts, and more) on the internet and social media.
Surprisingly, the list of standard ports has not changed to reflect the growing, standardized use of SFTP (SSH File Transfer Protocol) on port 22 across financial institutions, counter-parties, and others.
Identity and Access Management
This domain helps security professionals understand how to control the way users access data.
This section’s changes reflect a marked increase in, and open standardization on, Security Assertion Markup Language (SAML), OpenID, and OAuth. These protocols are used for cross-entity federated authentication that simplifies single sign-on for corporate credentials and Google accounts while addressing some of the past credential leakage issues. New access control definitions also expand to include rule-based and risk-based access control, joining role-based access control (RBAC) and attribute-based access control (ABAC).
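As an added illustration of both the Defense-in-Depth and Fail Securely concepts from the Security Architecture and Engineering section and the RBAC, ABAC and risk-based models named here (not code from the article or from Edge TG): a small Python authorization check in which every layer must allow a request, and a layer that errors denies rather than grants. The roles, permission table, threshold and risk values are constructed for the example.

```python
# Added illustration (not from the article): a layered authorization decision
# combining role-based, attribute-based and risk-based checks, with fail-secure
# handling. All names, tables and sample values are constructed for this example.
from dataclasses import dataclass
import logging

log = logging.getLogger("authz")

@dataclass
class Request:
    user: str
    roles: set
    action: str
    resource_owner: str      # department that owns the resource
    risk_score: int          # session risk from device/geo signals, 0-100
    department: str = ""     # requester's department

# Layer 1, RBAC: which roles may perform which actions (constructed table).
ROLE_PERMISSIONS = {"analyst": {"read"}, "admin": {"read", "write"}}

def rbac_allows(req: Request) -> bool:
    return any(req.action in ROLE_PERMISSIONS.get(r, set()) for r in req.roles)

# Layer 2, ABAC: writes are allowed only on resources the requester's department owns.
def abac_allows(req: Request) -> bool:
    return req.action == "read" or req.resource_owner == req.department

# Layer 3, risk-based: deny (or step up) when the session risk is too high.
RISK_THRESHOLD = 70

def risk_allows(req: Request) -> bool:
    if req.risk_score < 0 or req.risk_score > 100:
        raise ValueError("risk score out of range")   # simulates a broken signal
    return req.risk_score < RISK_THRESHOLD

def authorize(req: Request) -> bool:
    """Defense-in-depth: every layer must allow. A layer that errors fails closed."""
    for layer in (rbac_allows, abac_allows, risk_allows):
        try:
            if not layer(req):
                log.warning("deny user=%s action=%s layer=%s", req.user, req.action, layer.__name__)
                return False
        except Exception as exc:
            # Fail securely: an erroring layer denies rather than grants access.
            log.error("deny user=%s layer=%s error=%s", req.user, layer.__name__, exc)
            return False
    return True
```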
Security Assessment and Testing
Addresses the design, performance, and analysis of security testing.
This section has updated coverage of SSAE 16 to SSAE 18, and of SOC audits for regulatory considerations, but no other notable changes.
Security Operations
This domain details the way security plans are implemented and optimized.
The Security Operations section remains little changed compared to the other domains. Future changes should include more detailed coverage of newer forensics or cloud-influenced processes in this area, particularly in light of Security Orchestration, Automation & Response (SOAR) and the robust responses that evolving ransomware attacks demand.
Security and Risk Management
CISSP’s largest domain, Security and Risk Management, provides a comprehensive overview of security and information systems management.
There are no significant changes of note in this section. Edge TG’s CISSP experts are monitoring the certification requirements for any upcoming developments.
Software Development Security
Helps professionals to understand, apply and enforce software security.
While this large section could be considered a discrete career path, it incorporates minimal changes at this time. Other available certifications have a greater focus on privacy or security-by-design, as mandated by GDPR or other considerations.
ISO 27001 and related certifications will continue to evolve, as a renewed ISO 27001 standard was expected in 2020. We also anticipate a new version of the Information Technology Infrastructure Library (ITIL), ITIL 4.
Security and the Human Factor
Deloitte calls the ‘human factor’ a critical element in “reducing the widening cyber risk gap and enabling organizations to capture the full promise of new technologies.”
Eager to close that gap, many C-level executives are leveraging CISSP as a strategic resource to identify the talent they need to protect their organizations’ systems, data, and infrastructure.
The insights into the additions and improvements to the CISSP program domains are provided by Ian Bowell, EMEA Information Security Manager at Edge Technology. These perspectives reflect the overall change in focus and priority by CISSP. Please note that CISSP will be launching updated material in May 2021.