Peter H. Gregory - CISSP For Dummies


CISSP For Dummies: summary, description and annotation


Get CISSP certified, with this comprehensive study plan! Revised for the updated 2021 exam, CISSP For Dummies is packed with everything you need to succeed on test day. With deep content review on every domain, plenty of practice questions, and online study tools, this book helps aspiring security professionals unlock the door to success on this high-stakes exam. This book, written by CISSP experts, goes beyond the exam material and includes tips on setting up a 60-day study plan, exam-day advice, and access to an online test bank of questions.

Make your test day stress-free with CISSP For Dummies!

Review every last detail you need to pass the CISSP certification exam

Master all 8 test domains, from Security and Risk Management through Software Development Security

Get familiar with the 2021 test outline

Boost your performance with an online test bank, digital flash cards, and test-day tips

If you’re a security professional seeking your CISSP certification, this book is your secret weapon as you prepare for the exam.

CISSP For Dummies: read the preview excerpt online


International Association of Privacy Professionals (IAPP): https://iapp.org

Disaster Recovery Institute International (DRII): https://drii.org

Computer Technology Investigators Network (CTIN): www.ctin.org

Local security groups provide excellent opportunities to find peers in other organizations and discover more about your profession. Many people find that the contacts they make as part of their involvement with local security organizations can be especially valuable when they’re looking for new career opportunities.

You certainly can find many more security organizations with local chapters beyond the ones we include in the preceding list. Ask your colleagues and others about security organizations and clubs in your community.

Many communities have local information security groups and clubs that are not affiliated with national or global organizations. Through word of mouth, you might find one of these groups located near you.

Spreading the Good Word about CISSP Certification

As popular as the CISSP certification is, some people still don’t know about it, and many who may have heard of it don’t understand what it’s all about. Tell people about your CISSP certification, and explain the certification process to your peers. Here are some facts that you can share with anyone and everyone you meet:

The CISSP certification started in 1994.

CISSP is the top-tier information security professional certification.

More than 142,000 security professionals in more than 170 countries have the CISSP certification.

CISSP was the first credential accredited by the ANSI (American National Standards Institute) to ISO (International Organization for Standardization) Standard 17024.

The average CISSP salary is $131,030 (U.S.).

The organization that manages the CISSP certification has other certifications for professionals who specialize in various fields of information security. The organization also promotes information security awareness through education programs and events.

Promote the fact that you’re certified. How can you promote it? After earning your CISSP, you can simply put the letters CISSP after your name on your business cards, stationery, email signature, résumé, blog, and website. While you’re at it, put the CISSP logo or your digital badge on there, too (and be sure to abide by any established terms of use).

Many other certifications available from (ISC)2 are described later in this chapter.

Leading by example

Like it or not, security professionals, particularly those with the CISSP certification, are role models for those around them. From a security perspective, whatever we do — along with how we do it — is viewed as the standard for correct behavior.

Being mindful of this fact, we need to conduct ourselves as though someone is looking — even if no one is — at everything we do.

Using Your CISSP Certification to Be an Agent of Change

As a certified security professional, you’re an agent of change in your organization: The state of threats and regulations is ever-changing, and you must respond by ensuring that your employer’s environment and policies continue to defend your employer’s assets against harm. Here are some of the essential principles for being a successful change agent:

Identify and promote only essential changes.

Promote only those changes that have a chance to succeed.

Anticipate sources of resistance.

Distinguish resistance from well-founded criticism.

Involve all affected parties the right way.

Don’t promise what you can’t deliver.

Use sponsors, partners, and collaborators as co-agents of change.

Change metrics and rewards to support the changing world.

Provide training.

Celebrate all successes.

Your job as a security professional doesn’t involve preaching; instead, you need to recognize opportunities for improvement and reduced risks to the business. Work within your organization’s structure to bring about change in the right way. That’s the best way to reduce security risks.

Earning Other Certifications

In business and technology, no one’s career stays in one place. You’re continuously growing and changing, and ever-changing technology also influences organizations and your role within them.

You shouldn’t consider your quest for certifications to be finished when you earn your CISSP — even if it is the highest-level information security certification out there! Security is a journey, and your CISSP certification isn’t the goal, but a (major) milestone along the way. CISSP should be part of your security lifestyle.

Other (ISC)2 certifications

(ISC)2 has several other certifications, including some that you may aspire to earn after (or instead of) receiving your CISSP. These certifications are

Associate of (ISC)2: If you can pass the CISSP or SSCP certification exams but don’t yet possess the required professional experience, you can become an Associate of (ISC)2. Read about this option on the (ISC)2 website.

CCSP (Certified Cloud Security Professional): This certification on cloud controls and security practices was co-developed by (ISC)2 and the Cloud Security Alliance.

SSCP (Systems Security Certified Practitioner): This certification is for hands-on security techs and analysts. SSCP has had a reputation for being a “junior” CISSP certification, but don’t be fooled — it’s anything but that. SSCP is highly technical, more so than CISSP. For some people, SSCP may be a stepping stone to CISSP, but for others, it’s a great destination all its own.

CSSLP (Certified Secure Software Lifecycle Professional): Designed for software development professionals, the CSSLP recognizes software development in which security is part of the software requirements, design, and testing so that the finished product has security designed and built in, rather than added afterward.

HCISPP (HealthCare Information Security and Privacy Practitioner): Designed for information security in the healthcare industry, the HCISPP recognizes knowledge and experience related to healthcare data protection regulations and the protection of patient data.

CAP (Certification and Accreditation Professional): Jointly developed by the U.S. Department of State’s Office of Information Assurance and (ISC)2, the CAP credential reflects the skills required to assess risk and establish security requirements for complex systems and environments.

CISSP concentrations

(ISC)2 has developed follow-on certifications (think accessories) that accompany your CISSP. (ISC)2 calls these certifications concentrations because they represent the three areas you may choose to specialize in:

ISSAP (Information Systems Security Architecture Professional): Suited for technical systems security architects

ISSEP (Information Systems Security Engineering Professional): Demonstrates competence for security engineers
