The FBI and other industry watchdogs are constantly releasing reports on how social engineering campaigns and other cyberattacks are rampant and increasingly effective at turning regular people and businesses into victims. One of the problems is a serious shortage of expertise. So many of these attacks can be defended against. Your assets can—and should be—protected from would-be thieves. Unfortunately, too many of us lack the knowledge and experience to manage information security on our own. At the same time, some security providers only pretend to be experts while peddling cookie-cutter solutions they license from vendors who don’t know or care about you.
And then there are CISSPs.
What is a CISSP?
CISSP stands for Certified Information Systems Security Professional, and when someone says they are one, it means that they have been independently certified by (ISC)², the largest association of cybersecurity professionals in the world. Those who pass the grueling six-hour exam and earn the CISSP join a group of only about 142,000 holders in the entire world.
Before you can even take the exam, you need to have five years of experience working as a full-time security professional in at least two of the eight information security domains approved by (ISC)². And after passing, you still need to be endorsed by a current certification holder in good standing.
“The CISSP is arduous and difficult to attain,” explains Tony Vizza, Director of Cybersecurity Advocacy for the (ISC)² Asia-Pacific region. “Achieving the CISSP is a proud achievement and demonstrates to the industry and your peers that you are a consummate industry professional with depth of experience to provide effective cybersecurity leadership and direction for the organization you work for.”
The certification, which has existed for over 25 years, is a distinction that is in high demand in the security world—and everywhere else. Businesses of all sizes need to protect themselves from a growing online landscape of criminal threats that increase in sophistication every year. CISSPs are expected to ask the tough questions and come up with dynamic, effective solutions to mitigate risk to a company’s assets, its employees, and its clients.
“Earning the CISSP proves you have what it takes to effectively design, implement and manage a best-in-class cybersecurity program,” explains the (ISC)² website.
Should I have a CISSP managing my IT?
As with reviewing candidates for any job, you want to look at all aspects of a person’s career before making a decision. Probably the most important element is their relevant work experience. If you’re going to have a person managing your information security systems, you’re going to want them to have proven already they are competent.
What’s nice about the CISSP certification is that it requires a recipient to have a minimum of five years of relevant experience (four if they hold a bachelor’s degree, a master’s degree in information security, or one of a number of other approved certifications). This way, you know that even a fresh recipient of the certification can demonstrate their security expertise.
Just because someone is not certified by (ISC)² does not mean they are not technically skilled in the field of information security, but it does mean you will want to look more closely at their experience.
When it comes to hiring a professional to manage your IT, you could do a lot worse than going with a CISSP. That person knows the ins and outs of risk management, asset security, identity and access management (IAM), security architecture, network security, and testing—a deadly combination.
The CISSP “ensures that a certified professional understands all aspects of information security and, most critically, how the aspects of the information security environment they themselves work on will interact with the overall organizational ecosystem,” explains Vizza.
How do I know if my candidate is a CISSP?
You can start by just asking! If they’re qualified, they’ll probably be happy to share that information with you. It might even be on their website or LinkedIn page, so if you’re scouting for potential experts, that might be a good place to start. Alternatively, you can use the (ISC)² member verification database to confirm a person’s certification. All you need is their last name and their certification ID number, which they should be willing to provide.
What should I do next?
It sounds like you’re looking for a change! If you’re looking to grow your business and keep your infrastructure secure while doing so, you might be interested in working with a managed service provider, or MSP. A managed service provider is an expert third-party consulting service that proactively manages and monitors IT infrastructures for others, improving efficiency and security.
At Machado Consulting, we pride ourselves on being an industry-leading MSP actively led by our CEO Helder Machado, CISSP. Under his leadership, we serve businesses and non-profits both large and small, making them better, more secure operations in the process. We’d love to share how we can do the same for you. You can contact us here or by phone at (508) 453-4700.