
Cyber Security Certification

CYBER SECURITY CERTIFICATION A VALUABLE INVESTMENT

By Tony Vizza, CISSP, CCSP

WHY CYBER SECURITY IS CRITICAL TO ELECTRONIC SECURITY

The advent of digitization has seen the electronic security world changing dramatically over the last 20 years. Almost all electronic security devices today are reliant on network connectivity in order to operate and keep organizations physically secure. While the electronic security devices perform their objectives in keeping physical security threats in check, the connected nature of these devices opens up a new set of threats from a cyber perspective.

This boom in digital security devices has correlated with better overall physical security. Sadly, the same cannot be said for cyber security. While the Australian Bureau of Statistics has recorded a significant drop in property crime such as burglaries over the last few decades 1, the rate of cyber-related data breaches has increased at an exponential rate. For the twelve months to 31 March 2019, the Office of the Australian Information Commissioner (OAIC) received 964 breach notifications from Australian organisations. 2 This was an incredible 712% increase on the previous twelve-month period.

The OAIC findings revealed that 40% of breaches were attributed solely to human error or system faults, while the remaining 60% of breaches were due to a malicious actor. 3 Many of these breaches are caused by misconfiguration of IT services, a lack of preventative measures and a lack of user education and awareness. 4 Globally, the World Economic Forum has declared that cyber-related risks now constitute two of the top five global risks. 5 As a result, the Federal Government has decided to review its cyber security strategy for Australian organisations and individuals for the year 2020. 6

GAINING CYBER SECURITY KNOWLEDGE AND EXPERIENCE THROUGH CERTIFICATION

Given the prevalence of connected systems and Internet of Things (IoT) devices now commonplace in the electronic security space, a large number of new and significant attack vectors exist that can affect the confidentiality, integrity and availability of these systems. The result is that electronic security installers, however qualified and certified they are in the physical aspects of the technologies they deploy, often lack the commensurate cyber security knowledge needed to ensure that the solutions they install are both physically and virtually safe.

How can you ensure that the electronic security solutions that you install, maintain and manage for your customers are also configured securely from a cyber perspective? It all comes down to cyber security training, experience and accreditation. One of the best ways to achieve these is through industry-recognized certification. (ISC)2, a global not-for-profit association of over 140,000 certified cyber security professionals, is a certification body for individuals who are seeking to become cyber security certified based on their area of expertise and their experience levels. Within the electronic security field, two (ISC)2 certifications are most relevant to consider – the Systems Security Certified Practitioner (SSCP) and the Certified Information Systems Security Professional (CISSP). (ISC)2 certifications are ANSI/ISO/IEC 17024 accredited, meaning that certification requires both theoretical knowledge - demonstrated by passing an examination - and hands-on, paid work experience.

THE SYSTEMS SECURITY CERTIFIED PRACTITIONER (SSCP) CERTIFICATION

The SSCP is a vendor-agnostic certification that is ideal for those experienced in Information Technology (IT) who want to gain a deeper understanding of cyber security principles. SSCP certification demonstrates the technical skills and knowledge needed to implement, monitor and administer IT infrastructure using security best practices, policies and procedures, and is the (ISC)2 certification best suited to electronic security technicians who configure, deploy, manage and maintain electronic security solutions. The Common Body of Knowledge (CBK) that underpins the SSCP certification is built on foundational cyber security concepts that cover the breadth of the field, and the SSCP equips technicians and engineers with the skills to consider cyber security from a business-oriented and risk-based approach, as well as from a technical perspective.

There are seven “domains” in the SSCP CBK:

- Access Controls
- Security Operations and Administration
- Risk Identification, Monitoring and Analysis
- Incident Response and Recovery
- Cryptography
- Network and Communications Security
- Systems and Application Security

Certification requires passing the SSCP exam and possessing a minimum of one year of paid experience in one of the seven SSCP domains. In addition, to maintain your certification, you must complete a minimum of 60 continuing professional education (CPE) credits in each three-year cycle. Candidates who pass the exam but do not possess the relevant work experience are eligible to be awarded Associate of (ISC)2 status, which converts to full certification once this requirement is met. In addition, all candidates must adhere to an industry Code of Ethics.

More info at isc2.org/Certifications/SSCP

THE CERTIFIED INFORMATION SYSTEMS SECURITY PROFESSIONAL (CISSP) CERTIFICATION

The CISSP certification has long been considered the gold standard of cyber security certification and is recognized across the world. The CISSP demonstrates a certified professional’s capability to effectively design, implement and manage a best-in-class cyber security program for their organization and their customers. The CISSP is a vendor-agnostic certification designed for professionals who have been involved in the cyber security field for a number of years. It is particularly relevant to electronic security personnel because a critical aspect of cyber security is in fact physical security. The CISSP has a strong focus on physical security controls and as such is an ideal certification to pursue for an experienced electronic security professional who also has strong experience in information technology. In addition, many SSCP holders work towards CISSP certification as their careers continue to grow.


1. 4510.0 – Recorded Crime – Victims, Australia, 2018. Australian Bureau of Statistics, 27 June 2019.
2. Notifiable Data Breaches Scheme 12-month Insights Report. Office of the Australian Information Commissioner, Australian Government, 2019, p. 4.
3. Notifiable Data Breaches Scheme 12-month Insights Report. Office of the Australian Information Commissioner, Australian Government, 2019, p. 8.
4. Ibid., p. 21.
5. The Global Risks Report 2019. World Economic Forum, 15 January 2019.
6. Australia’s 2020 Cyber Security Strategy – A call for views. Department of Home Affairs, Australian Government.

There are eight “domains” in the CISSP Common Body of Knowledge (CBK). These are:

- Security and Risk Management
- Asset Security
- Security Architecture and Engineering
- Communication and Network Security
- Identity and Access Management (IAM)
- Security Assessment and Testing
- Security Operations
- Software Development Security

Certification requires passing the CISSP exam and possessing a minimum of five years of paid experience in two of the eight CISSP domains. In addition, to maintain your certification, you must complete a minimum of 120 continuing professional education (CPE) credits in each three-year cycle. Candidates who pass the exam but do not possess the relevant work experience are eligible to be awarded Associate of (ISC)2 status, which converts to full certification once this requirement is met. In addition, all candidates must adhere to an industry Code of Ethics.

More info at isc2.org/Certifications/CISSP

OTHER (ISC)2 CERTIFICATIONS

While the SSCP and CISSP are the cyber security certifications most sought after by electronic security personnel, there are a number of other certifications that are also valuable, dependent on your role, career ambitions and interests. These include the Certified Cloud Security Professional (CCSP), the Certified Secure Software Lifecycle Professional (CSSLP) and the HealthCare Information Security and Privacy Practitioner (HCISPP).

TRAINING TOWARDS CERTIFICATION

In order to prepare for (ISC)2 certification examinations, most candidates decide to undergo formal training to ensure that they adequately understand the concepts covered in the chosen certification’s Common Body of Knowledge (CBK). In addition, candidates will revise and study in order to successfully pass the certification examination.

Training consists of a number of different techniques and methods, dependent on the candidate’s personal preference:


- Classroom-based training offered by an official (ISC)2 training provider
- Online instructor-led training offered by (ISC)2
- Online self-paced training using recorded lessons offered by (ISC)2
- Self-study using text books, study guides, apps and flashcards, available through (ISC)2 and authorized partners

More info at www.isc2.org/Training/

In addition, (ISC)2 has prepared an easy-to-follow and free Certification Preparation Kit with extra information on how to become certified, training options as well as handy tips to help you become certified. You can download this at https://www.isc2.org/Training/Cert-Prep-Kit

BENEFITS OF CERTIFICATION FOR PROFESSIONALS AND EMPLOYERS

There are significant and tangible benefits to becoming cyber security certified, both for the professional as an individual, as well as for an employer.

For professionals, certification demonstrates a validation and recognition of your skills and experience. It helps you open up new and different employment opportunities to further your career. Certification increases your earning power in an area with a significant skills shortage. In addition, the requirement for continuing professional education to maintain the certification means that the professional is on top of their game in an area that is rapidly changing with each passing day.

For employers, having certified personnel on your staff validates your competency and experience when offering services to customers and clients. Customers are increasingly sensitive to cyber security risk considerations and being able to demonstrate your experience by hiring certified cyber security professionals provides a strong competitive edge. As certified professionals adhere to a strict Code of Ethics, employers can take comfort in knowing their employees have made a commitment to protecting your digital assets as well as those of your customers.

CONCLUSION

Attaining cyber security certification helps you as a professional meet the challenges faced in today’s hyper-digital environment. It offers career opportunities and ensures that you are skilled to help protect against cyber related risks. For employers, it is a valuable investment from a competitive, competency and operational point of view and helps to ensure your customers can feel safe and secure, not just from a physical security sense but also from a virtual one.
