Three Reasons Why Cybersecurity Certifications are Essential

Other than a college degree, how can you validate your knowledge and skills? Certifications represent a way for professionals to validate their knowledge and expertise, as well as a path for continued education and professional development.

But what about value? Why are cybersecurity certifications essential today? What is the value of a cybersecurity certification?

Proves Your Worth
According to the 2017 (ISC)² Global Information Security Workforce Study (GISWS), when respondents were asked for the reasons why their organization requires staff to have information security certifications, employee competence was the most common answer. You can spend years working to prove your knowledge, but a third-party validated measure of competence displays your expertise (i.e., your worth) to your employer, colleagues and peers in your network. Not only do certifications require the testing of one’s knowledge and skillsets, but many certifications also require continuing professional education credits to ensure that the learning process doesn’t stop once certification is obtained. Certification also proves a candidate’s commitment to their respective profession – if they are dedicated enough to study for a lengthy exam and go through the entire certification process, that exemplifies commitment.

Instant Street Cred
Certifications are often difficult to obtain. Many people spend hours, weeks, even months studying for certification exams. When your managers and colleagues know that you’ve been validated by a third-party organization as having certain knowledge and skills by passing a tough exam, you earn credibility. When hiring managers are making decisions for staffing, 70 percent of GISWS respondents said it was at least somewhat important that the candidate has information security certifications. When asked if their organization requires its IT staff to have information security certifications, 40 percent said yes.

Catapults Your Career
Once you’re hired, you’ll probably start to think about career advancement and how to get to the next level. As part of the GISWS survey, respondents who hold certifications were asked how relevant their current certifications are to their potential career advancement: 90 percent said they are at least somewhat relevant. Members of (ISC)² (certification holders) also report a higher average annual salary than non-members – $103,000 for members compared to $76,300 for nonmembers. With certain certifications being required to obtain cybersecurity positions, it’s no wonder that they can be the way in the door and up the ladder.

Attaining certifications can be a key component in planning for and building a successful, well-respected career in cybersecurity. Certifications will show your value as a cybersecurity professional by helping to prove your worth as an employee, show street cred as a team member, and catapult your career, setting you up for a lifetime of success.

Validate your expertise and show your boss you have what it takes to protect your organization with a globally recognized (ISC)² certification. Choose which certification is right for you and download The Ultimate Guide.

[(ISC)² Blog]

The Tech Challenge 2017: Challenging the Minds of Our Future Innovators

No screens, no candies, no toys, no instant gratification. Thousands of kids at The Tech Challenge 2017 wanted something more. They wanted to try their hand at being engineers.

On April 29, a few colleagues from Palo Alto Networks and I volunteered to be judges at The Tech Museum of Innovation’s signature event, held in the heart of Silicon Valley in downtown San Jose, California. As judges, we had the honor of interacting with fourth- to sixth-graders. They captivated us with their approach to engineering, problem-solving and iterative experimentation. There is something spectacular about interacting with kids who are so passionate about innovatively combining technology and building with their hands, rather than interacting with technology only through computers and mobile devices.

This year’s The Tech Challenge centered on the theme of “Rock the Ravine.” Months prior to the event, students in grades 4–12 were presented with the challenge to design a device to help explorers cross an ice field with multiple ravines. More than 2,500 students responded to this year’s challenge with innovation, teamwork and healthy doses of creativity.

Insights From The Tech Challenge

By spending a day with the young developers, each of the other volunteer judges and I walked away with valuable lessons. Here are a few of mine:

  • Don’t assume there aren’t developers among our elementary school students. One of the most impressive teams I met was two sixth-grade girls, “The Flaming Firebirds” (seen going through the judging process in the photo below), who built their project from the ground up – and hacked technology to make it work the way they needed. They custom wrote the code necessary for the project to come together, and they won “Best Overall 1st Place” (for all of Grade 6) through their planning, ingenuity and creativity!

  • All kids should be encouraged to get involved. We should encourage as many kids as possible to get involved in events like this, even if engineering isn’t an area of passion. The spirit of what this event is about builds a strong foundation for a variety of professions that look well beyond STEM. Participating children were able to hone valuable life skills like imaginative problem-solving, prototyping, iterating, failing fast and recovering, documenting failures and successes, sharing responsibility, paying attention to safety, setting goals, planning projects, researching, and so much more that will serve them well no matter where their paths lead them.
  • Adults and parents can benefit too. As a father of three girls, I am constantly struggling with the question, “What kind of projects should I do with the kids that are fun and engaging, and will help them later in life?” The Tech Challenge gives parents a structured means to bring their children along on a journey that is rewarding, challenging and teaches fundamentals that are core to problem-solving.

The Tech Challenge started 30 years ago and has been inspiring kids to find solutions to real-world problems, such as harnessing the wind to move water to people who need it – and even beyond Earth, such as creating solutions to deploy scientific instruments from spacecraft to asteroids. The raw wonder of young minds is refreshing. The final products these students have developed are truly remarkable.

I look forward to competing in next year’s The Tech Challenge with my girls, and I know they will absolutely love it. To our future innovators: let the learning begin!

[Palo Alto Networks Research Center]

What You Need to Know About Changes to the STAR Program

The CSA recently announced that the STAR Program will now allow a one-time, first-year only, Type 1 STAR Attestation report. What is a Type 1 versus Type 2 examination and what are the benefits for starting with a Type 1 examination?

Type 1 versus Type 2
There are two types of System and Organization Control (SOC) 2 reports, Type 1 and Type 2. Both types of reports examine a service organization’s internal controls relating to one or more of the American Institute of CPAs’ (AICPA) Trust Services Principles and Criteria, as well as the Cloud Security Alliance’s (CSA) Cloud Controls Matrix (CCM). Both reports include an examination on the service organization’s description of its system.

A Type 1 report examines the suitability of the design of the service organization’s controls at a point in time, also referred to as the Review Date. A Type 2 report examines not only the suitability of the design of controls that meet the criteria but also the operating effectiveness of controls over a specific period of time, also referred to as the Review Period.

In a Type 2 examination, the auditor is required to perform more detailed testing, request more documentation from the organization, and spend more time than in a Type 1 examination, because operating effectiveness must be evidenced across the whole Review Period rather than at a single point in time. The additional documentation and testing requirements can put a greater strain on an organization and require more resources to complete the audit.

A service organization that has not been audited against the criteria in the past may find it easier to complete a Type 1 examination during the first audit, as it requires less documentation and less preparation, and the organization can respond more quickly to gaps noted during the examination.

The cost of a Type 1 examination is lower than that of a Type 2 examination because less testing is required. Fewer organizational resources are consumed by a Type 1 as well, resulting in additional cost savings.

If the service organization, or a specific service line or business unit of the organization, was recently implemented, the organization would have to not only ensure that controls were put in place to meet the criteria, but also ensure that those controls had been operating for a certain period of time before a Type 2 examination could be completed. In this situation there would not be enough history for a service auditor to perform a Type 2 examination. A Type 1 examination allows for a quicker report rather than waiting out the Review Period required for a Type 2 examination.

Benefits of a Type 1
There are several benefits to starting with a Type 1 report that include:

  • Quicker report turn-around time and listing on the STAR Registry
  • Shorter testing period
  • Cost efficiencies
  • Easier to apply to new environment or new service line

An organization might be trying to win a certain contract or respond to a client’s request for a STAR Attestation in a short period of time. A Type 1 examination does not require controls to be operating for a period of time prior to the examination. Therefore, the examination and resulting report can be provided sooner to the service organization.

Starting with a Type 1 report has many benefits for a first-year STAR Attestation. The organization will find this useful when moving to a Type 2 examination in the following year.

It is important to note, though, that a Type 1 should be considered only an intermediate, preparatory step toward a Type 2 STAR Attestation. A Type 1 report speaks to the design of controls at the Review Date, not to whether they operated effectively over time, and anyone relying on the report should read it with that limitation in mind.

Debbie Zaller, CPA, CISSP, PCI QSA, Principal, Schellman & Co., LLC

[Cloud Security Alliance Blog]

Building a Security Transformation Program in Our New Information Security World

From an information security perspective, companies often have perceived their own organization as a castle with well-defined walls, with few entry points sufficiently staffed with guards monitoring what information is coming in or leaving the organization. If further protection is needed, it is obvious what to do: build higher or thicker walls or add additional security guards. What is inside the castle can be considered safe.

However, there have been several significant changes in the past few years, namely:

  • New business models and supply chain dependencies transcending traditional company and information boundaries
  • Advances in technology and digitization increase ICT reliance
  • Increasing reliance on external parties and their security approach
  • Scarcity of resources, be it financial or human resources
  • Increased regulatory requirements supporting the shift from a protection focus to a detection/response focus (e.g., GDPR)
  • Changes in the cyber threat landscape (e.g., crime-as-a-service, espionage)

This means that reliance on traditional perimeter security is no longer sufficient, a point that information security professionals have been making for several years. The National Institute of Standards and Technology (NIST) in the US, for instance, has codified this shift in its Cybersecurity Framework, which organizes security capabilities into five functions: Identify, Protect, Detect, Respond and Recover.

The next generation CISO
So why are so many companies still struggling to adopt this approach? A CISO of a reputable company once said: “I was hired for my technical security skills; however, I do not know how to build an organizational change program.” The next-generation CISO not only needs an understanding of security challenges, but also needs to deliver this change in a programmatic approach.

The need for a step-change in information security
What is needed is a way to package the NIST thinking into an information security transformation framework that fits the organizational model of the company.

The framework has five components, each with its own goal:

  • Governance, risk and compliance: Align the approach to the company’s governance model and build alliances with related functions, such as risk management, corporate security, compliance and audit.
  • Secure architecture: Ensure a ‘security by design’ approach.
  • Secure baseline: Do the fundamental things right (e.g., patching, monitoring, adopting good IT operations practice).
  • Cyber threat management: Understand the threat environment and provide appropriate incident response.
  • Training and awareness: Address the human factor in information security.

Define KPIs
By first comparing the current organizational capabilities against future needs, we can determine how fast and in which areas a company needs to act. From this assessment, the projects can be planned and budgeted over several years, including sourcing requirements (in-house or managed security provider). Each year, the required capabilities are re-assessed in light of the threat landscape, business strategy and technological advances.

One key element is the definition of KPIs to measure progress for each framework component. These KPIs help to communicate the benefits of a multi-year program to senior management. Assigning skilled project/program management resources also helps to maintain focus, so that daily operational tasks do not supersede project/program goals.

Experience so far
Taking this approach, we have experienced the following changes:

  • Shift toward a holistic view: from a tool discussion to a capability-based discussion covering people, process and technology.
  • Regular re-assessment of capability profile, threat landscape and business strategy defines the security projects for the coming year.
  • Capability needs drive security strategy and implementation priorities.
  • A failure to meet incident resolution target KPIs resulted in a root cause analysis and renegotiation of service level agreements (SLAs) with vendors.

New threats demand a new mindset – and approach – for information security professionals.

Editor’s note: Monika Josi will present on “Building a Sustainable Security Program” at ISACA’s EuroCACS 2017 conference, which will take place 29-31 May in Munich, Germany.

Monika Josi, Head of Group Security Consulting, AXAS AG

[ISACA Now Blog]
