Earlier this week, (ISC)2 announced that nominations are now being accepted for the 2020 (ISC)2 Global Achievement Awards. This awards program replaces the former (ISC)2 Awards Program, which had included the Information Security Leadership Awards (ISLA). The new program creates a unified, global platform for recognition of the most outstanding annual achievements in the field of cybersecurity. For years, (ISC)2 has honored and celebrated deserving cybersecurity professionals from around the world with its awards program, highlighting best practices and those who have gone above and beyond to inspire a safe and secure cyber world. The four categories now open for... Continue reading

By Javvad Malik, CISSP Can You Explain Encryption to Me? From: Thomas, Kevin Sent: 24 August 2019 10:43 To: Malik, Javvad Subject: Encryption Jav I’m updating the presentation pack for this months management meeting. Can you send me a short description of encryption so the SLT can better understand the solution. Kev From: Malik, Javvad Sent: 24 August 2019 11:03 To: Thomas, Kevin Subject: Encryption Hi Kevin, Encryption is the process of transforming information using an algorithm to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key. The result of the process is... Continue reading

The cloud today has become what Forrester calls “a turbocharged engine powering digital transformation around the world.” Digital transformation is propelling worldwide cloud service market projected growth from $182.4B in 2018 to $331.2B in 2022. Yet the cybersecurity skills shortage threatens safe cloud adoption and cloud security is the number one technology area most impacted by the shortfall. Because of this, many cybersecurity experts are finding themselves pushed by their employers to expand their expertise to the cloud. That was certainly the case for Nanditha Rao, Information Security Senior Advisor and Olayinka “Olay” Ladeji, Senior Principal Program Manager, Cloud Operations.... Continue reading

Earlier in the year, we announced an upcoming update to the CISSP-ISSAP certification exam. Coming in November, the CISSP-ISSEP exam will also be updated. The CISSP-ISSEP is a concentration certification exam for those who already hold the CISSP. The concentration recognizes certification for those who have the keen ability to practically apply systems engineering principles and processes to develop secure systems. Those who hold it have the knowledge and skills to incorporate security into projects, applications, business processes and information systems. When the updated exam blueprint takes effect starting on November 13, 2020, the CISSP-ISSEP exam will be reduced from... Continue reading

By AJ Yawn, CISSP Amazon Web Services (AWS) is the industry-leading cloud service provider by any metric you can find doing a quick google search. The shared responsibility model is generally understood by individuals managing production workloads that are hosted on AWS and *most* auditors understand how this impacts a SOC 2 or other compliance assessment (if your auditor asks you about the physical security of an AWS data center, close your laptop, leave the conference room and run away really fast!). AWS has developed several services and features to help manage the security of an organizations’ AWS account and... Continue reading

Hundreds of thousands of people have been asked to work for home with little information as to when things will be back to normal. Likewise, children are having to stay at home to avoid the spread of Coronavirus disease 2019 (COVID-19). Parents around the world are in the hunt for resources that can entertain and educate their children without breaking the bank or having to go outside. To help with this burden, the nonprofit Center for Cyber Safety and Education is offering, until the end of April, free access to its Garfield eLearning program. Children ages 6-12 will be able... Continue reading

ISC)² continues to grow as it recently surpassed a milestone of 150,000 certified cybersecurity professionals in 175 countries. This is good news considering the data in the 2019 (ISC)2 Cybersecurity Workforce Study indicates that the cybersecurity workforce needs hire 4.07 million professionals globally to close the skills gap to better defend organizations. “We’re extremely proud of our association’s growth over the past 30 years to support the profession and reach this member milestone,” said David Shearer, CEO, (ISC)². “However, we can’t stop now. The cybersecurity workforce still needs to grow by 145% globally in order to close the widening skills... Continue reading

There are just a few weeks left to submit your session to speak at this year’s Security Congress. The 10th annual conference will be held November 16 – 18, 2020 at the Hyatt Regency Orlando in Orlando, Florida. If you’ve never spoken at Security Congress - or any conference – before, you may not be sure where to start when it comes to your speaker submission. We’ve compiled five tips to help you write a great speaker submission and increase your chances of being selected! No pitches! We don’t accept any marketing or product pitch type of submissions. It’s ok... Continue reading

As published in the November/December 2019 edition of InfoSecurity Professional Magazine By Michael Bergman, CISSP An (ISC)2 member details a software security integration system that eliminates that ’50-page security policy’ for developers. Unless your organization is gifted with resources, your software development teams do not have a dedicated first-line-of-defense function that integrates controls and makes it easier for developers to secure the products they build. Instead developers, particularly those using Agile for project management, typically are handed a 50-page security policy document and told to “implement that along with your functional requirements, all within your two-week sprint cycle.” The result... Continue reading

U.S. healthcare institutions are under constant attack from cybercriminals, and unless hospitals take concrete steps to protect themselves, the situation won’t get any better. In 2019, the healthcare industry was the number one target for cyber attackers, with the cost of breaches totaling $4 billion, according to a new report. 2020 Vision: A Review of Major IT & Cybersecurity Issues Affecting Healthcare, published by security intelligence firm CyberMDX, provides an in-depth look at the causes and types of cybersecurity threats affecting the industry, as well as recommendations for healthcare institutions to fortify their cyber defenses. Attacks on healthcare are prevalent,... Continue reading

It’s time again for another (ISC)² Job Task Analysis (JTA) study, this time for the CAP certification. We frequently review and update our content outlines (aka exam blueprints) of our credentialing examinations. If you’re not familiar, the JTA is a methodical process used to determine tasks that are performed by credential holders and knowledge and skills required to perform those tasks successfully. As we prepare for a review of the CAP exam, we would like to hear from our CAP members! We would like you to comment on the new and emerging cybersecurity issues that should be addressed, but are... Continue reading

Being a CISO can be stressful. That should come as no surprise. According to a new report, the stress is bad enough to cause health issues and personal relationship crises, and on average, CISOs stay in each job for just 26 months. The CISO Stress Report by Nominet, a U.K. domain registry, reveals that 95% of CISOs work longer hours than they are contracted for and 88% are “moderately or tremendously stressed.” While CISOs are undoubtedly under a lot of pressure, it’s important to not paint all of cybersecurity with the same brush, and to draw a distinction between job... Continue reading

Cloud security today is touted as better than ever. So how do we explain the ever-increasing number of data breaches? According to the new white paper, Cloud Security Risks & How to Mitigate Them, the disconnect arises from a shared security model. Cloud Service Providers protect the datacenter, but customers are responsible for safeguarding their own data, and focus is shifting from the provider to the customer. To reduce risks, cloud customers must take charge of data security. This is no small feat as many are in a period of transition and facing a wide range of threats… Insufficient access... Continue reading

As published in the November/December edition of InfoSecurity Professional Magazine. It could be a blended attack as slick as a multichannel marketing campaign. Or a spontaneous crime of opportunity by a single dis-gruntled employee. It could even be an innocent configuration error. When a threat exists, there will be indicators. The perennial challenge is to hunt for signs in the right places and to isolate the signal from the noise. How best to find—and remove, where possible—such threats remains up for debate. Lance Cottrell, chief scientist at Ntrepid, approaches threat hunting less as a specific set of techniques than as... Continue reading

If you hold the CISSP certification, you may have asked yourself “What’s next for me?” as far as your certification journey is concerned. For many professionals, the next step is one of the CISSP concentrations: architecture, engineering or management. This year, the CISSP-ISSAP (Information Systems Security Architecture Professional) exam will be updated. The exam length (125 items in three hours) remains unchanged, as do the number of domains (six). However, the domains have been reordered and reweighted based on last year’s Job Task Analysis (JTA) which is a process by which professionals who hold the CISSP-ISSAP review the content of... Continue reading

As published in the November/December 2019 edition of InfoSecurity Professional Magazine By Naresh Kurada, CISSP Threat modeling is gaining even more attention with today’s dynamic threat environment. The sophistication of threat actors and development of advanced tactics, techniques and procedures (TTPs) has put a brighter spotlight on the process of finding vulnerabilities by incorporating the attacker’s point of view. There are several threat modeling approaches and techniques to consider. Often, these can be classified as asset-centric, system-centric, people-centric or risk-centric. For instance, Microsoft’s STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service and Elevation of Privilege) is system-centric, while PASTA... Continue reading

By Clayton Jones, Managing Director, Asia-Pacific for (ISC)² The past few weeks have been challenging. Governments, individuals and organizations are working hard to contain the spread of Covid-19. Many of us across the Asia-Pacific region are still haunted by the SARS epidemic that wreaked havoc back in 2003. At the time, I had a very young family and was new to (ISC)², which in the region was still in its infancy. I feared for the health of my family and was also very conscious of the potential impact an economic downturn in the region could have on my recently created... Continue reading

(ISC)²’s Certified Information Systems Security Professional (CISSP) is currently the sixth highest paying IT certification, according to newly published research. CISSP-certified cybersecurity professionals earn salaries averaging more than $140,000. The CISSP is one of just six IT certifications commanding salaries above $140,000, which places them on the 15 Top-Paying IT Certifications for 2020 compiled by training company Global Knowledge. The list contains salaries ranging from an average of $117,000 for Citrix Certified Professional – Virtualization to nearly $176,000 for Google Certified Professional Cloud Architect. The list’s top four certifications are either in cloud computing or cybersecurity, confirming that demand in... Continue reading

The number of U.S. data breaches bumped up 17% in 2019 but despite the increase, the volume of sensitive consumer records that were exposed declined substantially by 65%, according to a newly published report. These statistics are a complete reversal of what happened in 2018, when the number of exposed consumer records soared by 126% and breaches declined by 23%, according to the Identity Theft Resource Center’s (ITRC) End-of-Year Data Breach Report for 2019 Data breaches tracked in 2019 in the United States jumped to 1,473, from 1,257 in the previous year, the report revealed. Meanwhile, 164,683,455 sensitive records were... Continue reading

By Diana Contesti, CISSP-ISSAP, ISSMP, CSSLP, SSCP Ransomware is in the news lately with attacks on Norsk Hydro, multiple cities in Florida, Baltimore and Atlanta, not to mention the numerous hospitals that have been hit. These attacks have cost companies like Norsk an estimated $45 million due to lost revenues and the cost to restore and recover their IT department. The cost to the two cities in Florida is estimated to be $1.1 million and the tally continues to grow. Ransomware is short for ransom malware and has been around since the late 1980s, but is now gaining in popularity... Continue reading

In yet another sign that (ISC)2 is working to increase its international efforts and alliances, today we’re excited to announce a new strategic partnership with the Australian Information Security Association to work jointly toward a safer and more secure cyber world. As the press release outlines: “. . . the Strategic Partnership Agreement . . . recognises (ISC)2 certifications as the global standard for cybersecurity certifications that AISA members can aspire to and achieve. AISA will run quarterly certification sessions to its membership for (ISC)2 certifications including the CISSP, CCSP and SSCP, among others. AISA will promote to its members... Continue reading

By Diana-Lynn Contesti, CISSP-ISSAP, ISSMP, CSSLP, SSCP and John Martin, CISSP-ISSAP Continued discussion from Security Predictions for 2020 from the (ISC)² Community of Security Professionals (Part 1) Internet of Things (IoT), Industrial Internet of Things (IIoT) and Operating Technology (OT) related to the state of digital certificates The issue is not just self-signed digital certificates or expired certificates. Many of these devices have digital certificates, which need to be managed via a Key Management System and maintained. The fallout, of course, is that without proper controls, these devices can and will be compromised. Currently, the onus is on the consumer... Continue reading

By Diana-Lynn Contesti, CISSP-ISSAP, ISSMP, CSSLP, SSCP and John Martin, CISSP-ISSAP Cyber-attacks will impact businesses on a larger scale in 2020 and will affect those who are unprepared, whether it is attributed to human error or other disasters. In an effort to combat some of the issues faced by corporations, it is time for CEOs to grasp the mettle and officially buy-in with their security practitioners’ advice. We have all seen various vendors make predictions for Information Security for 2020. These predictions include an increase in targeted Ransomware, threats to the 2020 Elections in the U.S. and other countries, and... Continue reading

With RSA Conference in San Francisco fast approaching, SC Media has once again announced the finalists for its annual awards program. Winners will be announced at the SC Awards dinner and presentation on February 25 at the Intercontinental San Francisco. We’re proud to say that the CISSP has once again been recognized as one of the industry’s Best Professional Certification Programs for 2020 after receiving a Finalist designation in that category. The CISSP was also the winner at last year’s ceremony. The SC Awards are recognized throughout the cybersecurity industry as the crowning achievement for IT security, and winners are... Continue reading