As organizations struggle to fill cybersecurity vacancies due to a worldwide shortage of 4 million professionals, they should consider implementing strategies to attract qualified candidates and prevent experienced staff from leaving. The (ISC)2 Cybersecurity Workforce Study 2019 lays out four strategies organizations should consider: Address cybersecurity team members’ needs with training and career development opportunities. Properly set internal expectations about applicant qualifications to widen the search for candidates as much as possible. Target recent college graduates and workers with degrees relevant to cybersecurity. Grow your cybersecurity team from within with further development and cross-training opportunities. All of these strategies are... Continue reading

The (ISC)² Chapter Recognition Awards are presented to official regional chapters of (ISC)² that best promote the vision of (ISC)² by inspiring a safe and secure cyber world. The chapters demonstrate a well-rounded offering of activities and services designed to benefit members and affiliates, while making a significant contribution to the profession and their local community through the core focus areas of the (ISC)² Chapter Program of Connect, Educate, Inspire and Secure. (ISC)² chapters self-nominated by completing a questionnaire on their accomplishments. Members of the newly formed Chapter Advisory Committee reviewed and scored the entries, and the top-rated chapter in... Continue reading

The cybersecurity industry in the United States and 10 other major global economies currently employs 2.8 million professionals. But the industry continues to struggle with a significant workforce shortage, and it would take another 4 million professionals to close the gap. That would mean an increase of 145% cybersecurity workers, according to the findings of the (ISC)² Cybersecurity Workforce Study 2019. The study, released this week, represents the first estimate of how many people are employed in cybersecurity. Countries covered by the study are the U.S., U.K., Canada, Germany, France, Australia, Singapore, Brazil, Mexico, Japan and South Korea. According to... Continue reading

On November 1, 2019 CNBC’s Nightly Business Report featured the growing need for qualified cybersecurity workers in their “Help Wanted” segment. The (ISC)2 Cybersecurity Workforce Study, 2019 served as the foundation of this story, which pointed to the newly reported shortage of 4 million trained cybersecurity professionals worldwide. Cybersecurity analyst Mandi Ingersoll of TDI Security, a cybersecurity firm in Washington, D.C., began her career in cybersecurity in the U.S. Navy. She chose to stay in the field after retiring from military service. “It’s interesting because it’s always something new.” TDI’s CEO, Paul Innella, CISSP-ISSMP says the firm has had trouble... Continue reading

Human Spirit Admiral William H. McRaven (retired) was one of the speakers at (ISC)2 Security Congress who received a standing ovation. Another was Eric Wahl, an artist and best-selling author, who delivered the lunch hour keynote on the second day. He mesmerized the audience by painting portraits of Michael Jordan, John Lennon and Albert Einstein to heart-pounding music in a matter of minutes. He urged attendees to let the human spirit drive them even as they increasingly rely on digital tools, data, analytics and automation to do their job of protecting people and organizations. Wahl talked about the importance of... Continue reading

Sometimes you need a boatload of people to help you through. It’s a lesson Admiral William H. McRaven (retired) learned after a parachute accident that left him bedridden for months. The accident happened while he was participating in a Naval Special Warfare exercise involving a 1,000-foot free-fall jump. McRaven, who served as the ninth commander of the U.S. Special Operations command from August 2011 to August 2014, got both legs tangled in his parachute because another parachutist was underneath him and opened his chute into McRaven’s falling body. When McRaven opened his own chute, his legs became tangled and the... Continue reading

The cyber ecosystem is changing faster than ever, creating new attack surfaces and increasing the challenge of defending against new and evolving threats. The fast-changing landscape requires new ways of thinking and approaches to protect environments that spread across on-premise and cloud infrastructures and connect IT with OT (operational technology) systems. Just accepting that the expansion of the ecosystem – and the growing presence of technology in our lives – will increase risk isn’t good enough. This is a point (ISC)2 CEO David Shearer made clear at the kickoff of the organization’s Security Congress 2019 this week in Orlando. We... Continue reading

While cybersecurity spending is expected to hit $124 billion this year, only a small portion of it will go toward identity management. Yet, a disproportionate number of breaches occur because of flaws in access management and dangerous practices such as the sharing of passwords, according to Tariq Shaikh, CISSP, Senior Security Advisor for CVS Health. Identity management spending accounts for 5% to 10% of total cybersecurity spend. When it comes to privileged access management (PAM), Shaikh said the portion is even smaller -- 1%. It’s time to change that, he argued during a session on PAM at the (ISC)2 Security... Continue reading

While artificial intelligence (AI) has gotten a lot of attention in recent years as a possible solution for cybersecurity issues, Winn Schwartau argues there’s a long way to go before we can trust AI and its siblings, machine learning (ML) and deep learning (DL), to deliver the results we need. During a presentation on the ethical bias of AI-based systems at the (ISC)2 Security Congress 2019, Schwartau said significant problems with AI need to be overcome before we can fully trust it with something as important as cybersecurity. Schwartau, a top expert on security and privacy, is the Chief Visionary... Continue reading

Whenever new data privacy and cybersecurity laws go into effect, they create more work and responsibilities for cyber professionals. This reality hasn’t gone unnoticed by attorney Scott Giordano, who reminded cybersecurity professionals during a session about the California Consumer Privacy Act (CCPA) that the law will create new duties for them. Giordano, Vice President of Data Protection at Spirion, went over details of the law, which takes effect on Jan. 1, 2020, and how organizations should prepare for it. His was one of a series of presentations at the 2019 (ISC)² Security Congress, taking place in Orlando this week, about... Continue reading

At public events, speakers and performers often ask the audience to turn off their mobile phones, but Catherine Price really meant it. She asked attendees of Tuesday’s keynote speech at (ISC)2 Security Congress 2019 to actually press their phones’ power button. “I’m going to guess a lot of people are feeling uncomfortable. A lot of you faked it. A lot of you are probably hating me right now,” said Price, a journalist and author of the book, “How to Break Up with Your Phone.” For the next hour, Price discussed the reasons we are so tethered to our phones, what... Continue reading

When doing their work, cybersecurity professionals often come across situations that put their skills to the test. And sometimes those tests have far less to do with technology or business than with questions of ethics. When cyber professionals discover vulnerabilities while performing penetration tests or some other security-related work, is it OK to disclose those vulnerabilities publicly? What happens if system owners are made aware of issues but decide to ignore them? And at which point, while testing systems containing private information, do cyber professionals reach a line they should not cross? These questions were part of a lively panel... Continue reading

The spotlight was on safety at the kickoff this morning of (ISC)² Security Congress 2019, taking place this week in Orlando. First, (ISC)² CEO David Shearer talked about the role that association members have in protecting society through their cybersecurity work. Then, Capt. Chesley Burnett "Sully" Sullenberger, the pilot of flight 1549, which landed on the Hudson River in January 2009, related the events of that day and how he and his co-pilot, Jeff Skiles, safely landed their U.S. Airways Airbus with everyone aboard surviving the event. Shearer spent much of his kickoff address on the importance of abstracting what... Continue reading

It is widely known within the cybersecurity field that there is a severe talent shortage. Organizations across all industries are facing major challenges in staffing their security teams to protect themselves from cyber threats. Healthcare, along with finance and retail, is one of the most commonly-targeted industries by cybercriminals. As the (ISC)2 Cybersecurity Workforce Study revealed, the deficit of cybersecurity professionals has reached critical levels, at nearly 3 million worldwide. According to the March 2018 McAfee Labs Threat Report, healthcare is the most targeted of any sector for cybersecurity attacks. Ransomware attacks, specifically in the healthcare sector, increased by 210... Continue reading

by Adam M. Lechnos, CISSP Payment Card Industry Data Security Standards or PCI DSS, are a set of 12 requirements with over 300 controls which apply to any organization which stores, processes or transmits credit card data. Today, I will attempt to add some clarity around PCI compliance within AWS. Concepts and practices were sourced from the referenced document below and here I will break it down further. I do suggest you first read the Architecting for PCI DSS Scoping and Segmentation on AWS and come back to enhance your understanding of the methods being applied and its rationale. For... Continue reading

When M&A auditors look at a target company’s tangible assets, in the vast majority of cases that includes cybersecurity. In a new (ISC)² study about the impact of cybersecurity in M&A, 95% of respondents say they consider cybersecurity infrastructure “a tangible part” of the value calculation. The stronger the infrastructure, including soft assets such as risk management policies and security awareness training programs, the higher a target company’s value will be, according to 82% of respondents. If an audit reveals weak security practices, 52% of respondents would view the cybersecurity program as a liability. What this means for organizations considering... Continue reading

As published in the July/August edition of InfoSecurity Professional Magazine By Crystal Bedell As a former cyber analyst for the government, Masha Sedova has seen firsthand what a Russian state-sponsored attacker is capable of. So, when she was charged with building a security culture at Salesforce in 2012, she knew an employee newsletter and animated videos wouldn’t prepare end users in the event of a targeted corporate attack. “I thought, ‘There’s no way this will work. It’s a waste of time,’” says Sedova, co-founder of Elevate Security in Berkeley, Calif. “In order for an organization to withstand an attack like... Continue reading

As published in the July/August edition of InfoSecurity Professional Magazine By Pat Craven, Director of the Center for Cyber Safety and Education As cybersecurity and cyber safety continue to become a growing global conversation, there are an increasing number of themed days and events to help promote the industry and highlight the need to educate people on how to be safe online. One of the biggest promotions of the year is Cybersecurity Awareness Month in October. October is a busy time of year for your Center for Cyber Safety and Education. We plan all year for Cybersecurity Awareness Month, and... Continue reading

Cybersecurity threats are a major concern for businesses of all sizes, and that challenge can have repercussions when a company puts itself on the selling block. One of the things buyers will want to know is whether the company has had a breach and, if so, how it was handled. If the business can show it addressed the breach in a satisfactory way and learned from the experience by fixing its security vulnerabilities, its sale value increases, according to 88% of respondents in a new (ISC)² study titled Cybersecurity Assessments in Mergers and Acquisitions. The study reveals that cybersecurity audits... Continue reading

IT service providers have recently become a common target of cyber attacks and 11 of them have been compromised since July 2018. Attackers target providers in attempts to gain access to their customers, according to a blog post by Symantec. What makes this especially ironic is that IT service providers often are the same companies that businesses hire to protect them against cyber threats. It’s not exactly a new tactic by cybercriminals, who in the past have even attacked security vendors. Perpetrators also have been known to target some companies purely to get to their business partners. This practice was... Continue reading

Earlier this week, S4 Inc. announced that it has been added to (ISC)²’s roster of Official Training Providers. Based in Colorado Springs, S4 is celebrating its 20th anniversary and has supported US Government, DoD and DHS agencies since 1999. S4 is now offering its first official (ISC)² Training Seminar for the CISSP certification beginning on September 30th, 2019. Other instructor-led training seminars will also be available later this year for the CCSP, CSSLP and CAP certifications. If you’re in the local area, you can register here. S4 will also host an open house this Friday, September 20, at its 8800... Continue reading

The cybersecurity skills gap means companies are scrambling to fill security positions, and that presents an opportunity for you to find security work – even without direct experience. Faced with a critical shortage of qualified candidates, organizations are increasingly taking chances on nontraditional applicants and training them for security roles. One way to bridge a cybersecurity experience gap and get started? Make the case for your transferable skills. Success in security requires a mix of technical and soft skills. These can potentially come from ANY previous job. Analytical skills, enthusiasm for exploring technical questions and issues, and diagnostic experience will... Continue reading

by Dr. Chris Veltsos, CISSP, member of (ISC)² Advisory Council of North America Hardly a day goes by that I don’t hear or read about the benefits of mentoring. Can a good mentoring experience fix what ails organizations today? I’m not a mentoring guru so I can’t answer that particular question, but what dawned on me is how many people seem to think of mentoring as a narrowly defined relationship where the mentor gives — time and advice — and the mentee receives that information. While the relationship has value, in this article, I wanted to share other forms of... Continue reading

Thank you for your feedback! We have concluded the process of receiving feedback as of October 4, 2019. (ISC)² regularly conducts Job Task Analysis (JTA) studies to review and update the content outline (or exam blueprint) of its credentialing examinations. A JTA is the methodical process used to determine tasks that are performed by credential holders and knowledge and skills required to perform those tasks successfully. Results of the JTA study link a candidate’s examination score directly to the domain knowledge being tested. The existing exam blueprint for CISSP will be reviewed in early 2020. In preparation for the upcoming... Continue reading

by Paul Lanois, SSCP, CIPP, CIPT, CIPM, Member of the (ISC)² Advisory Council of North America Privacy Working Group and Eric Tierling, CISSP, Member of the (ISC)² Advisory Council of North America Privacy Working Group If you have spent any amount of time online recently, then it is extremely likely that you have already heard about the General Data Protection Regulation (the "GDPR"), the European regulation which came into effect on May 25, 2018 and which governs data protection or individuals which have their personal data processed or stored by an organization within the European Economic Area (EEA). Meanwhile, information... Continue reading