READY for What’s New at (ISC)² Security Congress in 2021? Cybersecurity professionals are facing some of the toughest challenges of their careers. The shift to remote work has been sudden and wide-ranging. Only about half (53%) of respondents to the 2020 (ISC)2 Cybersecurity Workforce Study say they were “very prepared” for remote work. It’s time to assess and reset. We are looking forward to our first-ever hybrid (ISC)² Security Congress on October 18-20. This year’s event will have something for everyone, whether you decide to attend virtually or in person at the Hyatt Regency Orlando. Based on your feedback, we... Continue reading

Accelerating Your Security Career Requires More Than Just Paying Attention Many InfoSec professionals have seen so many breaches, whether through personal experience, or in the news, that it becomes apparent that a new approach is needed to combat the existing and emerging threats. Since the cloud is embraced by most organizations, the ability to protect the organization is also changing and becoming an increasingly important capability for the security professional. One way that companies are achieving better security is by creating a resilient security approach. This resilience, especially in the cloud, requires an upgrade to the skills of many security... Continue reading

When it comes to compliance in cybersecurity there are many regulations in play, GDPR, CCPA, HIPAA, to name but a few. Whilst you may have to take a key role in these regulations, you need the support and engagement of your organization. One nominated person is not enough. In the case of an InfoSec professional, culture is frequently the difference between a successful, and a failed endeavor. This is especially true when attempting to navigate the many regulations that impact an entity. Trying to find unity in the directives, and often disparate suggestions in many regulations can be a maddening... Continue reading

Organizations have expedited use of and reliance on public cloud services to run their businesses in ways that would have been hard to anticipate, even a few years ago. And for many smaller businesses without dedicated cybersecurity functions, skills or tools, public cloud services could offer a level of protection they may otherwise lack on-premises. But don’t assume basic cloud security services are a cure-all or dissuasion to bad actors. Today there is no safe haven from ransomware. In fact, attacks are targeting data and applications in the cloud nearly as often as they are directed at on-premises resources. Read... Continue reading

Cybersecurity professionals are far more likely to hold vendor-specific certificates than certifications from a vendor-neutral association or standards-based organization, according to the (ISC)² Cybersecurity Career Pursuers Study. But when asked which qualifications they would recommend to cybersecurity newcomers, professionals tend to prioritize vendor-neutral credentials. This preference suggests that even though current professionals followed a more traditional, vendor-specific path when gaining experience in the field (55% of current professionals entered cybersecurity from IT backgrounds), they see greater value in pursuing broader professional qualifications for people starting their careers now. This is a perspective that may be informed by their own lessons... Continue reading

A Singular Aspect of Risk Management As a security and privacy practitioner, you understand the importance of risk management. Perhaps you are a member of the risk management committee in your organization, or you may serve in an advisory role for that committee. The enormous task of risk management requires careful thought and consideration. Some aspects of a complete risk management plan include the acknowledgment of known vulnerabilities, as well as predictions about unknown vulnerabilities. Topics such as security awareness training, threat management, access control, incident response, risk mitigation, and many others must be taken into consideration. While the majority... Continue reading

Nearly three weeks after (ISC)² made its highly popular Professional Development Institute (PDI) course titled “Ransomware: Identify, Protect, Detect, Recover,” free to the public through July 31, 2021, more than 4,500 professionals have enrolled in the course. The ransomware crisis has reached an all-time high, with numerous headline-grabbing attacks coming to light. Some attacks, such as the ones against Kaseya and SolarWinds, are having far-reaching effects that, by design, extend well beyond the original target. The current ransomware epidemic is leaving victim organizations struggling to remediate and others wondering if they’ll be next. However, with protection strategies and remediation plans... Continue reading

A very common complaint among information security professionals is lack of a budget to implement the best security tools. It may be true that recent newsworthy security events have increased many budgets, yet it never seems like enough. In many ways, this is true. It is like the difference between the base-model automobile, and the fully equipped model. What easier way is there to grant a system the authority to operate than with the most robust budget imaginable? Yes, it is nice to have all the flashing lights and automated features, but that is not always what is needed to... Continue reading

Is your organization protected with a stronger cloud security posture from new concepts and technologies like Zero Trust, micro segmentation, containerization and microservices? With Certified Cloud Security Professional (CCSP) training, cybersecurity teams are gaining a mastery of the latest cloud architecture, infrastructure, deployment models, risk management strategies and more. Read the Full Article. Continue reading

Last year was a first for (ISC)² Security Congress, as our conference took place entirely virtually. The COVID-19 pandemic forced nearly all events in 2020 to go virtual and we’re excited to take the experience from that event and use it to deliver an even better one for you this year. Whether you’re a first-timer or a returning attendee, you’re going to love the first-ever hybrid Security Congress. This year, the All Access Pass offers the in-person experience that so many of us have missed over the past year and a half, plus the option to attend sessions virtually. We... Continue reading

The Bean Counters Many years ago, a car was manufactured with a design flaw resulting in the gas tank catching fire when the car was struck from behind. Many deaths stemmed from this mechanical flaw. It was later revealed during subsequent wrongful death court cases, that the vehicle’s manufacturer was aware of the problem, had performed a risk/benefit analysis, and determined the cost to fix the problem would exceed any penalty levied by the courts. As a software security professional, you may question – what type of software could result in a risk to life? Imagine, however, a faulty calculation... Continue reading

The Certified Information Systems Security Professional (CISSP) certification is considered to be the gold standard in information security. This is so because of all the doors that certification opens to a CISSP professional. Those doors lead to many different types of positions and opportunities, thus making the information security community dynamic and multifaceted. In this installment, we talk to Theresa ‘Terry’ Grafenstine. Terry tells us about her time working as the appointed Inspector General of the U.S. House of Representatives and her journey to becoming Chief Auditor for Global Technology at Citi. She shares with us her passion for cybersecurity... Continue reading

Clar Rosso, (ISC)² CEO recently joined a roundtable of experts in an (ISC)² Think Tank webinar to highlight why it’s so important to the cybersecurity industry to focus on Diversity, Equity and Inclusion (DEI) as well as offer tangible and practical tips to address common challenges and tensions that often arise on the inclusion journey. The June 23 panel discussed why these initiatives often fail and how to push through the barriers that often keep them from achieving lasting transformation. Rosso was joined by Dr. Kevin Charest, Executive Vice President and CTO at HITRUST, and Samara Moore, AWS Security Assurance... Continue reading

Earlier this week, (ISC)² announced that the DoD approved both the HCISPP and CCSP certifications to its DoD 8570 Approved Baseline Certifications table on the DoD Cyber Exchange website. Why does this matter? This means that the entire roster of (ISC)² certifications are now required for different security workforce categories within the Department, depending on the functional area the role covers. Approval for these additions came from the DoD Senior Information Security Officer and a recommendation by the Cyber Workforce Advisory Group (CWAG) Certification Committee. The HCISPP has been approved for the following categories: Information Assurance Manager Level 1 (IAM... Continue reading

As we close out #RansomwareWeek here on the (ISC)² blog, a timely piece of news comes from The National Institute of Standards and Technology (NIST) in the form of new draft guidance for organizations concerning ransomware attacks, according to reporting by Infosecurity Magazine. As the body responsible for one of the most revered standards frameworks in the world, NIST’s entry into the discussion is remarkable. According to the Infosecurity Magazine article, “The Cybersecurity Framework Profile for Ransomware Risk Management features advice on how to defend against the malware, what to do in the event of an attack, and how to... Continue reading

As #RansomwareWeek draws to a close here on the (ISC)² blog, we turn our attention to how organizations can defend themselves. Yesterday, we announced that (ISC)² has granted free access to its "Ransomware: Identify, Protect, Detect, Recover" course through the Professional Development Institute to anyone who is interested in learning more about prevention and remediation. That’s because the consequences can be dire for organizations. The days of ransomware attackers demanding a few hundred dollars for a decryption key are long gone. Attacks have gotten more severe, and perpetrators have become bolder, demanding multimillion-dollar payouts from their victims. In March, CNA... Continue reading

In conjunction with #RansomwareWeek, today (ISC)² announced that its popular Professional Development Institute (PDI) course titled “Ransomware: Identify, Protect, Detect, Recover,” is now free to the public through July 31, 2021. (ISC)² recognizes the intense demand for ransomware prevention and mitigation content and has opened registration to anyone who is interested in the topic. The two-hour ransomware course is Quality Matters (QM) approved and upon successful completion, learners earn a certification of completion and digital badge. Successful course completion will also unlock a 25% discount off all PDI courses through July 31, including the All-Access Pass and the Express Bundle.... Continue reading

Welcome back to #RansomwareWeek here on the (ISC)² Blog! Today we’re linking you up with eight episodes from the award-winning (ISC)² webinar program that touch on ransomware and cover the key components surrounding the state of cybersecurity threats. These sessions can help teams to better understand cybersecurity attacks, prepare for defense and plan a response in the event of a security breach. Anatomy of a Targeted Industrial Ransomware Attack Ransomware-New variants and Better Tactics to Defend and Defeat These Threats Darktrace #1: Ransomware in Focus: How AI Stays One Step Ahead of Attackers Ransomware Deep Dive: Examining Disturbing Ransomware Trends... Continue reading

Welcome to #RansomwareWeek on the (ISC)² Blog. Ransomware attacks are receiving increased exposure in global news coverage with recent high-profile incidents at SolarWinds and Colonial Pipeline. These events have prompted many companies who previously may have felt secure in their practices to take a deeper look at their security measures and engage in deeper conversations surrounding threat management, cybercriminals, and cybersecurity training. This week we’ll be providing content resources that may be helpful to you, the reader, as your organization wrestles with ransomware prevention and remediation policies and best practices. As the first item in this week’s coverage, the massive... Continue reading

As a security practitioner, perhaps you have found yourself in meetings about Risk Management. Or, perhaps, you are part of the incident response team, where you are responsible for everything from preparation, through post-incident reporting. The common thread that runs through risk management and incident response are the “what if this happens” scenarios. Whatever your involvement in these preparatory exercises, the overarching concern of all involved is: When will the business be up and running normally again? When confronted with such dire circumstances, the realization of the need for Business Continuity and Disaster Recovery becomes as important as the business... Continue reading

Cloud security skills can be seen as very similar to the security skills for any on-premises data center. But in many instances, organizations are learning that their familiar applications cannot simply be “forklifted” to the cloud. Legacy applications can break when placed in a cloud infrastructure, and the entire security model is impacted as well. The need for a trained cloud security professional has never been more apparent. Explore how certified CCSPs ease the challenges of cloud security and add critical understanding to a largely misunderstood realm. READ THE FULL ARTICLE Continue reading