CISSP – Certified Information Systems Security Professional (Podcast)

Dave and Steve talk about CISSPs, trained and certified security professionals, and why having one on staff at your IT company is critical.

Portsmouth Computer Group · CISSP (Certified Information Systems Security Professional)

Dave Hodgdon: Good afternoon and welcome to PCG Tech Tuesday. My name is Dave Hodgdon, and I’m here today with one of PCG’s security experts, Steve Ripper. Steve, how we doing today?

Steve Ripper:    We’re doing good, Dave. It’s good to be here.

Dave:   It’s the first day of summer. It’s a beautiful day here.

Steve:   And we’re in this podcast room.

Dave:   Well, don’t we love the podcast room?

Steve:   Can we do an outdoor podcast? Would that work?

Dave:   Yeah, give it a shot. We’ll drive around in the van and put the big bullhorn out there and drive around so people can hear us.

Steve:   We can get out there and get the security information out there. We can talk about MFA. We can blare it out to the masses.

Dave:   Oh, it’s a beautiful thing. Today’s topic is dear to all of us in the security world, and we’re going to talk today about ACE, what it means to have a certified information security and systems solutions professional on your staff and why it’s critical to your business, Steve.

How Does Having Access to a CISSP Add Value to a Small Business?

That word CISSP is a big word, but let’s break it down for our audience and talk about that and how it’s important to the business. So Steve, how does access to a CISSP certified professional add value to the day-to-day process of running a small business?

Steve:   Yeah, so having someone who’s had that training, passed the exam for the certification, which is one of the hardest ones in the industry, we’ll talk about that in a little bit, but it adds someone who’s giving you advice who has gone through the process from a big picture standpoint of what the security for your company needs, from your line of business applications, to your identity access, from what to do about backups and disaster recovery, how to meet compliance standards, all the way up to things like how to design your facility to have better security, and what you need to do for things like biometrics and cameras and different methods like that. It really adds a holistic big picture look at how security goes and what you need to do to get to a better posture for it.

Dave:   Yeah. In today’s world of security, a lot of businesses…there’s so many security services and tools out there, but I really feel this service is different. It’s about understanding the business, understanding what they’re trying to accomplish to protect their cash, to protect their reputation, to have policies in place. Let’s talk about how that CISSP really brings that value down to the client.

Steve:   Yeah, so it starts with risk assessments, and we’ve done risk assessments for several customers, but we need to do more of them, where we go through a question process and we apply something like NIST that has controls that you either meet or you don’t meet. Think of it as a game plan. We’re going to go through that, and we’re going to talk about what you need to do, where you are at now, and what you need to do to get to a certain place. We’re going to talk about the compliance needs that you have. We’re going to talk about business continuity. We’re going to talk about incident response plans.

Dave:   That’s big.

Steve:   Yeah, so the business continuity. What do you do, big picture, in terms of your business if something goes wrong, a major event, things like that? Incident response policies. What do you do for smaller events? You’ve been hacked or there’s a ransomware. Those don’t sound small, but maybe they’re small compared to business impact analysis, where you’re looking at major fires or the whole region has a problem.

Incident response policies are more for “what are the procedures that we follow when something goes seriously wrong and we’ve detected it, we’ve figured it out, or we’ve stumbled into it?” Then “what do we do from there?” From how to mitigate it, how to start managing it, when to let the customers or your customers know, when to alert the media, when the C-suite needs to know about these things. These are all things that you do, and these are all things that CISSP professionals are trained for. They’re questioned and tested on the certification exam to make sure that they understand how to go about it and what questions to ask and what kind of things you have to do to make it go the right way.

Security Testing

Dave:   Yeah, I see that, Steve, as a checklist. Without that thorough training and having that checklist of what are you going to do should an incident happen from your cyber insurance, checking with the FBI. So if having a checklist is the kingpin to help this happen…because if something does happen, that incident response, it’s nice not to panic.

I remember the days in school, the fire alarm going, they went out. Everyone’s in their single line. We got through it. It was all testing. But we have to take that same process to this, right Steve?

Steve:   Yeah, absolutely. I think it’s always one of the funny questions in the risk assessment. Again, we’re not coming up with the questions for the risk assessment. NIST is coming up with the questions, and there are many controls that you can run. You can run CMMC Level 3. You can run GLBA. There’s a lot of different ones out there.

But in the NIST one, there’s one, Dave, where it goes, “Do you have the phone numbers that you need written down for during your incident response?” Whenever I do the risk assessment, the company owners, or whoever’s doing it with me, the person in charge of it, will always look at me like, “Well, we know 911 and we know your phone number at PCG.” I always have to explain to them that that is not the point of the control. The control is “what happens if you’re not available? What do you have immediately at hand that makes the panic that’s going on because an incident has happened?” Whether it’s a fire, whether it’s a breach, whether it’s a phishing attack, whether it’s ransomware, whether somebody has literally come into your facility and stolen something, these are all things that create…they create chaos, they create panic.

Do you have things written down so that if someone who has never thought about this before, they can follow the steps and call the right people, and get moving on it? Assume that you’re not going to be there. Assume that you’re going to be audited, and these are going to be questions that the auditor is going to ask. If you stumble on it, you say, “I think so,” that’s not the right answer.

Yeah, you’d be amazed at the things that you don’t think about. Having a list and going through the policies that you need to do is really important.

Dave:   I feel a lot of people, even though we talk about having that guide is … not only should it be written down, saved, not only at the business or at your home, that data… A lot of times if you have that plan on your network and your network’s down, you’re not going to have access to it. You want to make sure you have access to that should something happen.

How Do You Become a CISSP?

How does an IT professional become a Certified Information Solution Security Professional, Steve?

Steve:   It’s pretty easy. You just take the worst exam ever devised in the history of mankind, or at least that’s how it felt to me. It’s one of the hardest exams in the industry. But yes, it’s months and months of studying, and then you take the exam. You take it at a certified testing facility, and then it can range from anything … it’s always over 100 questions, but can range from 100 questions to 175, depending on what it’s trying to test you on. They are adaptive.

In addition to just passing the exam, you do also have to have requisite experience.

Dave:   That’s big.

Steve:   Yeah, they don’t just let anyone take the exam and then just say, “Hey, I’m doing it,” which is how some of the certifications in the industry are, but the CISSP is not like that. You have to have at least five years, and they prefer much more, of relevant IT experience, whether it’s being a manager, or like myself, in my case, I have more than 25 years of just being an engineer and in the field and at places. But they require an experience component to go along with you passing the certification.

Dave:   I think that’s just as big, Steve, that experience, which we know that you have, of that ability of seeing multiple businesses, multiple environments and multiple setups, so many security concerns in the industry, of just you having that day in, day out, of just understanding anything that can possibly go wrong, that you’ve got that. That’s huge.

Steve:   Yeah, exactly. You’re talking about an exam that’s very broad in scope. I was amazed at how broad it was, the different categories, going through the book. If I fell asleep, it would’ve broken my nose if it hit me in the face. That’s how big this book was. But the number of topics in there, from physical security, to risk assessments, to software development, how to secure your software development, straight up to incident responses and business impact analysis and how to talk to senior management, it’s really just an exam that tests and trains you to be a security executive within your company and to advise other companies on what to do when these types of questions come up.

Differences Between a CISSP and a Standard IT Professional

Dave:   What are some of the major differences between the outlook of a CISSP professional and a standard IT professional?

Steve:   Yeah, so again, I’ve mentioned it a couple times, but a CISSP professional is going to look at the big picture of how secure is it. So you might be talking to some of your salespeople or your sales manager and you might talk to the director of engineering and you might talk to the CIO and so on, but they’re all going to have their unique perspectives. The engineers are going to talk about what their challenges are. The salespeople are going to talk about what it takes to convince a customer to buy something.

But the security professional is trained to look at how this impacts security specifically. “That’s great that you want to implement this new software, but what about this part?” Or, “How does it handle MFA? How does it handle identity management? Where is it being siloed? What are the protections on that? How are we backing that up? What are the training requirements? How are we making sure that the data that we put into it is then not accessible by the world or that we’re protecting it, that it’s proprietary? How are we making sure that it meets the compliance and privacy regulations for wherever we’re going to sell our product that that program has something to do with?”

Dave:   That compliance is big.

Steve:   Yeah, it’s huge. Especially if you’re doing any work with Europe, their compliance requirements are much stricter in terms of privacy than the United States is at this time. So you need to be aware of that, and that’s where a CISSP person really, really shines.

Dave:   Yeah. I’m proud that PCG is one of the few managed security and services providers that has two of these CISSPs on staff. Great insight, Steve. Any other closing thoughts on CISSP?

Steve:   Yeah, I hope I never have to take that exam again, but I’m glad that I did it because I’m really enjoying this part of my career, where I’m talking about the security arrangements of it, as opposed to just whether it’s humming and it’s blinking. Because the ramifications of it, like I said, it was just amazing how many different parts of the business it touches. Dave, it’s so important these days. Security has never been more important and will just continue to be going forward.

Dave:   Well, I think one thing I’ve noticed is the WISP, the written information security, your internet policy, your remote workforce. You’re able to take that, the years of experience and insight in security and how to apply that to many company policies.

Steve:   Yeah. Absolutely, Dave.

Dave:   All right, grateful for everyone joining us today in the wonderful world of being a CISSP. Have a great day.