Important Certifications You Want from Your Managed IT Services Partner

The certification group’s long name is usually shortened to (ISC)2 because the full name is a mouthful.

The Special Interest Group for Computer Security got several organizations interested in standardization and certification in the cybersecurity industry back in the mid ‘80s. One of the early products of that collaboration was founding the non-profit (ISC)2, in 1989.  

(ISC)² created and maintains a Common Body of Knowledge that their certifications are based upon, and which defines industry standards and best practices in information security.

The CISSP is a foundational information security certification issued by the non-profit standards group, for security analysts.  

CISSP is not just given to anyone willing to pay the issuing agency’s fee. In fact, as of July 2021, there are slightly fewer than 93,000 CISSP members in the U.S. Before an information security professional sits for the exam, they need five years of direct full-time paid work experience in two or more of the (ISC)² information security domains (listed below). They have to attest that their assertions regarding professional experience are true, accept the CISSP Code of Ethics and pass a background check.

Once all that is in place, they have to score at least 70 percent on a three-hour multiple-choice exam and get a passing grade in each of the eight domains covered by the test. Anyone who fails one of the domains fails, even if they aced the rest of the exam.

The information security professional who passes the test must then have their another (ISC)² certification holder in good standing endorse their qualifications.

The domains tested in the exam administered by the (ISC)2 include:

• Security and Risk Management
• Asset Security
• Security Architecture and Engineering
• Communications and Network Security
• Identity and Access Management
• Security Assessment and Testing
• Security Operations
• Software Development Security

CISSP was adopted as a baseline for the U.S. National Security Agency’s ISSEP program, in 2003.

Also, ANSI certifies that CISSP meets the requirements of ANSI/ISO/IEC Standard 17024, a personnel certification accreditation program.

Information security professionals who earn the CISSP credential have proven they have what it takes to design, implement and manage a world class cybersecurity program.

ISSMP certification documents excellence in establishing, presenting and governing information security programs. Holders of this certification have demonstrated deep management and leadership skills used in leading incident handling or managing a breach mitigation team.

Only those who have a valid CISSP credential may obtain the ISSMP concentration specialty. The knowledge base and experience required to achieve this credential is intense. There were only 1,324 (ISC)² members holding the CISSP-ISSMP certification in the whole world, as of July 2021.

In order to earn the ISSMP concentration credential, CISSP holders must pass a 125-question exam that covers six domains of information security management knowledge:

• Leadership and Business Management
• Systems Lifecycle Management
• Risk Management
• Threat Intelligence and Incident Management
• Contingency Management
• Law, Ethics, and Security Compliance Management

SSCP certification holders have demonstrated  the advanced technical skills and knowledge necessary to implement and administer an IT infrastructure that incorporates the information security best practices and procedures established by (ISC)² cybersecurity experts.

The SSCP is designed for IT administrators, managers, directors and network security professionals responsible for the hands-on operational security of their organization’s critical assets, according to the credentialing agency’s website. They add that the designation is most often useful for Network Security Engineers, Systems Administrators and Engineers, Security Analysts and Administrators, Network Analysts and Database Administrators.

SSCP certification requires applicants with at least one year’s work experience in one of the SSCP domains get a grade of at least 70 percent on the 125 question, three-hour exam. The certificate has to be renewed every three years. 

The credentialing agency acknowledges commonalities between CISSP and SSCP credentials but argue that is true for most things in the field. The (ISC)2 insists the two certifications are completely different because they were developed from distinct perspectives and have different objectives.

The SSCP was designed for technical practitioners and covers how to use, design and apply security to technology. So, CISSP certification holders would probably find the SSCP exam more difficult since it’s focus is more technical in details.

CISSP certification, on the other hand, was designed for leaders and emphasizes building programs and applying security concepts for a business. The frames of reference between the certifications are diametrically opposed because SSCP focuses on technical aspects while CISSP involves the business aspects. The SSCP has more depth but CISSP has more breadth because it encompasses a wider viewpoint.

The Ponemon Institute’s 15th annual “Cost of a Data Breach Report” said the average cost of a data breach at medium-sized enterprises (ones with 3,400 to 99,730 records) was $3.86 million, in 2020.

The research is conducted independently by Ponemon Institute. The results are sponsored, analyzed, reported and published by IBM Security.

Mega breaches, from enterprises with between 1 million and 10 million records cost an average $50 million – more than 25 times the average cost for breaches of less than 100,000 records.

Lost business costs, such as increased customer turnover, revenue lost while the system was down and increased costs to attract new customers after suffering reputational damage, accounted for nearly 40 percent of the average total cost of a data breach. The study ball-parked the average 2020 cost at around $1.52 million per breach.

Stolen or compromised credentials and cloud misconfiguration were the leading initial threat vectors by the study, which said each was responsible for about 19 percent of reported malicious breaches. Third-party software vulnerability caused another 16 percent.

Organizations studied pointed to security skills shortages as a leading factor contributing to increased data breach costs. The same companies opined that managed security services lowered average data breach costs.

The study also indicated that a MSP may simplify security, and risk, through continuous monitoring supplemented by integrated solutions and services. 

Reach Out to BACS Today to Discuss Our Certifications and What They Bring to Your Business

It’s hard to keep what’s yours, yours, because there are many bad actors trying to make it theirs. This is especially true with information because that asset is as portable as it is valuable. The sophistication and persistence of attacks by cybercriminals puts the onus on the CIO or CISO of an enterprise because you have to be doing everything right, all the time. Cybercriminals only need to get it right one time to devastate an enterprise.

A cyberattack may be a data breach designed to capture customer PII for resale on the dark web or a ransomware attack that demands bitcoin payment in exchange for releasing your data. Digital threats are constant, expensive to prevent and recover from, and require an increasing share of an enterprise’s financial resources.

That probably explains the findings of the Ponemon Institute study that showed partnering with an MSP can lower costs of data breach prevention, detection, and recovery. The MSP may help deliver a little “shock and awe” to malicious actors trying to exploit an unknown unknown.

If you are looking for a free assessment of your security network, along with a conversation about how extra protection could save your business time and money, please contact us here at BACS IT today.