CISSP stands for Certified Information Systems Security Professional. The certification is backed by the International Information System Security Certification Consortium, (ISC)², which will celebrate its 30th anniversary in 2019. To obtain the CISSP credential, candidates have to display an appropriate level of knowledge of IT security and, to maintain it, they must commit to continuous professional development.
For most SMEs, gaining CISSP certification would be overkill. It requires a degree of specialisation that benefits an expert but is just not required within an in-house team. Looking instead to ensure that your external IT team is CISSP accredited would be more advantageous, as these are the people who are in charge of your digital security and online systems.
Information security may be one of the most dynamic industry sectors there is. As we experience a period of rapid technological development, so the threats to system security just keep on changing in a way which would have been unimaginable to even our most imaginative ancestors.
For example, the idea of hackers stealing data through an online fish tank would once have been considered a wild science fiction fantasy; now it’s a sobering point in (recent) IT history.
As (ISC)² is only too well aware of this, they continually run educational events (mostly online) to keep their certified professionals ahead of the curve and they also negotiate discounts to real-world events run by other industry bodies.
Over recent years, consumers have become more aware of data security (and how it impacts them) through the worst method possible: a long succession of scandals demonstrating how even major companies can display a wide variety of security failings from basic carelessness to blatant abuse.
While it may seem very unfair to tar all companies with the same brush, it’s also completely understandable that customers will increasingly work on the basis of “once bitten twice shy” (even if they didn’t actually get bitten themselves) and start to look for evidence that a company can be trusted with their data rather than just assuming that companies can be trusted to be responsible unless there is evidence that they are not.
Having someone who is CISSP certified on your external IT team makes a clear statement that you are serious about information security and this will reassure customers that they can trust you.
Companies of all sizes are now increasingly thinking in terms of “centres of excellence” rather than operational silos. In other words, while departments are expected to have specialist expertise, they are also expected to work in partnership with other departments in a holistic manner and often also have to liaise with external parties of various descriptions in order to reach common goals.
With information security, team rivalries (such as competing for higher sales or wider customer reach) are often put aside as less important than the common threat of losing public confidence due to lack of security.
CISSPs have expertise in a wide range of relevant areas, including the law, forensics and disaster recovery, and if there is something they don’t know, they are well placed to find out (and quickly) through the support they receive from (ISC)² and, in particular, their access to its resources.