The Top 5 Security Certifications Required by CISOs
First of a two-part series
A 15-year-old boy was arrested this week in connection with the cyber attack on UK broadband service provider TalkTalk. The personal information of 4 million customers may have been accessed, company officials revealed last week. More than one-fifth of the company's value has been wiped out since news of the hack spread last week, according to the Financial Times.
Security experts say the attack was nothing out of the ordinary and that the fault lies with the company. The breach could expose TalkTalk to enormous financial liabilities and is already drawing intense scrutiny from lawmakers.
The TalkTalk hack highlights the increasing pressure on security professionals to anticipate and prepare for cyber attacks. One way is to ensure that the security staff and service providers have up-to-date security certifications. CISOs are increasingly looking for these credentials when hiring professionals who are responsible for enterprise security.
Here’s a list of the top industry-backed security certifications that IT organizations should look for in a service provider and among its IT staff:
1. PCI Certification
The Payment Card Industry (PCI) Data Security Standard (DSS) is backed by American Express, MasterCard Worldwide, Visa Inc. and the other founding card brands of the PCI Security Standards Council. PCI DSS requires merchants and service providers that store, process or transmit cardholder data to adopt information security controls and processes that protect that data. It's wise to confirm that your cloud or security provider is listed by the PCI Security Standards Council as an Approved Scanning Vendor (ASV), which means the provider is authorized to perform the external vulnerability scans of Internet-facing systems that the DSS requires of merchants and service providers. As an ASV, the provider can help you identify and manage data security risks, evaluate the exposure of systems that handle payment account data, and support your PCI DSS compliance effort. One caveat: an ASV scan covers only externally reachable systems and is just one DSS requirement (the quarterly external scan); it is not a full PCI DSS assessment, which is done by a Qualified Security Assessor or through a self-assessment questionnaire, and a provider's own ASV status does not make your environment compliant.
2. Certified Information Security Manager
The Certified Information Security Manager (CISM) credential comes from ISACA (the Information Systems Audit and Control Association) and identifies security professionals qualified to design, manage and oversee an enterprise information security program. The CISM targets IT security professionals with enterprise-level security management responsibilities; candidates must pass a comprehensive examination and have at least five years of information security work experience, including a minimum of three years in security management, among other requirements.
3. Certified Information Systems Security Professional
The Certified Information Systems Security Professional (CISSP) certification is vendor neutral and backed by (ISC)², a globally recognized not-for-profit organization dedicated to advancing the information security field. The CISSP was the first credential in the field of information security to meet the requirements of ISO/IEC Standard 17024 and is regarded worldwide as a standard of achievement; candidates must pass the exam and document at least five years of paid work experience across the CISSP domains. CISSPs have the "proven deep technical and managerial competence, skills, experience, and credibility to design, engineer, implement, and manage their overall information security program to protect organizations from growing sophisticated attacks," according to (ISC)².
4. CompTIA Security+ Certifications
Providers whose IT staff hold the CompTIA Security+ certification generally have expertise in areas such as cryptography, identity management, security systems, security risk identification and mitigation, network access control, and more. The CompTIA Security+ credential is internationally recognized and is also approved by the U.S. Department of Defense under DoD Directive 8570.01-M as meeting the baseline requirements for certain information assurance (IA) technical and management positions.
5. LPT Certification
The International Council of E-Commerce Consultants (EC-Council) offers a two-part EC-Council Certified Security Analyst/Licensed Penetration Tester (ECSA/LPT) program designed to demonstrate a professional's ability to audit network security, perform penetration testing and recommend corrective action for any weaknesses found. According to the EC-Council, candidates must demonstrate mastery of the skills required to conduct a full black-box penetration test of a network. The exam simulates the complex network of a multinational organization in real time, consisting of multiple networks with different militarized and demilitarized zones.
Learn about Masergy’s Professional Services including security audits and penetration testing.