The Many Advisory Roles of a CISSP

A Long and Prosperous Career

Throughout your cybersecurity career, you will spend a lot of time in the world of identify, protect, detect, respond, and recover . Sometimes, the skills required for the job can range from the mundane, such as running a phishing campaign, to some nail-biting, all-nighters of remediation (after someone ignored your carefully crafted phishing campaign and clicked on a malicious link).

Your skills were not easily acquired. Perhaps you derived these skills from tinkering with machinery, dumpster-diving, and everything in between. Information security research has transitioned to more sophisticated tools and methods. The entire security profession has been elevated to new levels that require more than just technical know-how. In some cases, a person is required to possess a certification, such as a CISSP credential, in order to get a particular job. The CISSP credential shows that a person is not only a dedicated information security professional, it also indicates some expertise in managerial skills, such as policy development, regulatory compliance, and risk management.

Who Needs Soft Skills?

Many of the skills required in a corporate environment are classified as soft skills. 

Soft skills are a discipline unto themselves. When we examine the work of social engineers, we witness mastery of soft skills. But rather than just using these skills to elicit a desired response, soft skills are important for every day interactions, and are vital in many professional situations. The soft skills required to be an effective information security professional are more important than ever. One of these skills that immediately comes to mind is the advisory capacity that an information security professional will encounter. This is particularly true of a person who possesses the CISSP credential.

For many years, information security professionals have longed for “a seat at the table ” in executive meetings. Thanks to certifications, such as the CISSP designation, the field of information security has been given legitimacy in organizational decision-making.    

Many Hats and Many Roles

One of the greatest benefits of studying for the CISSP exam is the vast subject matter covered in the Common Body of Knowledge (CBK ). Students often wonder why so many topics are included in the CBK. The simple answer is that in a professional setting, a CISSP may need to work on multiple projects in different disciplines as a normal part of the daily routine. In fact, one could argue that the “daily” is anything but routine in the life of a CISSP.

You may find yourself on the way out of a meeting about database security, only to be approached by an executive who wants to know about a news story regarding a breach at a company similar to where you work. Or you may walk into a meeting about application security that drifts into a discussion about business continuity. A person who holds the CISSP credential will be invited into many advisory meetings. 

Sometimes, the invitations to participate will be formal, with a set agenda. Most often, however the conversation is impromptu, starting with a person stating “Can I ask you a question?” That is the perfect time to connect all the hard skills with the soft skills. The ability to gain the required experience as well as the required exam to achieve the CISSP credential makes you a subject matter expert in the field of information security.

But Wait, There’s More

A request for advice can come from a variety of sources, and a subject matter expert needs to be able to change direction and focus at a moment’s notice. Some of the many ways that a person with the CISSP credential will collaborate within a company include:

• Risk Management – the ability to accurately track and report on events that can be measured against key risk indicators for an enterprise.
• Business Continuity and Disaster Recovery – the knowledge of all the “moving parts” of devising and guiding an organization’s continuity and disaster planning, execution, and testing.
• Security Awareness – Promoting a security mind-set and weaving security into the culture of the company.
• Personnel Management – interacting with the Human Resources team to keep all staff members safe, as well as protecting the personal data of all staff members and business clients.
• Regulatory Compliance – working to make sure that all regulatory rules are followed.
• Audit – keeping accurate records for presentation to auditors.
• Finance – making sure that critical financial records are properly and adequately protected.
• Board of Directors meetings – the ability to assure those at the highest levels of the organization that the corporation is protected.
• Thought leadership – the ability to predict, yet not overreact to every vulnerability.
• Policy development – interdepartmental cooperation to set effective policy with diplomacy.
• Mentoring – teaching and guiding team members.

How the CISSP Credential Can Help You Succeed

The knowledge required to be a successful inforamtion security professional is vast, and constantly expanding. Every day, new events reshape the security landscape, requireing a combination of experience and knowledge. When an organization needs subject matter expertise, they can rely on those who hold the CISSP designation for a wide breadth of knowledge and experience that is not limited to just information security. The CISSP is ideal for experienced security practitioners, managers and executives interested in proving their knowledge across a wide array of security practices and principles , including those in the following positions:

• Chief Information Security Officer
• Director of Security
• IT Director/Manager
• Security Manager

(ISC)² was the first information security certifying body to meet the requirements of the American National Standards Institute (ANSI) ISO/IEC Standard 17024 and the CISSP certification has met Department of Defense (DoD) Directive 8570.1

To discover more about CISSP read our whitepaper, Why it has never been more important to be a qualified cybersecurity professional .