What’s Next After CISSP?
Managers Manage while Executives Lead
EC-Council supports your continued leadership journey and that’s why we encourage you to pursue the CCISO after you finish the CISSP. After all, CCISO was created by an Advisory Board full of CISSPs who recognized the need for an executive-level training program to follow CISSP!
We cannot afford to just teach managerial skills to leaders who are responsible for protecting the valuable information of organizations or to just deep dive on technical skills without hands-on War Games that test a CISO’s ability to respond swiftly and effectively to cyber-attacks! Our program goes way beyond basic management and tech skills to teach a CISO about determining which projects to fund and which to push off to future years, what technology to replace, what roles to outsource, what training to send their staff to, etc.
Our goal is for you get the best leadership jobs in the market. Why? Because we cannot afford to rest on our past laurels and leave you to fend for yourself.
The CCISO or the CISSP?
Many people think they need to decide between pursuing the CCISO or the CISSP but this is really a false dichotomy. The programs are suited for people at different stages of their careers. The CISSP covers middle management skills, while the CCISO teaches executive cybersecurity leadership skills. This is why you should consider taking a CCISO after your CISSP certification.
Moreover, a major difference between these two programs is the hands-on element that CCISO has incorporated into the training program, called War Games. War Games test a CISO’s ability to handle a cyberattack effectively and help to develop essential muscle memory to address crises. CISOs need to think and act fast to develop a commensurate response to breaches and other cyber incidents. War games in the cyber world were inspired by national defense approaches and tactics. They are used by executives all the time to test the readiness of their staff and programs.
The exercises in the CCISO class prepare students for handling real-world scenarios as well as allow them to apply what they just learned while still in class in order to cement the new concepts. The exercises take place toward the end of the class week as they build on the material in the class and CCISO Body of Knowledge. The class is split up into teams and during the games, each team must create an incident response plan based on the scenario chosen by the instructor. The response plans are evaluated by the instructor based on the communications approach, decision making effectiveness, cyberattack containment, data breach stakeholder notification, as well as other criteria. The class also responds to each plan presented, and they are encouraged to point out deficiencies and areas for improvement.
CISSP for Cybersecurity Managers
While the CISSP helps create a strong foundation for successful managers and even allows you to specialize in areas important to your current job or future goals. Depending on how you’d like to further your career, you can choose one of the three courses of CISSP concentration, which are engineering, architecture, and management. This choice will largely depend on your job description and career goals. There are lots of cybersecurity management certifications to further specialize your training, including the CSA certification for cloud security, or Lead Auditor, ISO 27001, or ISACA CISA, among others for auditing.
What’s Better, CISM or CISSP?
The CISM Certification concentrates on management and approach and only slightly touches on technical subjects. The CISSP certification by contrast is both technical and managerial and digs deeper into both of these areas. Created by (ISC)2, the CISSP certification has been the leading training program for and validation of IT security management skills since its inception in 1994. In the late 1980s to early 1990s, CISSP created baselines for managing an information security program at a time when the highest-ranking person responsible for security was the organization’s security manager.
Is CISSP a Good Cert?
Knowledge of the CISSP domains helps create a solid foundation for your cybersecurity leadership journey. For business-oriented security professionals, it is best to first go for a CISSP, before considering other leading certifications such as Certified Chief Information security officer (CCISO), Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA), Risk and Information Systems Control Certification (RISCC), or CompTIA Advanced Security Practitioner (CASP).
How Long is CISSP Valid?
Your CISSP certification is valid for a period of three years. CISSP holders revalidate their (ISC)2 certification by presenting CPE credits and paying the yearly membership fee.
Why take the CCISO after CISSP?
Executives need to understand how to manage the budget of their programs in a strategic way because no one ever has enough money to fund all the projects they need or want. How a CISO goes about determining which projects to fund and which to push off to future years, what technology to replace, what roles to outsource, what training to send their staff to, etc. are some of the most important parts of a CISO’s job. CISSP did not serve this need. That’s why, back in 2011, EC-Council launched the CCISO program.
EC-Council, known for its Certified Ethical Hacker (CEH) program, launched CCISO with the intent of helping their members bridge the gap between middle management and executive management. Many EC-Council members, like most security professionals, had gone on from technical programs to earn the CISSP but felt they needed something to help them get to the next step in their careers. That is how CCISO began – as a way to support an underserved sector of the market: executive cybersecurity management.
By CISOs, for CISOs, after CISSP
The CCISO was built by groups of CISOs invited to form the advisory board, exam writing committee, and to write different sections of the CCISO BOK. These CISO advisors were interested in creating something that went beyond the CISSP to teach the skills truly needed to be an executive leader in information security. They debated and discussed via a long process and eventually determined there should be five domains to the program:
1. Governance and Risk Management
2. Information Security Controls, Compliance, and Audit Management
3. Security Program Management & Operations
4. Information Security Core Competencies
5. Strategic Planning, Finance, Procurement, and Vendor Management
Comparing the domains, we see that while the first domains of each program line up more or less, domain 5 of the CCISO program is not part of the CISSP program at all. While some of the same concepts are covered in each program, the CCISO program covers them from the perspective of executive management, so while it is interesting to compare the subject matter, it’s important to remember that the CCISO covering these topics differently from CISSP.
The following is an illustration of how several CISSP domains constitute a part of the CCISO program.
|CISSP Domain||CCISO Domain|
|1. Security and Risk Management||Governance and Risk Management|
|2. Asset Security||Governance and Risk Management|
|3. Security Architecture and Engineering||Security Program Management & Operations|
|4. Communications and Network Security||Information Security Core Competencies|
|5. Identity and Access Management||Information Security Core Competencies|
|6. Security Assessment and Testing||Governance and Risk Management|
|7. Security Operations||Security Program Management & Operations|
|8. Software Development Security||Information Security Core Competencies|
Packed with more, much more
In its 2020 version, the live CCISO training program comes with two other training programs: Risk Management Approach and Practice and Certified Project Manager in order to give students deep dives into risk and project management. The Program also includes an annual standing invitation to the Global CISO Forum, EC-Council’s executive conference, to help CISOs boost their networks; a free OhPhish license that enables CCISO to run a phishing simulation to test their company’s user awareness; and a 100-user license of EC-Council’s Certified Secure Computer User class to train end-users. CCISOs can tailor their OhPhish campaign to match their industry, company, and more to find out where the weak links are. EC-Council’s philosophy is they need to both train the CISOs as well as give them the resources to create the best security programs possible.