The COO of non-profit IT security training and certification body (ISC)² Wesley Simpson sat down with Security Advisor ME during his most recent trip to Dubai, to discuss the importance of continuous education for cybersecurity professionals in the era of a dynamic threat landscape.
Can you please give us a brief background of (ISC)²?
International Information System Security Certification Consortium or (ISC)², is the global, non-profit body focused on educating and certifying cyber, information, software and infrastructure security professionals. We have been in the market for over 25 years and are recognised for Gold Standard certifications and education programmes.
(ISC)²’s certifications are among the first information technology credentials to meet the stringent requirements of ISO/IEC Standard 17024, which is a global benchmark for assessing and certifying personnel. We also offer education programmes and services based on its CBK, a compendium of information and software security topics.
We have a growing presence across the Middle East and Africa region as part of our remit in the EMEA region. We have about over 120,000 members in 160 countries worldwide, and we have about 2,000 members in the Middle East alone.
Our members come from across a variety of verticals. We have ten different certifications or credentials that we offer across a variety of verticals from IT, healthcare, oil and gas, and so on.
How has the cybersecurity profession evolved over the years?
The cybersecurity profession is relatively new and the journey for CISOs is not over yet.
The security landscape has changed a lot and is continuously evolving every day. This is because of the threats looming around the industry. What’s more is that cybersecurity is constantly transforming due to the increased awareness and education being spread across the industry.
The thing about cybersecurity is that it is industry agnostic – it affects everybody. That’s why we don’t just target one specific area, we seek to enable current and potential ISC members regardless of what industry they are in.
How important is getting certified for a cybersecurity professional and at the same time if they are an (ISC)² certified member what advantages will that entail?
At (ISC)² what we always say is, “certification is just the start of the quest.” What that means is, once you pass the programme and become a CISSP, we don’t forget about you. As an organisation, we want to inspire a safe and secure cyber world. That’s why we are creating an environment of life-long learning for our members. We want them to be the gold standard in the industry. We want companies to pursue our members, not just because of the certificates and titles that they have but because they know that these are professionals who have achieved a high level of expertise in their respective fields.
In general, as a professional in the security space, you can never stop learning. Education and innovation have to be a continuous process. Just like the threat actors out there are constantly changing their tactics, so should you to be able to stay ahead of them. I believe the role of certifying bodies like ourselves is to help people in the industry to grow more as professionals and expand their knowledge of the evolving industry.
A big issue in the industry today is the shortage of talent and skills within the security landscape. As an entity that’s focused on training cybersecurity professionals, what are you doing to address this issue?
This is a global issue. In fact, according to one of the studies that we have conducted titled, Global Information Security Workforce Study, we have estimated that there will be a shortage of around 1.5 to 2 million IT security applicants by 2020.
On our part, what we are doing to address this issue goes back to spreading awareness. We are constantly finding ways to help organisations attract and retain talents in this field.
First, we are looking at academia. We aim to spread awareness at the early stages and promote the cybersecurity profession to educational entities. And, if possible, we are looking at ways we can introduce cybersecurity as part of school programmes and curriculum.
Then, once they start getting into the business, leaders and managers within an organisation should look across their departments and create a security-minded culture. Everybody needs to have that mind-set and there should be constant education and awareness on the importance of cyber security.
What are (ISC)²’s objectives over the year?
Our primary objectives are, of course, focused on moving the cybersecurity profession forward. It’s also centred on promoting and supporting our members to make them be the best technical professionals that they can be.
We aim to do this by continuing to host programmes and events that will further enable collaboration between our members across the world. Cybersecurity issues are not something that (ISC)² alone can address; it will take efforts from all of us in the community to talk, collaborate and share our expertise to solve various issues in this space.
Between the people, process and technology elements of making IT security work – people is the most important factor. The other two components won’t really work unless you have the right people in place. Having said that, another main objective that we have is finding the right partners in regions we have a presence in to help us further the cause.