What next after CISSP?
Created by (ISC)2, the CISSP certification has been the leading training program for and validation of IT security management skills since its inception all the way back in 1994. To date there are over 180,000 CISSPs around the world, and that number is growing all the time. It’s hard to overestimate the impact that CISSP had on the industry. The program came together at a time when security was getting serious as an industry about creating common definitions, strategies, best practices, and a whole host of areas that were somewhat ad hoc up until that time. The program proved to be invaluable to the industry and is one of the major reasons the security industry has made progress over the last decades. EC-Council has a lot of respect for the CISSP certification.
The CISSP is focused on its eight security domains, which are:
- Security and Risk Management
- Asset Security
- Security Architecture and Engineering
- Communications and Network Security
- Identity and Access Management
- Security Assessment and Testing
- Security Operations
- Software Development Security
In the late 1980s to early 1990s, the CISSP Common Body of Knowledge (CBK) created baselines for managing an information security program at a time when the highest-ranking person at a company who was responsible for security was a manager. In many cases, there was no full-time person in charge of security and instead, security was a subset of the CIO’s job.
Today, we have the executive role of CISO, and executives have vastly different responsibilities and skills than a manager.
High-level executives need to understand how to manage the budget of their programs in a strategic way, because no one ever has enough money to fund all the projects they need or want. How a CISO goes about determining which projects to fund and which to push off to future years, what technology to replace, what roles to outsource, what training to send their staff to, etc. are some of the most important parts of a CISO’s job.
While the CISSP covers many areas important to the role of an executive, until recently, there wasn’t anything on the market that covered these areas from an executive perspective instead of one focused on middle management.
In 2011, EC-Council launched the Certified CISO (CCISO) program.
The CCISO was created with the intent of helping professionals bridge the gap between middle management and executive management, making it the natural next step after the CISSP.
The CCISO was built by groups of CISOs recruited to form the advisory board, exam writing committee, and to write different sections of the CCISO Body of Knowledge (BOK). These CISO advisors were interested in creating something that went beyond the CISSP to teach the skills truly needed to be an executive leader in information security. They debated and discussed via a long process and eventually determined there should be five domains to the program:
- Governance and Risk Management
- Information Security Controls, Compliance, and Audit Management
- Security Program Management & Operations
- Information Security Core Competencies
- Strategic Planning, Finance, Procurement, and Vendor Management
The CCISO was designed from the beginning as a next step from CISSP. Almost all the founding members of the CCISO advisory board held the CISSP credential and none had any interest in reinventing what CISSP had already accomplished.
The domains were selected to complement and build upon the CISSP program to help create executives from middle managers.
While the programs should not be compared directly as they are truly complementary in nature, should you choose to compare them anyway, you will see that while the first domain of each program line up more or less, domain 5 of the CCISO program is not part of the CISSP program at all.
| Domains covered under CISSP | Covered in a CCISO Class under the domain |
| Security and Risk Management | Governance and Risk Management |
| Asset Security | Governance and Risk Management |
| Security Architecture and Engineering | Security Program Management & Operations |
| Communications and Network Security | Information Security Core Competencies |
| Identity and Access Management | Information Security Core Competencies |
| Security Assessment and Testing | Governance and Risk Management |
| Security Operations | Security Program Management & Operations |
| Software Development Security | Information Security Core Competencies |
| Domain covered in the CCISO Program | Domains covered in the CISSP Program |
| Governance and Risk Management | Security and Risk Management (partial coverage) |
| Information Security Controls, Compliance, and Audit Management | Security Architecture and Engineering (partial coverage) and Security and Risk Management (partial coverage) |
| Security Program Management & Operations | Security Operations |
| Information Security Core Competencies | Software Development Security, Identity and Access Management, Communications and Network Security |
| Strategic Planning, Finance, Procurement, and Vendor Management | none |
Hands-On Learning for Future Cyber Leaders
Another difference between the programs is the hands-on element that CCISO has incorporated into the training program, called War Games.
War games test a CISO’s ability to effectively handle a cyberattack and help to develop essential muscle memory to address crisis situations.
CISOs need to think fast and act fast to respond to cyber incidents. War Games in the cyber world were inspired by national defense approaches and tactics and are used by executives all the time to test the readiness of their staff and programs. The exercises in the CCISO class prepare students for handling real-world scenarios as well as give them a way to apply what they just learned immediately to cement the new concepts. The exercises take place toward the end of the week of class as they build on the material in the class and BOK.
The War Games are run by CCISO instructors who are tasked with serving as the exercise facilitator, selecting from a number of templates for the best fit for their class, providing intermittent updates during war game, capturing team best practices, and encouraging the use of CCISO BOK by teams. Each team has to create an incident response plan based on the scenario chosen by the instructor. The response plans are evaluated by the instructor based on the communications approach, decision making effectiveness, cyberattack containment, data breach stakeholder notification, as well as other criteria. The class also responds to each plan presented, and they are encouraged to point out deficiencies and areas for improvement.
In 2020, EC-Council included with live CCISO training two other training programs: Risk Management Approach and Practice and Certified Project Manager. EC-Council has created an Executive Management Program that combines CCISO training with deep dives into risk and project management. The Program also includes an annual standing invitation to the Global CISO Forum, EC-Council’s executive conference, to help CISOs boost their networks; a free OhPhish license that enables CCISO to run a phishing simulation to test their company’s user awareness; and a 100-user license of EC-Council’s Certified Secure Computer User class to train end users. CCISOs can tailor their campaign to match their industry, company, or organization to find where the weak links are. They also receive a 100-user license of EC-Council’s Certified Secure Computer User class to train any users who need it. EC-Council’s philosophy is they need to both train the CISOs as well as give them the resources to create the best security programs possible.
