At ISC2 Secure Congress, members had the opportunity to ask the leadership team questions and get an update on what’s happening and what’s planned for the organization.
At the heart of the recent ISC2 Security Congress event was the Town Hall session. We recap the announcements, the questions from members and the responses from ISC2 leaders on membership, certifications, workforce trends, current issues, and the challenges facing the cybersecurity profession. You can watch the whole session, which includes an introduction to some of our 2023 GAA winners, here.
Congress 2024
Town Hall kicked off with the announcement of the location for Security Congress 2024. We will be returning to Caesar’s Palace in Las Vegas for the event, which will take place from October 14-16, 2024. You can register your interest here to receive more information and updates. It was also revealed that Congress will be returning to Nashville in 2025.
Answering ISC2 Member Questions
Following the Congress announcement, ISC2 CEO Clar Rosso invited the rest of the panel to participate. Rosso was joined by:
- Jill Slay, CISSP, Chair, Compensation/CEO Succession Committee Chair, ISC2 Board of Directors
- Jon France, CISSP, Chief Information Security Officer, ISC2
- James Packer, CISSP, CCSP, Vice Chair, Business Practices Committee Chair, Nominations Committee Chair, ISC2 Board of Directors
Members were able to submit questions to the panel using the ISC2 Security Congress app.
After a fun opening question about how everyone was getting on with saying ISC2 instead of (ISC)² following the branding update, the panel was asked about AI security and what they see as the biggest opportunities for artificial intelligence (AI) to address the most pressing issues we face in cybersecurity.
AI and Cybersecurity
Jon France made the point that AI has already impacted all of us. He added that because of that “as a profession, we have a golden opportunity to execute on it, using it to ensure a safe and secure cyber world, and for businesses to use it in a risk managed and beneficial.”
Members raised concern about how those charged with regulating AI often lack the skills and knowledge needed to be effective, and asked what was being done to educate those responsible for developing regulations at this early stage. France explained that ISC2 is engaging closely with government agencies around the world as part of its advocacy activities to help inform. “We would welcome harmonized regulations, where those regulations make sense,” France added. James Packer added that “regulation being slow is not unique to the AI issue. This is something we are constantly playing catch-up on. Clearly regulation is helpful in providing some guidelines. But it is the members and professionals who are out there engaging with technology firms and expressing their concerns that are going to ultimately plug the gap of regulation being slow in providing guidelines on managing risk.”
This is precisely why we developed our advocacy program, so that we could help educate regulators. Rosso explained: “Last fall, when we met with the SEC about what it was proposing at the time around reporting and the requirement for cyber competency on boards, not only did we go to the meeting, but we also took expert members who could share first-hand experience of what it’s like in the early days of responding to an incident.”
Asked about where AI fits in with certifications, ISC2 Chair Jill Slay commented that “the CSSLP is quite useable for the security of some aspects of AI, particularly in relation to generative AI. If we are thinking about machine learning for hardware and software, surely that is another use case for the CISSP certification. However, there are going to be privacy, data and regulatory issues which will need to be explored. ISC2 will be examining that in the next year.”
CPE Opportunities
Rosso responded to a question about earning CPE credits from reading member magazine content. She explained that while we moved away from a magazine format to a new web-based platform at www.isc2.org/insights at the beginning of 2023, members can still earn CPE credits from reading that content via the bi-monthly quiz. Rosso also reminded members that reading content is not the only way they can accumulate CPE credits. These can be earned from a variety of activities including writing content for ISC2 to publish, watching webinars, attending events, volunteering and much more. You can visit the CPE Opportunities page for more information on how to earn CPE credits.
How We Develop Certifications
Dr. Casey Marks, ISC2’s chief qualifications officer, responded to a member question asking what the organization was doing to maintain the integrity of its qualifications. He said: “It isn’t just what we do, it’s what you [as members] all do. The very first step is for members, by members. It’s about what you are doing in practice, what your colleagues are doing, the frequency and importance of the daily activities. The knowledge, skills and abilities, along with the wherewithal to deploy it effectively, efficiently and ethically. That’s the basis from where we start all our exam development.”
Marks added that we conduct job task analysis for each certification every three years, open to all holders of the certification. We are also implementing an intra-cycle survey to look at emerging topics and technologies.
Ethics is already a component that underpins our current certifications and domains. Ethical deployment is part of that. Each certification exam now has items within each domain covering ethical deployment.
Marks concluded that we are always looking for volunteers to support exam development and encouraged members to visit the web site to know more.
A follow-up question asked how ISC2 compares with other certification providers. Alongside reminding everyone that he has just been the custodian of the qualifications for the last eight years and that others will follow, Marks noted: “You [our members] have helped create certification programs that are world class. You have also put ethical and effective usage of technologies first. This has ensured that we have been a leader in this industry. Whether it’s the security of our exam development, inclusiveness of our volunteers, exam delivery and the security thereof, we have the most stringent measures and robust posture of any certification program provider in this space.”
The Role of Entry-Level Certification
A question was asked about the One Million Certified in Cybersecurity program and its commercial implications for ISC2. Rosso explained that the program, which offers free courseware and an exam to a million eligible people, represents a significant investment to deliver, making it one of the largest certification investments that ISC2 and its partners have made. Rosso added that alongside the free materials and exams, those passing the CC exam qualify for a lower AMF, if they choose to take up membership, representing another significant long-term financial investment in entry-level certification and in the people pursuing foundational careers and skills.
Why Does ISC2 Not Reveal Pass Scores?
It’s a question that comes up often, and Casey Marks explained that for those who don’t pass, we provide relative performance data, which shows how close or how far away they were from the passing standard in each of the domains. Point scores [overall pass/fail] offer less accuracy and relevance for the candidate than relative performance. Also, the majority of the exams taken each year are English CISSP exams using Computer Adaptive Testing (CAT), which is designed to exceed a single passing standard. Everyone who passes effectively gets close to the same score as the CAT exam is designed to terminate at that passing point.
This was followed with a question about the revisions to the concentrations pathway. Marks explained that they have actually always been independent credentials, even with the previous CISSP pathway. Following reviews of the requirements for the exam, the prerequisites, the JTAs etc., ISC2 made a determination that seven years of experience within a requisite number of domains would represent a successful alternative pathway towards a concentration in addition to the route for those who already have a CISSP.
Space and Cybersecurity
Responding to a question about the intersection of space and cybersecurity, Slay explained the increasingly important role of cybersecurity, particularly in so-called ‘Space Two’ activities – low Earth orbit (LEO) satellite and vehicle launches, often driven by commercial entities rather than government space agencies. “I have taken three years to study this, but I have found there are no actual technical standards on satellite system cybersecurity. NIST has recently come up with some standards on satellite security, and [my university is] working on an IEEE standard in satellite cybersecurity. In the meantime, existing LEO launches are creating a grey zone for cyber warfare.”
Slay added that she views satellite/space cybersecurity as a new emerging domain for professionals to consider.
Cybersecurity in 5-10 Years
Finally, the panel was challenged to provide some industry predictions for the next five to 10 years. France was first to offer up that predicting that far forward is always a challenge, but that he sees two emerging technologies that will be disruptive for cybersecurity in that time – AI and quantum computing. He highlighted some of the NIST competitions on post-quantum cryptography and secure algorithms, and how the evolution of these poses risks and challenges for legacy code, namely insecure algorithms. The adoption of AI into organizations will, France suggests, represent a systemic technology shift.
Packer followed up with his observation that there are still too many organizations out there that do not recognize the need and value of cybersecurity and cybersecurity professionals. Too many think they are too small, too insignificant, in the wrong geography etc. for cybersecurity to be a concern. He predicts that is finally going to change for the better in the coming period. There is going to be a situation where every organization around the world has some kind of investment in cybersecurity people, service, tools and technology, be it on premise or shared services. Packer also predicted a change in security culture in society. “Those who are familiar with the impact of cybercrime and financial fraud, they know all too well that this needs to be taken seriously, yet there is still a degree of complacency.” Packer pointed to the role that education can play in rehabilitating criminals over punishment, using speed awareness courses as an example. A similar approach has been used in several European countries for responding to low-level cybercrime.
To conclude, Slay pointed to an increasing overlap between cybersecurity and engineering as a result of several emerging technologies. She also highlighted the increasing role of risk management, pointing out that those managing risk will be increasingly important in the face of more emerging, immature technologies around the likes of AI. Slay also called for a greater focus on the symbiotic link between compulsory education and professional development such as certification to ensure the right people, with the right skills and qualifications, are ultimately undertaking the right role.
- ISC2 Security Congress took place October 25-27 2023 in Nashville, TN and virtually. On-demand replays of the sessions are available now.
- ISC2 SECURE Washington, DC takes place in-person on December 1, 2023 at the Ronald Reagan Building and International Trade Center. The agenda and registration details are here.
- ISC2 SECURE Asia Pacific takes place in-person on December 6-7, 2023 at the Marina Bay Sands Convention Centre in Singapore. Find out more and register here.
- Register your interest in ISC2 Security Congress 2024 in Las Vegas here.