At ISC2 Secure Congress, members had the opportunity to ask the leadership team questions and get an update on what’s happening and what’s planned for the organization.
At the heart of the recent ISC2 Security Congress event was the Town Hall session. We recap the announcements, the questions from members and the responses from ISC2 leaders on membership, certifications, workforce trends, current issues, and the challenges facing the cybersecurity profession. You can watch the whole session, which includes an introduction to some of our 2023 GAA winners, here .
Town Hall kicked off with the announcement of the location for Security Congress 2024. We will be returning to Caesar’s Palace in Las Vegas for the event, which will take place from October 14-16 2024. You can register your interest here to receive more information and updates. It was also revealed that Congress will be returning to Nashville in 2025.
Answering ISC2 Member Questions
Following the Congress announcement, ISC2 CEO Clar Rosso invited the rest of the panel to participate. Rosso was joined by:
- Jill Slay, CISSP, Chair, Compensation/CEO Succession Committee Chair, ISC2 Board of Directors
- Jon France, CISSP, Chief Information Security Officer, ISC2
- James Packer, CISSP, CCSP, Vice Chair, Business Practices Committee Chair, Nominations Committee Chair, ISC2 Board of Directors
Members were able to submit questions to the panel using the ISC2 Security Congress app.
After a fun opening question about how everyone was getting on with saying ISC2 instead of (ISC) 2 following the branding update, the panel was asked about AI security and what they see as the biggest opportunities for artificial intelligence (AI) to address the most pressing issues we face in cybersecurity.
AI and Cybersecurity
Jon France made the point that AI has already impacted all of us. He added that because of that “as a profession, we have a golden opportunity to execute on it, using it to ensure a safe and secure cyber world, and for businesses to use it in a risk managed and beneficial.”
Members raised concern about how those charged with regulating AI often lack the skills and knowledge needed to be effective, and asked what was being down to educate those responsible for developing regulations at this early stage. France explained that ISC2 is engaging closely with government agencies around the world as part of its advocacy activities to help inform. “We would welcome harmonized regulations, where those regulations make sense,” France added. James Packer added that “regulation being slow is not unique to the AI issue. This is something we are constantly playing catch-up on. Clearly regulation is helpful in providing some guidelines. But it is the members and professionals who are out there engaging with technology firms and expressing their concerns that are going to ultimately plug the gap of regulation being slow in providing guidelines on managing risk.”
This is precisely why we developed our advocacy program, so that we could help educate regulators. Rosso explained: “Last fall, when we met with the SEC about what it was proposing at the time around reporting and the requirement for cyber competency on boards, not only did we go to the meeting, but we also took expert members who could share first-hand experience of what it’s like in the early days of responding to an incident.”
Asked about where AI fits in with certifications, ISC2 Chair Jill Slay commented that “the CSSLP is quite useable for the security of some aspects of AI, particularly in relation to generative AI. If we are thinking about machine learning for hardware and software, surely that is another use case for the CISSP certification. However, there are going to be privacy, data and regulatory issues which will need to be explored. ISC2 will be examining that in the next year.”
Rosso responded to a question about earning CPE credits from reading member magazine content. She explained that while we moved away from a magazine format to a new web-based platform at www.isc2.org/insights at the beginning of 2023, members can still earn CPE credits from reading that content via the bi-monthly quiz . Rosso also reminded members that reading content is not the only way they can accumulate CPE credits. These can be earned from a variety of activities including writing content for ISC2 to publish, watching webinars, attending events, volunteering and much more. You can visit the CPE Opportunities page for more information on how to earn CPE credits.
How We Develop Certifications
Dr. Casey Marks, ISC2’s chief qualifications officer, responded to a member question asking what the organization was doing to maintain the integrity of its qualifications. He said: “It isn’t just what we do, it’s what you [as members] all do. The very first step is for members, by members. It’s about what you are doing in practice, what your colleagues are doing, the frequency and importance of the daily activities. The knowledge, skills and abilities, along with the wherewithal to deploy it effectively, efficiently and ethically. That’s the basis from where we start all our exam development.”
Marks added that we conduct job task analysis for each certification every three years, open to all holders of the certification. We are also implementing an intra-cycle survey to look at emerging topics and technologies.
Ethics is already a component that underpins our current certifications and domains. Ethical deployment is part of that. Each certification exam now has items within each domain covering ethical deployment.
Marks concluded that we are always looking for volunteers to support exam development and encouraged members to visit the web site to know more .
A follow-up question asked how ISC2 compares with other certification providers. Alongside reminding everyone that he has just been the custodian of the qualifications for the last eight years and that others will follow, Marks noted: “You [our members] have helped create certification programs that are world class. You have also put ethical and effective usage of technologies first. This has ensured that we have been a leader in this industry. Whether it’s the security of our exam development, inclusiveness of our volunteers, exam delivery and the security thereof, we have the most stringent measures and robust posture of any certification program provider in this space.”
The Role of Entry-Level Certification
A question was asked about the One Million Certified in Cybersecurity program and its commercial implications for ISC2. Rosso explained that the program, which offers free courseware and an exam to a million eligible people, represents a significant investment to deliver, making it one of the largest certification investments that ISC2 and its partners have made. Rosso added that alongside the free materials and exams, those passing the CC exam qualify for a lower AMF, if they choose to take up membership, representing another significant long-term financial investment in entry-level certification and in the people pursuing foundational careers and skills.
Why Does ISC2 Not Reveal Pass Scores?
It’s a question that comes up often, and Casey Marks explained that for those who don’t pass, we provide relative performance data, which shows how close or how far away they were from the passing standard in each of the domains. Point scores [overall pass/fail] offer less accuracy and relevance for the candidate than relative performance. Also, as the majority of the exams taken each year are English CISSP exams using Computer Adaptive Testing (CAT), which is designed to exceed a single passing standard. Everyone who passes effectively gets close to the same score as the CAT exam is designed to terminate at that passing point.
This was followed with a question about the revisions to the concentrations pathway . Marks explained that they have actually always been independent credentials, even with the previous CISSP pathway. Following reviews of the requirements for the exam, the prerequisites, the JTAs etc. and made a determination that seven years of experience within a requisite number of domains would represent a successful alternative pathway towards a concentration in addition to the route for those who already have a CISSP.
Space and Cybersecurity
Responding to a question about the intersection of space and cybersecurity, Slay explained about the increasingly important role of cybersecurity, particularly in so-called ‘Space Two’ activities – low Earth orbit (LEO) satellite and vehicle launches, often driven by commercial entities rather than government space agencies. “I have taken three years to study this, but I have found there are no actual technical standards on satellite system cybersecurity. NIST has recently come up with some standards on satellite security, and [my university is] working on an IEEE standard in satellite cybersecurity. In the meantime, existing LEO launches are creating a grey zone for cyber warfare.”
Slay added that she views satellite/space cybersecurity as a new emerging domain for professionals to consider.
Cybersecurity in 5-10 Years
Finally, the panel was challenged to provide some industry predictions for the next five to 10 years. France was first to offer up that predicting that far forward is always a challenge, but that he sees two emerging technologies that will be disruptive for cybersecurity in that time – AI and quantum computing. Highlighting some of the NIST competitions post quantum cryptography and secure algorithms, and how the evolution of these pose risks and challenges for legacy code, namely insecure algorithms. The adoption of AI into organizations will, France suggests, represent a systemic technology shift.
Packer followed up with his observation that there are still too many organizations out there that do not recognize the need and value of cybersecurity and cybersecurity professionals. Too many think they are too small, too insignificant, in the wrong geography etc. for cybersecurity to be a concern. He predicts that is finally going to change for the better in the coming period. There is going to be a situation where every organization around the world has some kind of investment in cybersecurity people, service, tools and technology, be it on premise or shared services. Packer also predicted a change in security culture in society. “Those who are familiar with the impact of cybercrime and financial fraud, they know all too well that this needs to be taken seriously, yet there is still a degree of complacency.” Packer pointed to the role that education can play in rehabilitating criminals over punishment, using speed awareness courses as an example. A similar approach has been used in several European countries for responding to low-level cybercrime.
To conclude, Slay pointed to an increasing overlap between cybersecurity and engineering as a result of several emerging technologies. She also highlighted the increasing role of risk management, pointing out that those managing risk will be increasingly important in the face of more emerging, immature technologies around the likes of AI. Slay also called for a greater focus on the symbiotic link between compulsory education and professional development such as certification to ensure the right people, with the right skills and qualifications, are ultimately undertaking the right role.
- ISC2 Security Congress took place October 25-27 2023 in Nashville, TN and virtually. On-demand replays of the sessions are available now.
- ISC2 SECURE Washington, DC takes place in-person on December 1, 2023 at the Ronald Reagan Building and International Trade Center. The agenda and registration details are here.
- ISC2 SECURE Asia Pacific takes place in-person on December 6-7, 2023 at the Marina Bay Sands Convention Centre in Singapore. Find out more and register here.
- Register you interest in ISC2 Security Congress 2024 in Las Vegas here.