There is currently no pre-designed training path for CISOs. Instead, there are certifications designed to underpin the required professional competencies, and the range of choices is wide. A few of the most relevant certifications are presented briefly below.
CISO certifications help aspiring CISOs and CISOs in training to advance their careers; the same holds for the other areas and professional fields of IT security. Certifications are, however, only one part of a leader's skill set. Many of them require a certain number of years of professional experience in a particular field before a candidate qualifies for the course or exam. Certifications also play an important role in guiding and training the CISO's security teams. Some of the important certifications for prospective and experienced CISOs include:
CCISO (Certified Chief Information Security Officer)
The EC-Council's CCISO program was compiled by leading experts from the CCISO Advisory Board. It is aimed at already experienced individuals with extensive expertise and trains IT security executives at the highest level. Accordingly, only candidates who can demonstrate at least five years of experience in three of the five CCISO domains are admitted to the exam.
The CCISO program focuses not only on technical knowledge but also on applying IT security management principles from an executive perspective. Candidates who do not yet meet these requirements but are interested in IT security management methodologies can pursue the EC-Council Information Security Manager (EISM) certification instead.
CRISC (Certified in Risk and Information Systems Control)
The CRISC certification from ISACA (Information Systems Audit and Control Association) addresses IT professionals who want to further their education in IT risk management: typically CIOs, CISOs, business analysts, project managers, and IT professionals working in risk management, control and audit, and compliance. As a prerequisite, candidates must already have at least three years of proven experience in IT risk management and information systems control.
The required work experience must have been acquired within the ten years preceding registration for the CRISC exam or within five years of passing the exam. The CRISC program covers the identification, assessment, response to and monitoring of IT risk. Participants also learn how to design controls for an information system and how to implement and maintain them.
CISSP (Certified Information Systems Security Professional)
The CISSP certification was developed by the International Information Systems Security Certification Consortium, (ISC)2, and demonstrates both theoretical knowledge and practical experience in IT security. The CISSP program is reserved for experienced IT security professionals: as a prerequisite, candidates need at least five years of cumulative work experience in two or more of the eight CISSP domains. After earning the (ISC)2 CISSP, candidates may pursue additional certifications such as CSA, ISACA CISA or SSP.
CISA (Certified Information Systems Auditor)
The CISA certification is awarded by ISACA and is aimed at IT professionals working mainly in governance and auditing. Typical occupations of CISA-certified professionals include information security or IT auditors, audit managers, non-IT auditors and related consultants. CISA demonstrates that the holder has the knowledge, experience and skills needed to audit and assess an enterprise's information systems, to identify vulnerabilities and control weaknesses, and to evaluate the technical protection measures in place.
To qualify, candidates must have at least five years of professional experience in auditing, controlling, and securing information systems. Part of this experience may be waived upon submission of adequate education and training. Candidates who wish to prepare for the CISA exam may take CISA preparation courses or online training, or use ISACA's review manuals and study guides.
CEH (Certified Ethical Hacker)
In the EC-Council's CEH course, participants learn how attackers exploit weak defenses and how companies can protect themselves against these attacks. The course program covers, for example, defenses against Trojans, SQL injection, MAC and DHCP attacks, and DDoS attacks. To sit for the CEH exam without attending the official training, candidates need at least two years of experience in IT security. Follow-on certifications such as CHFI or ECSA are recommended.
CISM (Certified Information Security Manager)
The CISM certification from ISACA primarily addresses IT security managers who are responsible for assessing, designing, managing, and monitoring an information security program. CISM differs from CISSP in that CISSP focuses on the operational and technical aspects of security, while CISM focuses on security strategy and its relationship to business objectives. Candidates are expected to have sound knowledge of the main security technologies on the market and their implementation; ISACA additionally requires five years of information security work experience, at least three of them in information security management, before certification is granted.