Chapter 2
Putting Your Certification to Good Use
IN THIS CHAPTER
Staying active as an (ISC)2 member
Discovering the joy of giving back
Working with others in your local security community
Getting the word out about CISSP certification
Bringing about change in your organization
Advancing your career with other certifications
Finding a mentor and being a mentor
Achieving security excellence
Although this book is devoted to helping you earn your CISSP certification, we thought it would be a good idea to include a few things you might consider doing after you’ve earned your CISSP. If you’re still exploring the CISSP certification, the information in this chapter will help you better understand many of the benefits of being a CISSP, including your role in helping others.
So what do you do after you earn your CISSP? You can do plenty of things to enhance your professional career and the global community. Here are just a few ideas!
Networking with Other Security Professionals
Unless you work for a large organization, there probably aren’t many other information security (infosec) professionals in your organization. You may be the only one! Yes, it can feel lonely at times, so we suggest that you find ways to make connections with infosec professionals in your area and beyond. Many of the activities described in this chapter provide networking opportunities. If you haven’t been much of a social butterfly before, and your professional network is somewhat limited, get ready to take your career to a whole new level as you meet like-minded security professionals and potentially build lifelong friendships.
It’s not what you know, but who you know. (Well, what you know matters too!)
If you’re just getting started in your infosec career (regardless of your age or other career experience), you’ll likely meet other infosec professionals that have at some point in their careers been in your shoes, who will be happy to help you find answers and solutions to some of those elusive questions and challenges that may be perplexing you. You may find that you’re initially doing more taking than giving, but make sure that you’re at least showing your appreciation and gratitude for their help — and remember to give back later in your career when someone new to infosec asks to pick your brain for some helpful insight.
As you venture out in search of other infosec professionals, put your smile on, and bring plenty of business cards. (Print your own if your employer doesn’t provide any.) You’re sure to make new friends and experience growth in the security business that may delight you.
Being an Active (ISC)2 Member
Being an active (ISC)2 member is easy! Besides volunteering (see the following section), you can participate in several other activities, including the following:
- Attend the (ISC)2 Congress. For years, (ISC)2 rode the coattails of ASIS (formerly the American Society for Industrial Security; we blame Kentucky Fried Chicken for becoming KFC and starting the trend of businesses and organizations dropping the original meaning behind their acronyms!) and occupied a corner of the ASIS annual conference. But in 2016, (ISC)2 decided that it was time to strike out on its own and run its own conference. In 2017, one of your authors (first name starts with P) attended and spoke at the very first stand-alone (ISC)2 Congress and found it to be a first-class affair every bit as good as those other great national and global conferences. Find out about the next (ISC)2 Congress at https://congress.isc2.org.
- Vote in (ISC)2 elections. Every year, one-third of the (ISC)2 board of directors is elected to serve three-year terms. As a CISSP in good standing, you’ve earned the right to vote in the (ISC)2 elections. Exercise that right! The best part is becoming familiar with other CISSPs who run for board positions so you can select those who will best advance the (ISC)2 mission. You can read the candidates’ biographies and understand the agendas they’ll pursue if elected. With your vote, you’re doing your part to ensure that the future of (ISC)2 rests in good hands with directors who can provide capable leadership and vision.
- Attend (ISC)2 events. (ISC)2 conducts several in-person and virtual events each year, from networking receptions to conferences and educational events. (ISC)2 often holds gatherings at larger industry conferences such as RSA and BlackHat. Check the (ISC)2 website regularly to find out more about virtual events and live events in your area.
- Join an (ISC)2 chapter. (ISC)2 has more than 150 chapters in more than 50 countries. You can find out more at www.isc2.org/chapters. You have many great opportunities to get involved in local chapters, including chapter leadership, chapter activities, and community outreach projects. Chapter events are also great opportunities to meet other infosec professionals.
- Partake in free training. (ISC)2 offers lab-style courses, immersive courses, and express training at the Professional Development Institute that can help expand your horizons. Find out more at www.isc2.org/Development.
- Enjoy exclusive resources and discounts. (ISC)2 membership has many perks in the form of discounts and access to exclusive content and services. Find out more at www.isc2.org/Member-Resources/Exclusive-Benefits.
- Wear your digital badge proudly. You can set up your digital badges and use them on LinkedIn, business cards, blogs, and elsewhere. Best of all, they’re free. Learn more at https://credly.com.
It’s important for (ISC)2 to have your correct contact information. As soon as you become a CISSP (or even before), make sure that your profile is accurate and complete so that you’ll receive announcements about activities.
Considering (ISC)2 Volunteer Opportunities
(ISC)2 is much more than a certifying organization: It’s also a cause, and you might even say it’s a movement. It’s security professionals’ raison d’être, the reason we exist — professionally, anyway. As one of us, consider throwing your weight into the cause.
Volunteers have made (ISC)2 what it is today, and they make valuable contributions toward your certification. You can’t stand on the sidelines and watch others do the work. Use your talents to help those who’ll come after you. You can help in many ways. For information about volunteering, see the (ISC)2 Volunteering website (www.isc2.org/Membership/Volunteer-Grow).
Most sanctioned (ISC)2 volunteer activities are eligible for CPE credits. Check with (ISC)2 for details.
Writing certification exam questions
The state of technology, laws, standards, and practices within the CISSP Common Body of Knowledge (CBK) is continually changing and advancing. To be effective and relevant, CISSP exams need to have fresh new exam questions that reflect how security is done today. Therefore, people working in the industry — such as you — need to write new questions. If you’re interested in being a question writer, visit the (ISC)2 website to apply.
Speaking at events
(ISC)2 now holds more security-related events worldwide than it has at any other time in its history. More often than not, (ISC)2 speakers are local volunteers — experts in their professions who want to share with others what they know. If you have an area of expertise or a unique perspective on CISSP-related issues, consider educating others via a speaking engagement. For more information, visit the (ISC)2 website at www.isc2.org/Membership/Volunteer-Grow, and find the speaking opportunities that interest you.
If you speak at an (ISC)2 Congress, your conference fees are waived. You need to pay only for transportation, lodging, and meals.
Helping at (ISC)2 conferences
(ISC)2 puts on a fantastic annual conference called the (ISC)2 Congress. This conference is an excellent opportunity to learn new topics and meet other infosec professionals. But the conference doesn’t run itself; it’s powered by volunteers! Go to the (ISC)2 Congress website at https://congress.isc2.org to find information about volunteering.
Reading and contributing to (ISC)2 publications
(ISC)2 publishes quarterly online magazines called InfoSecurity Professional INSIGHTS and Cloud Security INSIGHTS that are associated with InfoSecurity Professional magazine. You can find out more at www.isc2.org/InfoSecurity-Professional/InfoSecurity-Professional-Insights.
The (ISC)2 Blog is a free online publication for all (ISC)2 members. Find the blog, as well as information about writing articles, at https://blog.isc2.org.
Supporting the (ISC)2 Center for Cyber Safety and Education
The Center for Cyber Safety and Education, formerly the (ISC)2 Foundation, is a not-for-profit charity formed by (ISC)2 in 2011. The center is a conduit through which security professionals can reach society and empower students, teachers, and the general public to secure their online lives through cybersecurity education and awareness programs in the community. The center was formed to meet those needs and expand altruistic programs, such as Safe and Secure Online, the Information Security Scholarship Program, and industry research (the center’s three core programs). Find out more at www.iamcybersafe.org.
Participating in bug-bounty programs
As an (ISC)2 member, you can earn CPE credits and contribute to a safer world by participating in Bugcrowd’s bug-bounty programs. You even have a chance to be honored in the organization’s hall of fame. Find out more at www.bugcrowd.com/customers/isc-2.
Participating in (ISC)2 focus groups
(ISC)2 has developed focus groups and quality-assurance testing opportunities. (ISC)2 is developing new services, and it needs to receive early feedback during the requirements and design phases of its projects. Participating in these groups and tests can influence future (ISC)2 services that will aid current and future certification holders. (ISC)2 doesn’t have a web page dedicated to this topic; you’ll be notified of opportunities by email.
Joining the (ISC)2 community
(ISC)2 has developed a new interactive community that’s full of discussion groups. With more than 16,000 members in the first year, the community is well designed and easy to use. The community has more resources than we can list here! You can sign up and join discussions at https://community.isc2.org.
Getting involved with a CISSP study group
Many communities have CISSP study groups that consist of volunteer mentors and instructors who help those who want to earn the certification.
If your community doesn’t have a CISSP study group, consider starting one. Many communities have them already, and the organizers can give you advice on starting your own. You can find out more from nearby (ISC)2 chapters and other local security groups, or visit https://community.isc2.org/t5/Study-Groups/ct-p/CertificationStudyGroups to find a group near you.
Helping others learn more about data security
In no way are we being vain or arrogant when we say that we (the writers of this book and you, the readers) know more about data security and safe Internet use than perhaps 99 percent of the general population, for two main reasons:
- Security is our profession.
- Security is not always easy to do.
A legion of volunteer opportunities is available to help others keep their computers (and mobile computing devices) secure and use the Internet safely. Here is a concise list of places where you can help:
- Service clubs
- Senior centers
- Schools (be sure to read about Safe and Secure Online earlier in this chapter)
- Alumni associations and groups
- Your place of employment
Using a little imagination, you can undoubtedly come up with additional opportunities. The world is hungry for the information you possess!
Becoming an Active Member of Your Local Security Chapter
In addition to (ISC)2, many security organizations worldwide have local chapters, perhaps in or near your community. Here’s a short list of some organizations that you may be interested in:
Local security groups provide excellent opportunities to find peers in other organizations and discover more about your profession. Many people find that the contacts they make as part of their involvement with local security organizations can be especially valuable when they’re looking for new career opportunities.
You certainly can find many more security organizations with local chapters beyond the ones we include in the preceding list. Ask your colleagues and others about security organizations and clubs in your community.
Many communities have local information security groups and clubs that are not affiliated with national or global organizations. Through word of mouth, you might find one of these groups located near you.
Spreading the Good Word about CISSP Certification
As popular as the CISSP certification is, some people still don’t know about it, and many who may have heard of it don’t understand what it’s all about. Tell people about your CISSP certification, and explain the certification process to your peers. Here are some facts that you can share with anyone and everyone you meet:
- The CISSP certification started in 1994.
- CISSP is the top-tier information security professional certification.
- More than 142,000 security professionals in more than 170 countries have the CISSP certification.
- CISSP was the first credential accredited by the ANSI (American National Standards Institute) to ISO (International Organization for Standardization) Standard 17024.
- The average CISSP salary is $131,030 (U.S.).
- The organization that manages the CISSP certification has other certifications for professionals who specialize in various fields of information security. The organization also promotes information security awareness through education programs and events.
Promote the fact that you’re certified. How can you promote it? After earning your CISSP, you can simply put the letters CISSP after your name on your business cards, stationery, email signature, résumé, blog, and website. While you’re at it, put the CISSP logo or your digital badge on there, too (and be sure to abide by any established terms of use).
Many other certifications available from (ISC)2 are described later in this chapter.
Leading by example
Like it or not, security professionals, particularly those with the CISSP certification, are role models for those around them. From a security perspective, whatever we do — along with how we do it — is viewed as the standard for correct behavior.
Being mindful of this fact, we need to conduct ourselves as though someone is looking — even if no one is — at everything we do.
Using Your CISSP Certification to Be an Agent of Change
As a certified security professional, you’re an agent of change in your organization: The state of threats and regulations is ever-changing, and you must respond by ensuring that your employer’s environment and policies continue to defend your employer’s assets against harm. Here are some of the essential principles for being a successful change agent:
- Identify and promote only essential changes.
- Promote only those changes that have a chance to succeed.
- Anticipate sources of resistance.
- Distinguish resistance from well-founded criticism.
- Involve all affected parties the right way.
- Don’t promise what you can’t deliver.
- Use sponsors, partners, and collaborators as co-agents of change.
- Change metrics and rewards to support the changing world.
- Provide training.
- Celebrate all successes.
Your job as a security professional doesn’t involve preaching; instead, you need to recognize opportunities for improvement and reduced risks to the business. Work within your organization’s structure to bring about change in the right way. That’s the best way to reduce security risks.
Earning Other Certifications
In business and technology, no one’s career stays in one place. You’re continuously growing and changing, and ever-changing technology also influences organizations and your role within them.
You shouldn’t consider your quest for certifications to be finished when you earn your CISSP — even if it is the highest-level information security certification out there! Security is a journey, and your CISSP certification isn’t the goal, but a (major) milestone along the way. CISSP should be part of your security lifestyle.
Other (ISC)2 certifications
(ISC)2 has several other certifications, including some that you may aspire to earn after (or instead of) receiving your CISSP. These certifications are
- Associate of (ISC)2: If you can pass the CISSP or SSCP certification exams but don’t yet possess the required professional experience, you can become an Associate of (ISC)2. Read about this option on the (ISC)2 website.
- CCSP (Certified Cloud Security Professional): This certification on cloud controls and security practices was co-developed by (ISC)2 and the Cloud Security Alliance.
- SSCP (Systems Security Certified Practitioner): This certification is for hands-on security techs and analysts. SSCP has had a reputation for being a “junior” CISSP certification, but don’t be fooled — it’s anything but that. SSCP is highly technical, more so than CISSP. For some people, SSCP may be a stepping stone to CISSP, but for others, it’s a great destination all its own.
- CSSLP (Certified Secure Software Lifecycle Professional): Designed for software development professionals, the CSSLP recognizes software development in which security is part of the software requirements, design, and testing so that the finished product has security designed and built in, rather than added afterward.
- HCISPP (HealthCare Information Security and Privacy Practitioner): Designed for information security in the healthcare industry, the HCISPP recognizes knowledge and experience related to healthcare data protection regulations and the protection of patient data.
- CAP (Certification and Accreditation Professional): Jointly developed by the U.S. Department of State’s Office of Information Assurance and (ISC)2, the CAP credential reflects the skills required to assess risk and establish security requirements for complex systems and environments.
CISSP concentrations
(ISC)2 has developed follow-on certifications (think accessories) that accompany your CISSP. (ISC)2 calls these certifications concentrations because they represent the three areas you may choose to specialize in:
- ISSAP (Information Systems Security Architecture Professional): Suited for technical systems security architects
- ISSEP (Information Systems Security Engineering Professional): Demonstrates competence for security engineers
- ISSMP (Information Systems Security Management Professional): About security management (of course!)
All the concentrations require that you first be a CISSP in good standing, and each has a separate exam. Read about these concentrations and their exams on the (ISC)2 website at www.isc2.org/Certifications/CISSP-Concentrations.
Non-(ISC)2 certifications
Organizations other than (ISC)2 have security-related certifications, one or more of which may be right for you. None of these certifications competes directly with CISSP, but some of them overlap with CISSP somewhat.
Nontechnical/nonvendor certifications
Many other certifications are not tied to specific hardware or software vendors. Some of the best include
- CISA (Certified Information Systems Auditor): Consider this certification if you work as an internal auditor or your organization is subject to one or more security regulations, such as Sarbanes-Oxley, HIPAA, GLBA, or PCI. ISACA manages this certification. Find out more about CISA at www.isaca.org/cisa.
- CISM (Certified Information Security Manager): You may want the CISM certification if you’re in security management; it is similar to (ISC)2’s Information Systems Security Management Professional (ISSMP) certification (which we talk about in the section “CISSP concentrations” earlier in this chapter). Like CISA, this certification is managed by ISACA. Read more about it at www.isaca.org/cism.
- CRISC (Certified in Risk and Information Systems Control): This certification concentrates on organization risk management, controls, and information security. Find out more at www.isaca.org/crisc.
- CGEIT (Certified in the Governance of Enterprise IT): Look into this certification if you want to demonstrate your skills and knowledge in the areas of IT management and governance. Effective security in an IT organization depends on governance, which involves the management and control of resources to meet long-term objectives. You can find out more about CGEIT at www.isaca.org/cgeit.
- CDPSE (Certified Data Privacy Solutions Engineer): This relatively new certification from ISACA is all about technical skills within the growing privacy profession. For more information, visit www.isaca.org/cdpse.
- CPP (Certified Protection Professional): Primarily a security management certification, CPP is managed by ASIS International. The CPP certification (www.asisonline.org/certification) designates people who have demonstrated competence in all areas constituting security management.
- PSP (Physical Security Professional): ASIS International also offers this certification, which caters to professionals whose primary responsibility focuses on threat surveys and the design of integrated security systems. Read more at www.asisonline.org/certification.
- CIPP (Certified Information Privacy Professional): The International Association of Privacy Professionals (IAPP) has this and other country-specific privacy certifications for security professionals with knowledge and experience in personal data protection. Find out more at https://iapp.org/certify/cipp (login required).
- CIPP/US (Certified Information Privacy Professional/U.S.): Privacy in the United States is growing fast, and IAPP has developed a U.S. version of the CIPP. Read more at https://iapp.org/certify/cippus.
- CIPP/C (Certified Information Privacy Professional/Canada): Privacy in Canada is growing in importance, so much that IAPP has a Canadian version of CIPP. Find out more at https://iapp.org/certify/cippc.
- CIPP/E (Certified Information Privacy Professional/Europe): Privacy in Europe is so important in our industry that the IAPP has developed a version of the CIPP especially for European privacy matters. See more at https://iapp.org/certify/cippe.
- CIPP/A (Certified Information Privacy Professional/Asia): IAPP has an Asia version of the CIPP certification that focuses on privacy laws and practices in Asian countries. Find out more at https://iapp.org/certify/cippa.
- CIPM (Certified Information Privacy Manager): This certification is designed for privacy program leaders in organizations; it focuses on building a privacy team and privacy operations. Find out more at https://iapp.org/certify/cipm.
- CCISO (Certified Chief Information Security Officer): This certification demonstrates the skills and knowledge required for the typical CISO position. Read more at https://ciso.eccouncil.org.
- CBCP (Certified Business Continuity Planner): A business continuity planning certification offered by the Disaster Recovery Institute. You can find out more at https://drii.org/certification/cbcp.
- DRCE (Disaster Recovery Certified Expert): This certification recognizes knowledge and experience in disaster recovery planning. For more information about DRCE and related certifications, visit www.bcm-institute.org/certification.
- PMP (Project Management Professional): A good project manager — someone you can trust with organizing resources and schedules — is a wonderful thing, especially on large projects. The Project Management Institute (www.pmi.org) offers this certification.
- PCI QSA (Payment Card Industry Qualified Security Assessor): The Payment Card Industry Security Standards Council developed the QSA certification for professionals who audit organizations that store, transmit, or process credit card data. This certification is for PCI auditors. Find out more at www.pcisecuritystandards.org.
- PCI ISA (Payment Card Industry Internal Security Assessor): This certification, also from the Payment Card Industry Security Standards Council, is for security professionals within organizations that store, transmit, or process cardholder data. Find out more at www.pcisecuritystandards.org.
- GIAC (Global Information Assurance Certification): The GIAC family of certifications includes categories in Audit, Management, Operations, and Security Administration. GIAC non-vendor-specific certifications complementing CISSP are GIAC Certified Forensics Analyst (GCFA) and GIAC Certified Incident Handler (GCIH). Find more information at www.giac.org/certifications. Several vendor-related GIAC certifications are mentioned in the next section.
Technical/vendor certifications
We won’t even pretend to list all the technical and vendor certifications here, but these are some of the best-known vendor-related security certifications:
- AWS Certified Security – Specialty: AWS offers numerous certifications in architecture, data analytics, and (of course) security. Find out more at https://aws.amazon.com/certification/certified-security-specialty.
- CCIE (Cisco Certified Internetworking Expert) Security: Cisco offers several product-related certifications for specific products, including ASA firewalls and intrusion prevention systems. Find out more at www.cisco.com/certifications.
- Check Point Security Administration certifications: You can earn certifications related to Check Point’s firewall and other security products. Visit www.checkpoint.com/certification.
- CEH (Certified Ethical Hacker): We know, we know — an “ethical hacker” is a contradiction in terms to some people, but it provides real business value for others. Read about it carefully before signing up. This certification is offered by the International Council of E-Commerce Consultants (EC-Council). You can find out more at https://cert.eccouncil.org.
- ENSA (Network Security Administrator): Also from EC-Council, this certification recognizes the defensive view as opposed to the offensive view of CEH. You can read more at https://cert.eccouncil.org.
- LPT (Licensed Penetration Tester): Another EC-Council certification, LPT takes penetration testing to a higher level than CEH. Learn more at https://cert.eccouncil.org.
- CHFI (Certified Hacking Forensics Investigator): Also from EC-Council, this certification recognizes the skills and knowledge of a forensic expert who can detect computer crime and gather forensic evidence. Find out more at https://cert.eccouncil.org.
- CSFA (CyberSecurity Forensic Analyst): This certification demonstrates the knowledge and skills required for conducting computer forensic examinations. Part of the certification exam is an actual forensics assignment in the lab. Check out www.cybersecurityforensicanalyst.com/ for more information.
- CompTIA Security+: A security competency certification for PC techs and the like. We consider this certification an entry-level certification that may not be for you. Still, you may advise your aspiring colleagues who want to get into information security that this certification is an excellent place to start. You can find out more at www.comptia.org/certifications/security.
- OSCP (Offensive Security Certified Professional): Offered by Offensive Security, OSCP is considered one of the top penetration testing certifications available. Many people consider CEH the entry-level pen testing cert and OSCP the top dog. Find out more at www.offensive-security.com.
You can find many other security certifications. Use your favorite search engine and search for phrases such as “security certification” to find information.
Choosing the right certifications
Regularly, technology and security professionals ask us which certifications they should earn next. Our answer is almost always the same: Your decision depends on where you are now and where you want your career to go. There is no single “right” certification for everyone; determining which certification you should seek is a very individual thing.
When considering other certifications, ask yourself the following questions:
- Where am I in my career right now? Are you more focused on technology, policy, operations, development, or management?
- Where do I want my career to go in the future? If (for example) you’re stuck in operations, but you want to be focusing on policy, let that goal be your guide.
- What qualifications for certifications do I possess right now? Some people tackle certifications based on the skills they already possess, and they use those newly earned certifications to climb the career ladder.
- What do I need to do in my career to earn more qualifications? You need to consider what certifications you may be qualified to earn right now and what experience you must develop to earn future certifications.
If you’re honest with yourself, answering these questions should help you discern what certifications are right for you. We recommend that you take time every few years to do some long-term career planning; most people will find that the answers to the questions we’ve listed here will change.
You might even find that some of the certifications you have no longer reflect your career direction. If so, permit yourself to let those certifications lapse. There’s no sense hanging on to old certifications that no longer exhibit (or help you attain) your career objectives. Each of us has done this at least once, and we may again someday.
Most nontechnical certifications require you to prove that you already possess the required job experience to earn them. People make this common mistake: They want to earn a certification to land a particular kind of job. But that’s not the purpose of a certification. Instead, a certification is evidence that you already possess both knowledge and experience.
Finding a mentor, being a mentor
If you’re somewhat new to infosec (and even if you’re not!), and you find yourself asking many questions about your career, perhaps you would benefit from a mentor. A mentor is someone who has lived your professional lifestyle and been on the security journey for many years.
We suggest you shop around for a mentor and decide on one after talking with a few prospects. Mentors often have different approaches, from casual discussions to more structured learning.
If you’re not sure where to find a mentor, start with one or more of your area's local security organizations or activities. You may have to find a long-distance mentor if you live outside a major city, but the experience can still be rewarding!
As you transition in your career from a security beginner to a security expert, consider being a mentor yourself. You’ll find that although you’ll be helping another aspiring security professional get their career started, you’ll also learn quite a bit about security and yourself along the way.
Being mentored is not just for beginners. Even accomplished leaders have mentors who help them on their professional journeys.
Building your professional brand
You are defined by more than just your job title and your certifications. As you take your career further into information security expertise (and perhaps leadership), you’ll want to establish your brand above and beyond the job you are in today. Infosec professionals tend to stay in their positions for three to four years — a small fraction of a career. Instead of remaking your brand each time you change employers, elevate your brand to set it apart from your employers. Here are some of the ways you can spread your wings:
- Create a LinkedIn profile. LinkedIn has become the de-facto platform for building your brand. If you haven’t done a lot with LinkedIn, we suggest that you pick up a copy of LinkedIn For Dummies, 4th Edition, by Joel Elad (John Wiley & Sons, Inc.) and go all in.
- Join (ISC)2 and other communities. You might find your niche through the (ISC)2 communities discussed earlier in this chapter, where you can help and be helped.
- Use other social media. If you are serious about building your brand, you might also consider creating a professional Twitter and/or Instagram account.
- Start a blog. Your opinions and insights matter, and a blog is a great way to express yourself through articles and other information about yourself and your contributions to the profession.
- Print personal business cards. If you are a business-card type of person, consider getting your own business cards. Go plain or go fancy. Peter prefers the minimalist approach, as you can see in Figure 2-1.
Building your brand is about contributing to the profession, not seeing what you can find for the taking.
Personal Branding For Dummies, 2nd Edition, by Susan Chritton (Wiley), is a great way to learn more about your brand and how you can use it to help others and get ahead.
Pursuing Security Excellence
We think that the best way to succeed in a security career is to pursue excellence every day, whether you’re already in your dream security job or just starting.
The pursuit of excellence may sound like a lofty or vague term, but you can make a difference every day by doing the following:
- Do your best job daily. No matter what you do for a living, be the very best at it.
- Maintain a positive outlook. Happiness and job satisfaction are due in large part to your attitude. Having a good attitude helps make each day better and allows you to do a better job. Because optimism is contagious, your positive outlook will encourage your co-workers, and pretty soon, everyone will be whistling, humming, or doing whatever else they do when they like their jobs. Have an attitude of gratitude.
- Continually improve yourself. Take the time to read about security practices, advances, developments, and changes in the industry. Try to figure out how innovation in the industry can help you and your organization reduce risk even more, with less effort.
- Understand your value. Take the time to understand how your work adds value to the organization; try to develop more ways to add value and reduce risk.
- Understand the big picture of security in your organization. Whether or not you’re responsible for some aspect of security, take the time to understand your organization's principles to increase security and reduce risk. Use the security and risk management principles in Chapter 3, and see how those principles can help improve security even more. Think about your role in advancing the cause of asset and information protection in your organization.
- Understand information security on a global scale. Take the time to understand big-picture trends globally: what nation-states pose the greatest threats, developments in security and privacy laws, workforce trends, and changing attitudes about information security. This information will help you stay current in this rapidly evolving industry.
If you make the pursuit of excellence a habit, you can change for the better over time. You end up with an improved security career, and your organization gets better security and reduced risk.