Les Bell

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

Who Should Attempt the CISSP Exam?

I'm often asked who the CISSP certification is aimed at; my university students typically ask whether they should attempt the certification before or while in their first job, for example (almost certainly not, for the undergraduates - they usually could not meet the experience requirements, while some of the Masters students could).

Primarily, the CISSP is for those who are moving upwards from a technical background in one or a few of the CBK Domains (e.g. network security, security architecture, etc.) into a management or supervisory position where they will need to:

• utilise a broad understanding of the other domains, to which they may already have had some exposure
• supervise technical professionals across all or most domains
• understand how *all* aspects of security need to be covered in balance, and
• communicate - in *both* directions - with senior management, that is, not just advise management.

The last point is probably the key one. Communication to management will mainly involve translating technical assessments of threats, vulnerabilities, etc. into business risk which management can relate to their existing understanding of risk, and this is a key reason why cybersecurity risk assessment processes and risk matrices, etc. should be aligned with the existing risk management processes across the rest of the enterprise.

But it also works the other way: translating senior management business concerns and requirements into technical security requirements. Once managers understand the risks posed to the assets they own, in part due to the business processes they rely upon, it is up to them to decide the level of risk they will accept. This is a business decision, and not one that security professionals are equipped to make.

Although some of this operates at the level of C-suite and board concerns with governance and policy, some of it involves other managers' specific concerns with opportunities presented by new technologies (cloud, apps, machine learning, related privacy issues), etc. as well as managing risks associated with specific business processes or information assets as they change.

In any case, I have found a security governance and management course is of benefit to students and practitioners who are still in the early stages of their career. Many tend to focus tightly on their particular interests or immediate job concerns - typically penetration testing, which is always an attractive aspect of cybersecurity for novices (something I don't understand - long hours, lots of reverse engineering and disassembling code, keeping on top of the latest vulnerabilities and exploits; I'd burn out).

However, a governance and management course helps them put it all in perspective and realise a) that their particular role is far from the only one needed in any large enterprise, let alone the most important one, and b) how their role fits in and the factors which influence the demand for their services. It certainly rounds them out as a professional.

For undergraduate students in cybersecurity, governance, risk and management is sometimes offered as a third-year subject; it's usually found in Masters programs. But for those already in the workforce, or who have not completed a specialist cybersecurity degree, tackling the CISSP - whether by self-study or a course - is probably the best way to get a comprehensive overview of the other areas of the field, how they all fit together, and how they are managed.

All this leads me to conclude that, right now, the CISSP is not of value just to the CISO level, especially in larger enterprises.

A Look Inside the Bulgarian 'Virus Factory'

A fascinating read in The Guardian last week provides an insight into the minds of competitive young virus authors in Bulgaria in the 1980's. These were the heady days of virus development, where curiosity was the driving force, in a search for new techniques to infect the MS-DOS systems of the era. It was a kinder, gentler time, when the massive profits provided by ransomware had not yet become a factor.

Shapiro, Scott J, On the trail of the Dark Avenger: the most dangerous virus writer in the world, The Guardian, 9 May 2023. Available online at https://www.theguardian.com/news/2023/may/09/on-the-trail-of-the-dark-avenger-the-most-dangerous-virus-writer-in-the-world.

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.