The statistics are sobering: 43% of cybersecurity breaches involve small businesses, and 10% of all breaches in firms small and large were in the financial industry, according to the 2019 Data Breach Investigations Report published by Verizon.
It is important to reiterate these are breaches, which are defined as an incident that results in the confirmed disclosure—not just potential exposure—of data to an unauthorized party. Given that many independent financial advisors are small businesses in the financial industry, these numbers should give most advisors pause when considering how prepared they are in terms of data security.
I’ve been asked by advisors many times how to choose a cybersecurity consultant to work with, given the plethora of digital security certifications out there. The number of these professional markers only continues to grow and thus confuses outsiders looking for a sign of expertise.
When I was working as an editor for PC Magazine more than a decade ago, the choice was pretty simple: The CISSP, which stands for Certified Information Systems Security Professional, from (ISC)² Inc. (the international, nonprofit membership association for information security professionals) was by far the most popular and respected.
A colleague and friend who worked with me at the magazine as one of our lab’s technical directors took the test after months of study and preparation, passed it and received his certification. It immediately gave him credibility with the many security technology vendors, experts and academics we interacted with in our work.
“The CISSP is still the gold standard. Worldwide there are more than 140,000 holders of the certification,” said Mark Aiello, president at CyberSN, a recruiting and placement firm for cybersecurity professionals. The exam is difficult and can take significant time and money to prepare for: candidates must study the eight security domains of the (ISC)² Common Body of Knowledge and document five years of paid professional experience in the field before the certification is granted.
But those holding the designation are in high demand, which is bad news for a small firm hoping to hire one.
“There are half a million open jobs here in the U.S., somewhere between 2 and 3 million jobs open worldwide, and so many require a CISSP. That is more openings than certificants existing in the world,” said Aiello.
William Carlson, a senior instructor with Cybrary, a cybersecurity and IT video learning firm, who has a CISSP himself, said that while he has great respect for that designation there are others that an advisor can consider when vetting a consultant or employee.
Alternatives
“Ultimately there is a much more holistic view, especially given that so much of what an advisor is using today will be cloud based,” Carlson said.
There are several certifications available from (ISC)² and ISACA (Information Systems Audit and Control Association) that cover cloud and security-management concerns. These include the CCSP (Certified Cloud Security Professional) from (ISC)², and the CSX-P (Cybersecurity Practitioner) and CISM (Certified Information Security Manager), both from ISACA.
“With these you are looking for someone that has some cloud experience—as many say about the CISSP, it is 40 miles wide and 2 inches deep—and these cloud-specific certifications are going to cover a lot of hot button topics [around online security] that you see in the news right now and that are probably of concern to advisors,” Carlson said.
CyberSN’s Aiello agreed that both the CCSP and CISM are good alternatives to seeking out hard-to-find CISSP candidates. CISSP holders are often older and usually seeking more senior positions. Larger firms see CISSP holders as experienced veterans in the cyberwars able to hit the ground running.
Younger security pros are attracted to the more recent certifications, because they can be less taxing in terms of preparation time and cost, and more specific to internet technologies of interest to younger professionals.
“If I were hiring someone, given two otherwise equal candidates, I’d go with the one that had one of these certifications over the one that didn’t,” Aiello said.
He also brought up two other certifications that are becoming increasingly well regarded, the Certified Ethical Hacker (CEH) and the Offensive Security Certified Professional (OSCP) designations. Both focus on penetration testing: finding vulnerabilities in networks and systems and demonstrating how they can be exploited to gain access.
Train and prepare thyself
Simone Petrella, CEO of cybersecurity training and education firm CyberVista, said that while both the CISSP and CISM certifications are good designations to look for in an individual if a firm has a full-time managerial position in cybersecurity, neither is a natural fit for firms where cybersecurity is not a full-time job.
“Those are the two that are the closest, but they are not perfect. There is not a cert out there that is a perfect fit,” she said. While her firm offers training in both, she’s seen enough demand from executives across industries that the company introduced a modular, self-paced online training program called Resolve.
“It is really geared toward people that are not cybersecurity pros but have to manage risk, cyber risk. It is industry agnostic and prepares them to monitor security on an ongoing basis and covers some of the major regulations,” Petrella said. It can also better prepare these executives to choose the right people to hire for cybersecurity roles, or outsource to a consultant or service provider.
“When it comes to financial services there is no one certification that I would point to,” said John P. Pironti, who has no fewer than seven designations in the field, including the CGEIT, CISA, CISM, CRISC, CISSP, ISSAP and ISSMP.
The president of security consultancy IP Architects LLC, Pironti said any outside advisor in security, regardless of the acronyms that trail after the name, should be asked specific questions that get at the person’s actual experience and how they would handle a threat.
“A good question for anyone you might consider hiring would be: ‘When is the last time you handled a ransomware attack, and how did you handle it?’” he said.
“A response from the consultant that I would hope for would be something along the lines of: ‘I’m ready to help you in a reactive mode, but here’s how I would prevent it in the first place,’” he said.