Which CISSP concentration for security consulting role?

Big-JJ

I've taken a new consulting job and will be doing the following:

• Devise cyber security program that supports the organization's strategic goals for C-executives
• Design and review security policies, processes, and procedures
• Conducting security maturity assessments and diagnostics
• Design and implement security operating models
• Design security awareness programs and phishing campaign
• Implement risk management frameworks

Any recommendation on which CISSP concentration will be most helpful in doing my job better?

So far I've got MBA, CIA, CRMA, CISA, CISM, CRISC, CISSP, PMP.

Thanks

Info_Sec_Wannabe

With your current certifications (and experience), bullets 2 to 6 can be taken care of. However, for the first one, I'm guessing it would overlap with @UnixGuy's other thread (at least IMHO).

https://community.infosecinstitute.com/discussion/138071/resources-to-create-cyber-security-strategy-for-cisos#latest

UnixGuy

@Big-JJ : I held a few jobs similar to the you're describing! I do not believe the CISSP is the most helpful resource here (having said that, I do not hold CISSP so I could be wrong..).

For Security maturity assessments, you're better off learning frameworks such as NIST for example. If you work for a consulting firm, they'll have templates and stuff they said for previous engagements that you can leverage (you will also learn consultant speak heh).

I think ISACA might be more relevant. I do not like way ISACA charges for membership, renewals, exams, and cert fees. I hold CISM and CRISC, both are kind of relevant. CISA is good for people new to audit or more junior staff.

For the consulting, you can do really well and progress without any cert. The certs are 'nice to have'. You need to get good at running workshops with clients, analyse data, review programs and give practical advice.

People skills <== might be the most important aspect of the job.

Depending on the firm you're working with, expect do a lot of Powerpoint and potentially Excel. Certs won't teach you that.

Some clients will use CIS 20, ISO27K1, NIST, .etc or a combination of those.

Check ISACA NIST assessment free template, download and you can use it, but I'm 90% certain your firm will have a version of that that you can use.

Feel free to message me directly, I got really good at the consulting game and quite enjoyed it!

SteveLavoie

Big-JJ said:

Any recommendation on which CISSP concentration will be most helpful in doing my job better?

So far I've got MBA, CIA, CRMA, CISA, CISM, CRISC, CISSP, PMP.

Thanks

I think you have all certification required for that.. Time to get what you learn from all those certification in practice

shochan

yeah, sounds like you just need to get your hands dirty & learn the job itself.  Even if you make mistakes you should learn from those and see what you can improve on.  

JDMurray

Will you be a business consultant for technical C-levels or a technical consultant for business C-levels?

Big-JJ

JDMurray said:

Will you be a business consultant for technical C-levels or a technical consultant for business C-levels?

From what I know, business consultant to business C-levels. t never hurts to be more technical but not sure of the benefits for this role at this point.

JDMurray

In that case, the MBA with anything on policies and governance will be what you are needing.

scasc

Sounds like the job I do . You have the necessary certs, more about knowing frameworks in detail to then define gaps, risks and roadmaps to improve based on most urgent priorities. Saying that if you really wanted a cert, I would honestly suggest GIAC GSTRT or GSLC. As these touch on the points you mentioned.

csjohnng

Given your education and certification, you have the enough tooling to go for consulting and approaches the C-level.
Of course, there is no harm to get related CISSP concentrations if you have time and I have provisionally passed the 3rd one yesterday.

egrizzly

@Big-JJ

To answer your question directly the ISSAP is the one you want.  It satisfies the bullet points you have listed and then some.  As others pointed out though, you really do not need it in practice as the CISSP, CRISC, and CISA certs have already covered that knowledgebase.  To get practical experience just print out some business cards, visit a few business networking events, and market your fees as low as you can without seeming too weird. 

To add to my reply, know that your only knowledge-gap is knowing how the frameworks work at high-level and close-up.  All the bullet points you mention there have already been answered thoroughly by the availability of the various industry-standard frameworks.  Here's a formula to determine which framework to use:

1.) What kind of company is it (e.g. healthcare, marketing, finance, oil & gas, etc)
2.) What are the People, Process, and Technologies they use to accomplish their business goals?

From the two questions above you can then decide which frameworks to assign in designing the companies cybersecurity program.  E.g. assuming it's a Pharmacy, well their #1 would be Healthcare.  Their #2 would basically include:

• a corporate network (NIST-CSF)
• people that work with healthcare data (HIPAA)
• credit cards to process customer orders ( PCI-DSS)

So the cyber security program you design is all layed out for you between the NIST-CSF, HIPAA, and PCI-DSS frameworks.  Then just dig into the frameworks line-by-line to get the specific elements needed and map out a reasonable timeline.

We can do another example. Let's do a Marketing company that produces fliers for other businesses.  Well, #1, the type of company would be Marketing, obviously.  Their #2:

• People that use internet-connected computers everyday (NIST-CSF)
• A corporate network (NIST-CSF)
• Computers that produce graphics, video, etc ( NIST-CSF)

So the cyber security program you design for the second company is all layed out for you with just the NIST-CSF framework.  That's all you need to do.

To provide more relevant info, there was a very helpful thread previously discussed here where @scasc
basically provided a good link for the various frameworks and how to understand and use them when faced with a task such as yours.  The link is right here >>> https://www.frankkim.net/blog/how-to-make-sense-of-cybersecurity-frameworks

Well, hope this all works out for you. Have fun with it, and the best of luck.

AverageJoe

I agree with those who say no need for additional certs.  You've already got plenty and should have a good understanding of most of those topic areas as is, and the fact that you already landed this role should stand as confirmation unless there was some condition that you'd gain "the appropriate certification" or something similar.  

That said, I'd consider the CISSP-ISSMP and CISSP-ISSEP as good possibilities.  I've always heard the ISSMP is along the same lines as the CISM you already have, so that may be the easier cert to earn with the ISSEP probably being the one you'd learn more from.  Just my guess, though, as I do not have either.

balance

 I wouldn't go after any other certs . You have more than enough .