A Guide to the Certified Information Security Manager (CISM) qualification

There are now a vast number of courses and qualifications available for IT and cyber security professionals. Some are achievable over only a few days, whilst some may take years to complete. In terms of Information Security, there are a great deal of courses and qualifications out there, but one of the best-known and highly regarded is the Certified Information Security Manager (CISM) qualification, which is awarded by ISACA (the organisation previously known as the Information Systems Audit and Control Association).

The Qualification

The Certified Information Security Manager qualification was first launched in 2002 and is now a globally accepted qualification amongst the IT community.

Who is it for?

The CISM is for IT professionals with a specific interest in IT security. It is awarded to individuals who meet the following requirements:

  1. Pass the CISM exam.
  2. Adhere to ISACA’s Code of Professional Ethics.
  3. Agree to comply with the Continuing Professional Education (CPE) Policy.
  4. Have relevant work experience.
  5. Submit an Application for CISM Certification.

The Exam

One of the criteria for certification is passing the main exam. The exam covers the four CISM areas outlined below:

  • Information Security Governance (24% of exam)
  • Information Risk Management and Compliance (30% of exam)
  • Information Security Program Development and Management (27% of exam)
  • Information Security Incident Management (19% of exam)

The exam consists of 150 multiple-choice questions covering the areas above. Candidates have four hours in which to complete the exam.

Since 2017, the exam can now be taken via computer-based testing (CBT) at a number of registered exam centres. This also means that the candidate’s exam score can be displayed straight away.

In order to register for the exam, candidates must first register online with the ISACA, find a testing centre nearby, and pay for the examination in advance.

The fees for this exam are $575 USD (approx. £475) for ISACA members and $760 USD (approx. £625) for non-members.

Required Experience / Qualifications

Those who wish to become qualified must possess a minimum of five years of relevant work experience. This experience must be verified and include at least three years of information security management work in three or more of the specified areas. This experience must have been gained in the 10-year period prior to the application date, or within 5 years from when the exam was originally passed.

There are, however, several certifications and types of experience that can be used towards the 5-year information security work experience requirements (but not toward the 3-year specific requirements).

Certifications and experience that count for two years of the five include:

  • Certified Information Systems Auditor (CISA)
  • Certified Information Systems Security Professional (CISSP)
  • Post-graduate degree in either information security or a related field such as business administration, information systems, or information assurance.

Certifications and experience that count for one year of the five include:

  • One year of information systems management experience
  • One year of general security management experience
  • Skill-based security certifications such as CompTIA Security+, SANS Global Information Assurance Certification (GIAC), Disaster Recovery Institute Certified Business Continuity Professional (CBCP), Microsoft Certified Systems Engineer (MCSE), or ESL IT Security Manager.
  • A completed information security management program at a relevant institution (i.e. one aligned with the Model Curriculum).

Continuing Professional Education and Job Prospects

A key element in obtaining certification is that the candidate agrees to follow the Continuing Professional Education (CPE) policy. This policy is there to ensure that all certified candidates keep their knowledge current and maintain proficiency in the field. Staying up-to-date means that individuals are better able to provide leadership and value to their organisations. At least 20 hours of CPE are required each year in order to maintain the CISM certification.

Professionals who gain the CISM qualification can go into a wide range of roles, including (but not limited to):

  • Information Security Manager
  • Information Security Analyst
  • IT Audit Manager
  • Director of Cyber Security & Information Assurance
  • Cybersecurity Consultant

According to the website IT Jobs Watch, the average (median) annual salary for an ISACA Certified Information Security Manager is £65,000. You can find out more about other cyber security job salaries in this article on our sister site, Cyber Security Jobs.

How to set up a Home Testing Network / Lab

Today’s constantly changing cyber security landscape means that keeping your network secure is more essential than ever. A key part of this is penetration testing. You might think that this is a specialist area that needs to be left to the experts, but in fact, you can set up your own network penetration testing lab in house.

Not only is this a good way of securing your systems but it also helps to improve your configuration and security skills so that you are less likely to leave attack routes open in future. Carrying out penetration testing in a lab environment is also much safer, as some of the tools used can cause problems if applied to a live network. Your own lab is also a good way of experimenting with the latest testing tools and techniques.

Physical versus virtual

In the past, you would have needed a physical server as the core of your testing setup. Today, however, you can do it in a fully virtualised environment. You can combine the two, with a single physical machine hosting a number of virtual machines, or you can go for a completely cloud-based solution.

You need to be aware, however, that virtual machines don’t always precisely replicate the characteristics of physical ones, so certain techniques may not yield the same results. Even so, to get started, a virtual environment is probably best. If you need to increase the realism of your tests later, you can look at using old hardware, either surplus within the organisation or purchased second-hand.

The principal advantage of virtual machines in the cloud is scalability. You can easily add capacity as you need it. Infrastructure as a Service (IaaS) allows you to replicate all kinds of network scenarios without the need for expensive hardware. Virtual machines can be used to host a range of different environments, including Windows and Linux.

Inside the lab

Having decided on the environment you are going to use, what does your lab actually contain? At its simplest, all you need is the computer to be tested and the one that is going to carry out the testing. As your needs evolve, the number of machines may increase.

If you are just beginning, it’s best to start simple and build up to something more complex. The key thing is to replicate the target system as closely as possible. For newbie testers, it’s important to understand what it is that makes a system vulnerable. Fortunately, the internet is your friend here and there are a number of places where you can download applications and virtual machines that are pre-configured to be vulnerable. This is a good way of getting started and learning how your testing tools work.

As your skills improve, you’ll want to start adding complexity to your test setup. This means increasing the number of targets, adding machines running different operating systems and different software. This ensures that you gain experience as to how mixed networks look from an attacker’s point of view. You can also expand the potential attack surface by adding services such as FTP, databases, email and so on.

On the machine that’s carrying out the testing, you really need to be able to run both Windows and Linux, as there are different tools available for each OS and their capabilities differ. Once again, there are pre-configured testing tools that you can download to help you get started. Alternatively, you can build your own toolkit. You will need a number of things for this: a set of basic network utilities including FTP and Telnet is essential, along with some packet capture software, a port scanner, and a vulnerability scanner. You may also want to look at getting a password cracker as well as a scripting tool.

It isn’t hard to get started: set up a testing lab with just a couple of virtual machines and some pre-configured image downloads. You can then add complexity and sophistication as your skills develop.
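One check worth running before any tooling is pointed at a lab target, added here as an example that is not from the original article: it parses the `key="value"` lines that `VBoxManage showvminfo <vm> --machinereadable` prints for each lab VM and flags any adapter (bridged or NAT) that can reach a real network, which is how a noisy scan against a "lab" box ends up touching production. The two VM listings below are constructed samples, not output captured from a real host.

```python
"""Check that every VM in a pentest lab is attached only to isolated networks.

Added example (not from the original article). Input is constructed sample
output in the style of `VBoxManage showvminfo --machinereadable`.
"""
import re
from typing import Dict, List

# Adapter types that stay inside the host: safe for a lab.
ISOLATED = {"hostonly", "intnet", "none"}
# Adapter types that can reach beyond the host.
LEAKY = {"bridged", "nat", "natnetwork"}

KV = re.compile(r'^(\w+)="?(.*?)"?$')


def parse_vminfo(text: str) -> Dict[str, str]:
    """Turn machine-readable showvminfo output into a key -> value dict."""
    info = {}
    for line in text.splitlines():
        m = KV.match(line.strip())
        if m:
            info[m.group(1)] = m.group(2)
    return info


def leaky_adapters(info: Dict[str, str]) -> List[str]:
    """Return a description of every adapter that breaks lab isolation."""
    problems = []
    for key, value in sorted(info.items()):
        m = re.fullmatch(r"nic(\d+)", key)
        if not m:
            continue
        n = m.group(1)
        if value in LEAKY:
            # Name the real interface or NAT network the adapter is joined to.
            detail = info.get(f"bridgeadapter{n}", info.get(f"natnet{n}", ""))
            problems.append(f"nic{n}={value} {detail}".strip())
        elif value not in ISOLATED:
            problems.append(f"nic{n}={value} (unknown type, review)")
    return problems


def audit_lab(vms: Dict[str, str]) -> Dict[str, List[str]]:
    """Map VM name -> list of isolation problems (an empty list means OK)."""
    return {name: leaky_adapters(parse_vminfo(raw)) for name, raw in vms.items()}


# Constructed sample output for two lab VMs: the tester is host-only,
# the target has a second adapter bridged onto the real LAN by mistake.
SAMPLE_VMS = {
    "kali-tester": '''
name="kali-tester"
nic1="hostonly"
hostonlyadapter1="vboxnet0"
nic2="none"
''',
    "win-target": '''
name="win-target"
nic1="hostonly"
hostonlyadapter1="vboxnet0"
nic2="bridged"
bridgeadapter2="eth0"
''',
}

if __name__ == "__main__":
    for vm, problems in audit_lab(SAMPLE_VMS).items():
        status = "OK" if not problems else "NOT ISOLATED: " + ", ".join(problems)
        print(f"{vm}: {status}")
```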

What is Cyber Security Challenge UK And Should You Take It?

Are you interested in cyber security but don’t know how to turn it into a career? If so, it’s worth investigating Cyber Security Challenge UK and it doesn’t matter how old you are or what qualifications you have (or don’t have). In this article we take a look at everything you need to know.

What is Cyber Security Challenge UK?

It’s an initiative set up to identify and encourage people with cyber security skills, with the aim of recruiting them into the industry. The programme offers both competitions to test a variety of skills across multiple age groups, together with education at all levels to help students and teachers develop cyber security knowledge and to promote future career prospects in the sector.

The principal competition starts with online qualifying challenges designed to test your skills. These aren’t necessarily all technical; cyber security also requires an aptitude for risk identification, problem solving and understanding psychology. From there, successful participants move on to face-to-face semi-finals and then to the Masterclass grand finale where an annual champion is chosen.

With a significant shortage of skills in the sector already biting, if law enforcement and security agencies can’t recruit suitable talent, the UK won’t be able to combat the rising tide of cyber crime. Cyber Security Challenge UK is looking to solve that potential issue with its competitions and its numerous events in schools, colleges and universities.

How do you enter?

To enter, simply go to the Cyber Security Challenge UK website and register to play. Once registered, you can play online or download the app for a faster, more engaging experience.

You need to be 16 or over, a UK or EU citizen and a UK resident to enter the main competition, although the organisers have the discretion to admit under-16s with exceptional abilities. If you’re under 18 and get to the face-to-face stages, you must attend with an adult. If you currently work in the cyber security industry, you can register for the online competition but you cannot progress to the face-to-face stages.

There are also rules for the frequency with which you can enter. If you win a Masterclass place, you can’t enter any further face-to-face competitions in that calendar year. If you reach two or more Masterclasses or are crowned champion, you can no longer participate in face-to-face events. This is to ensure that as many potential cyber security professionals as possible can reach the semi-final and final stages. You can, however, still play online and attend educational events.

Who’s behind it?

Cyber Security Challenge UK is funded primarily via sponsorship, including from the UK Government, the National Crime Agency and GCHQ. As a not-for-profit organisation, it provides a route for both private and public enterprises to find exceptional talent that can defend the UK’s financial institutions, national security and overall digital economy in years to come.

As a result, the range of sponsors reflects the diverse needs of the cyber security industry. Sponsors include universities, defence organisations, government departments, technology companies of all sizes, law firms, together with education and training businesses.

What about the educational events and activities?

Cyber Security Challenge UK is very much about the long term, an integral part of which is working to support and even change mainstream education. Cyber security developments don’t form a major part of any standard educational offering at GCSE and A-level, but the promotion of lesson plans, free summer camps and resources for parents should help to foster an interest in young people and encourage them onto a pathway that leads to a cyber security career.

In universities, the organisation offers a variety of boot camps tailored to both technical and non-technical undergraduates. Again, the emphasis is on finding the right people, unrestricted by age, background, or qualifications, setting them on a path where they are seen by the right recruiters.

Ultimately, if this is a sector that appeals to you, you meet the requirements and you think you have the necessary skills, this is a great starting point. Register, play, and see where it takes you.

5 Free Learning Resources For the Cyber Security Beginner

Starting a career in cyber security can lead to personal financial security. Experis, in fact, reported a four percent year-on-year salary increase coming into 2018, with other analysts reporting a seven percent salary increase for cyber security specialists in 2018 – the biggest for IT professionals in Europe.

If you’re looking to become a cyber security professional but lack practical experience or the finances to take classes in a university, there are plenty of ways you can get into the industry.

Here are five of our top free beginner cyber security resources and courses to get you started:

Introduction to Cyber Security

Learn the fundamentals of cyber security to protect private and personal data. Know the basics of authentication, networking, threat identification, cryptography application, risk management, recovery, and the law surrounding cyber security.

The Open University offers this eight-week course through Future Learn, with support from the UK Government’s National Cyber Security Programme and accreditation from GCHQ Certified Training, APMG International, and the IISP.

The free version gives you 10 weeks of access to all the educational materials, but you’ll have to pay for certification.

Cyber Security: Safety at Home, Online, in Life

Considering how much personal data is stored online through the proliferation of smart devices, social media use, and online shopping, the threat of cyber attacks has increased. With this course, you’ll understand the practical applications of cyber security on the everyday goings-on of the average individual and how that relates to commercial businesses.

Newcastle University offers this three-week course through Future Learn. Enrolling in this course for free gives you access for five weeks. You will have to pay to get certification.

Network Security

Establish foundational knowledge on cryptography, cryptanalysis, and systems security in the context of securing networks. Lessons are taught through seminal papers and monographs that have impacted the industry, developing your security research skills in the process.

The Georgia Institute of Technology (Georgia Tech) offers this 16-week course through Udacity.

This free course nets you instructor videos and interactive quizzes, but you will not receive any accreditation unless you are part of the Georgia Tech OMSCS program.

Cyber Security for Small and Medium Enterprises: Identifying Threats and Preventing Attacks

While the biggest cyber crimes people hear about concern multinational corporations and industry giants, small- and medium-sized businesses are just as vulnerable to cyber attacks. This course teaches you how to identify risks and prevent threats that SMEs uniquely face when it comes to cyber security.

Deakin University will be offering this two-week course through Future Learn. You can only get credit for this online course if you complete the entire Cyber Security Management program it is part of.

Secure Android App Development

Mobile applications have become an integral part of modern living, with so much confidential information tied to these apps. The freedom and flexibility of app development on Android, however, comes at the price of great cyber security risks. Learn how to identify and solve common security problems in mobile apps that can be fixed in the development stage with the use of HPE Fortify SCA.

The University of Southampton’s Cyber Security Academy offers this four-week course through Future Learn.

Once you have developed these beginner skills, take the next step in your education by looking for advanced cyber security courses through our very own network of providers. If you’re ready for that career defining first job, then check out our sister site, Cyber Security Jobs.

What does an Ethical Hacker do?

There is a stigma attached to the word ‘hacking’ and for very good reason. Hacking is associated with the malicious and unauthorised intrusion into a computer or network by an outside party or system with the express aim of stealing, sabotaging, damaging or compromising systems, software or data. As individuals who can undertake such an operation, often without leaving any trace of their identity or origin, hackers are highly experienced and skilled, often with a background in coding and programming.

In this article, we’re going to take a look at the area of cyber security known as ethical hacking (also referred to as penetration testing), what ethical hackers do and exactly when and why hacking can ever be ethical.

When is Hacking Ethical?

Hacking becomes ethical when its purpose is to identify the risks and vulnerabilities of a given system or network to outside attack. By attempting to bypass a system’s security measures, ethical hackers can expose inherent flaws and then deploy effective countermeasures and fixes to improve the system’s overall cyber security. For this reason, ethical hackers must be able to put themselves into the shoes of a would-be cybercriminal or cyber terrorist in order to best try to outwit the target system’s security.

Because ethical hackers use the same techniques as malicious hackers, many are themselves reformed hackers who have been headhunted by security agencies or the IT security departments of large companies. In this sense, ethical hacking is inherently the same as malicious hacking in its methodology and practice. Crucially, though, the end goal is one of exposure and not exploitation.

How does an Ethical Hacker help improve Cyber Security?

An ethical hacker’s first task is to seek to understand and learn how a system operates and its underlying cyber security measures. They will then research and meticulously document their attempts at bypassing that system’s security, before discussing their findings with those responsible for designing the IT security infrastructure, as well as senior management. The results of the investigations are then used by the organisation to fix any backdoors or vulnerabilities in their system. They will then work closely with the teams responsible for implementing these fixes, often to re-test them and identify any remaining vulnerabilities or unintended consequences.

In creating their methods and investigations, an ethical hacker must approach a system from an attacker’s perspective. While doing so, they must also keep in the back of their mind the real-world consequences of the possible cyber security attacks. ‘What would an attacker do? Bypass first-level security? Make illegal wire transfers? Steal customer information? How can the system not only prevent but quickly identify and recover from such malicious attacks?’

The ethical hacker must carry out their work through an open process, so that managers and the IT team collectively know their system’s vulnerable points and how to counteract highly skilled malicious attacks.

Information security, the industry to which ethical hacking belongs, is still young and developing. There is a significant lack of knowledge of what ethical hacking is and what its results should include. Because of that, the roles, responsibilities, and tasks of an ethical hacker can vary greatly from day to day.

How to become an Ethical Hacker

The job market for ethical hackers continues to grow, along with the cases of cybercrime that organisations are subjected to. It can go by the titles of Information Security Analyst, Security Consultant, or simply Ethical Hacker. In the UK the average annual salary of an ethical hacker / penetration tester is £37,442.

Whilst there are no mandatory qualifications for becoming an ethical hacker, successful candidates will have a strong background in coding and programming and several years’ experience working in IT or IT security.

For those wishing to pursue a career in penetration testing, a foundation course in IT security is recommended, such as the CompTIA Security+ and Network+ qualifications or an ISO 27001 Foundation course. For those with experience in IT security, the Certified Ethical Hacker course is very relevant, but more general cyber security courses such as the Certified Information Systems Security Professional (CISSP) can also lead to a role in penetration testing. You may then consider specialising in ethical hacking by obtaining a more advanced certification such as the OSCP or Kali Certified Penetration Tester qualification.

One of the most important factors to become a good ethical hacker is to learn how a hacker thinks. Hacking is not all about technical knowledge. It involves tactical and strategic thinking, problem solving and a certain degree of creativity. As controversial as it might be to say it, the reason that some of the best ethical hackers in the world are former cybercriminals is that they have more experience than most of thinking like a criminal.

If you’re reading this, it’s likely that you don’t have a background in cybercrime. If that’s the case, then one way to demonstrate your aptitude for penetration testing is to build your own testing environment in which you can practise and document your results. This will also help you learn in a simulated real-world environment, giving you vital experience that is very hard to gain in a classroom.

Is a Degree in Cyber Security worth it?

Cyber security professionals at the start of their career can expect to have the fastest growing salaries in the UK, according to Robert Half. But many people wanting to go into IT security are still confused as to the career path to take. In this article we’re going to take a look at cyber security degrees and whether they’re the best route into the profession.

The Case for getting a Cyber Security Degree

Let’s make no mistake; cyber security is not an easy field to get into without a degree. Whilst it’s by no means impossible and there are cyber security professionals without one, the odds of landing a solid entry job are stacked considerably more in your favour if you have a relevant degree under your belt.

Although experience and industry-recognised cyber security certification are also essential, most entry-level cyber security jobs will require you to have a relevant degree. A degree in cyber security would obviously qualify you, but so too would degrees in many related fields like forensic computing and computer science.

STEM subjects (Science, Technology, Engineering and Mathematics) are also relevant entry points into the field of cyber security. Although these subjects themselves aren’t directly related to IT and IT security, they do teach students the relevant disciplines such as logical thinking, problem solving, solving equations and mathematical certainty. Many of these are directly applicable to programming, coding and other related fields.

Whilst many will argue that experience and relevant IT certification will trump a degree when it comes to applicable knowledge and practical skill development, the fact is that almost all entry level IT security jobs will require a degree. In this sense a degree in computer science or any STEM subject should be seen as an absolute must.

The Case for getting a Cyber Security Master’s Degree

Of course the educational route needn’t stop at degree level and many universities now offer master’s degrees in cyber security or information security (infosec). The jury seems to be mostly out on this one when it comes to just how useful a master’s degree can be, compared to relevant experience and certification. It really depends on the field you want to go into and what the expectations are. If you have an idea of where you’d like to end up, then it makes sense to find those jobs online and see what the entry requirements are.

There are quite a lot of forum discussions on this online, but this typically impassioned thread from Reddit is pretty illuminating, especially from the point of view of becoming a penetration tester (ethical hacker).

PostGrad.com has put together a list of the ten best cyber security related masters courses in the UK and Europe, which is well worth checking out. GCHQ in the UK also approves certain post degree courses and CBR have listed their top ten master’s courses here.

Is a Cyber Security Degree more Important than Certification?

Bachelor’s degrees in cyber security are not an alternative to taking relevant courses and qualifications in cyber security and shouldn’t be seen as such. It’s extremely important to separate education (GCSEs, A Levels, Degree, Master’s Degree, etc.), certification (CISSP, Certified Ethical Hacker, etc.) and experience (industry, internships, setting up your own testing environment, etc.).

Employers will look at all three areas separately, and being educated to degree level will show academic commitment as much as it will show relevant education in the field. The one area I didn’t mention here is soft skills, which can in part be honed through experience, tutorship and professional development.

What will you learn on a Bachelor’s Degree Course?

Cyber security degrees will focus on the information security aspect of computing, whilst computer science degrees can be tailored to specialise in cyber security related fields. With both you will learn some key principles relating to IT security including:

• The fundamentals of cybercrime, including common methods and motivations
• Digital forensics, what it is and how it can help uncover cyberattacks and trace attackers
• Strategies for protecting information systems and networks
• Use of common programs that can monitor and track cybercrime online
• Common logical mathematics, programming and coding

What you study will depend on the particular course you are taking and any specific modules you opt for within that degree. It pays to have an idea of what you want to do post university so you can tailor your course to the career you most want to pursue.

Post Graduate Job Opportunities

In 2012, US State Department senior advisor Alec Ross said “If any college student asked me what career would most assure 30 years of steady, well-paying employment, I would respond, ‘cybersecurity’.” This was a pertinent comment six years ago and it is arguably more pertinent today, especially in the light of a growing IT recruitment crisis.

But knowing what area or field to get into can be difficult at this early stage of your cyber security career. One thing’s for sure: you’ll almost certainly need to acquire some certification or qualifications on your journey. It’s also likely that your employer may well pay for you to do this to fast-track your career.

Two jobs that can often represent the first step on the cyber security ladder are Network Security Engineer and Security Administrator, both of which are responsible for the day to day administration of an organisation’s cyber security infrastructure.

For more information on the various roles out there, check out our sister site’s guide to cyber security job salaries in the UK.

For league tables on all UK computer science degrees, check out this site.