In interesting set of reference material, that is regularly coming back in data protection, cybersecurity and information security discussions I lately had with peers and colleagues. May you can use it too…
Feel free to provide some feedback yourself, if you know additional pointers I should add.
You know where to find me.
Change history
2022-04-27 14:00: Added EDPB announcement to references section
2022-02: The Dutch Ministry of Justice and Security requested an analysis of US legislation in relation to the GDPR and Schrems II by GreenburgTraurig.
Switzerland
In a recent article (In French) by ICT journal, the Canton of Zurich published a
In the midst of the #COVID19 corona pandemic, the ISO (International Organization for Standardization) has unlocked free reading access to a bunch of relevant standards, including
ISO 22301:2019, Security and resilience – Business continuity management systems –Requirements
ISO 22316:2017, Security and resilience – Organizational resilience – Principles and attributes
ISO 22320:2018, Security and resilience – Emergency management – Guidelines for incident management
ISO 13485:2016, Medical devices — Quality management systems – Requirements for regulatory purposes
The general access page with all online, fully accessible standards can be found here: https://www.iso.org/covid19.
Important note:
these standards are available online, but not downloadable (for legitimate downloads you need to purchase your copy in the ISO shop or with your national standards organisation)
there is no guarantee for continued free access once the Covid pandemic is over, if ever. That’s the sole discretion of the ISO, of course.
Just in case you get into SOC2 and want to know how to map it to existing information security implementation, whatever it may be, GDPR, ISO27001, NIST, … check this page
“ SOC reports refer to an audit of internal controls to ensure data security, minimal waste, and shareholder confidence; SOX relates to government-issued record keeping and financial information disclosure standards law. In other words, one is about keeping information safe, and the other is about keeping corporations in check.“
The main title of the (ISC)² article on CCSP vs CCAK is “CCSP Certification vs. CCAK Certificate: What Are the Distinctions?”
That’s exactly what you get. A list of technical differentiators between CCSP and CCAK, but according to (ISC)².
But if you hope to get an actual answer to what the right certification is, for you… they forget to ask …you.
What do you think would be the conclusion, if you ask that question to either one of the contestants while you compare 2 certifications? Of course each party will simply draw the conclusion that their own certification is the best choice.
To answer the most important question, the dilemma CCSP or CCAK, is simple: do you need technical or audit skills for cloud security?
The answer
In essence, the answer is simple:
if you need cloud audit skills, dive in to the Cloud Security Alliance (CSA) and ISACA Certificate CCAK.
if you want to have architect level technical cloud expertise and knowledge, choose CCSP
if you want cloud security knowledge, in basic or advanced hands-on, there are other choices to start with (more about it below)
So, if you ask the question “what is the right certification for you”, you immediately know that there is no right answer, but there are many options. Options for a multi level expertise roadmap in cloud security, based on your current skills and your future goals.
If you like a tough challenge: why not jump into the CCAK or CCSP, CCSP or CCAK, whatever, right away.
But if you would like to boost your chance of success… take a deep breath and better plan smartly.
And don’t start with CCSP/CCAK, but prepare your track towards CCSP/CCAK first.
First some background to plan your roadmap
Setting expectations
Just to set expectations, this article only focuses on the personal education and certification options, offered by (ISC)², ISACA and CSA. Including other education provider would lead us too far. There are way more other (cyber)security certifications available, but we focus on the cloud security track, which limits the options…
Feel free to comment with other options for cloud security training. I’ll update the article where relevant.
CSA CCSK
The Cloud Security Alliance launched the CCSK in 2011. And as they explained here, “the CCSK was quite literally the industry’s first examination of cloud security knowledge when it was released back in 2011. “
The CCSK is an easy entry, high level introduction to Cloud Security, and it doesn’t require you to have deep technical cloud security expertise.
But it still is a nice baseline for the cloud security essential knowledge.
You need at least five years of cumulative, paid work experience
CCSP is pretty much the same level of difficulty as CISSP, but has focus on cloud security.
The CCSP was launched in 2015, as a cooperation between (ISC)² and CSA. (see CSA press release here), a couple years after the CCSK launch in 2011. The CCSP is the bigger brother of the CCSK, more advanced, and as CSA rightfully mentions in there CCSK-CCSP comparison blog, the CCSP is on the level of CISSP with a major cloud flavor.
That’s where the dummy math description comes from…
CCAK (Certificate of Cloud Auditing Knowledge) is cohosted by ISACA and CSA. And then you immediately know the approach is different than the approach of (ISC)².
As ISACA mentions on their product page: “The Industry’s First Global Cloud Auditing Credential”.
CISSP
For completeness, I mentioned the CISSP ( Certified Information Systems Security Professional). I don’t think it needs a lot of explanation, it’s pretty much the reference standard for IT Systems security. (ISC)² references it as “The World’s Premier Cybersecurity Certification”.
It’s a pretty heavy exam, and it does require at least 5 years professional security experience. This is not an entry level exam.
Due to the experience requirements, CISSP might be a tough credential to start with, although you can pass the exam, and continue to build your experience to grab the CISSP title…
If you want the plan your credentials the smart way, or you’re fresh in cyber-, information or IT-security, you better start with SSCP.
You can buy a double-try access ticket for the CCSK online exam (60 questions, 90 minutes), so if you would fail the first attempt, study again and retry the exam.
Then plan your track: only technical (no interest for audit) or audit, or both
Only technical
If you focus on technical expertise in cloud security, CCSP is a reference standard (at least, on of them…) .
As mentioned: CCSP = CISSP + CCSK.
So the track is clear
After passing the CCSK exam,
Take the CISSP exam
then take the CCSP
This is the easier route if you already have 5yr+ experience. It’s not the cheapest route, as you pass the CISSP first, but it’s worth the effort. (you only need to pay 1 yearly fee at (ISC)², so after 1 certification, … no extra cost in yearly membership fee) For junior, less experienced, security engineers, start with SSCP before jumping into CISSP, and then CCSP.
Audit
When you target IT security audits, you need to take a different route depending your background. Having the CCSP/CISSP background is extremely useful to boost your career in audit.
But for the CCAK, the core audit baseline is CISA.
Keep in mind, similar to CISSP and CCSP, CISA has the same requirements regards professional experience, 5 years.
But if you’re a ISACA CISA, you can add CCSK to the track and land on the CCAK.
Both?
Then it’s obvious, first tech, then audit, meaning a smart combination of
CCSK
(SSCP > ) CISSP
CCSP
CISA (or alternative)
CCAK
Alternative routes
ISO27001 Implementer & Auditor
And alternative route to the auditing experience is ISO27001 auditing, but you’ll need some implementation experience before you can audit.
CISM
Within the ISACA portfolio, the CISM (Certified Information Security Manager), covers the same areas as most ISO27001 (lead) implementer courses.
Which can be helpful to ramp up for the CISA audit part, to gain some hands-on in IT & Infosec governance.
Visualizing your cloud security education roadmap
Lots of blah for a simple choice?
Allow me to visualize the options…
The difference between “certification” and “certificate”, does it really matter?
In it’s blog post (ISC)² tries to put CCSP above CCAK by saying “CCSP is a certification; CCAK is a certificate.”
And they continue “A certification recognizes a candidate’s knowledge, skills, and abilities, typically framed by a job role, while a certificate’s scope is narrower and only documents training course completion. A certification often requires continuing professional education (CPE) to stay in front of trends, while a certificate’s body of knowledge does not evolve over time or require CPE credits to maintain.“
And their explanation is at least flawed and cutting corners to benefit CCSP.
There are many explanations and interpretations of “certification”, depending the context. But in essence, “certification” is a process and a certificate is a document (the result).
When you certify for “CCSP” at (ISC)², you need to comply with the CCSP condition and then get a document, your CCSP certificate. Idem for CCAK, you need to comply with their conditions.
Both the certification process for CCSP as the process for the CCAK are used by other similar education providers.
Eg, PECB, ISACA, EC-COUNCIL, … and others require to pay a yearly fee, keep CPE/CPD (continous professional education or development). Some yearly fees are cheaper as others.
Like CSA, Microsoft and others ask for a 1 time exam fee, and then update the exam on longer term, not yearly, and do not require a yearly maintenance fee.
It’s a choice of the certificate owner, how the evaluation and exams are done.
Some of them comply to the ISO17024, and education standard. There are huge benefits to comply (like increased credibility, compatibility with other certifications, …). But it’s not mandatory.
(ISC)² uses an exam, with experience requirement and continuous education once you pass the exam, but you do not need to pass the exam again, unless it’s upgraded to a new build or major version.
But CSA does exactly the same, for example when CCSK was upgraded from v3 to v4, you needed to pass the exam again.
Not on a yearly basis, but the program is updated, the exam is updated… on a regular basis, without yearly fee.
It’s rather a (small) financial effort, not of significance for most companies paying the bill. (Although as an individual, the cost of certification can become a serious burden…)
And it’s certainly not relevant when choosing between CCSP and CCAK. CCAK is cheaper, as referenced in the (ISC)² comparison chart.
References
(ISC)²: CCSP Certification vs. CCAK Certificate: What Are the Distinctions?
I must admit, it’s a great opinion article to get a nice discussion going with companies. At least it helps to raise awareness of ransomware and ransom payments. But unfortunately the article is not a Greek ancient-wise talk [σοφςς].
But he’s right about the reprehensible statements made by some of the ransomware victims. It is outrageous that a company dares to claim that ‘only’ 300K has been paid.
(translated quote) “We understand that we are suffering reputation damage, but we can’t be blamed,” the company manager told reporters. That statement in the press will haunt him for a while.
And it’s not the first time we’ve witnessed such statements. For another company from the Westhoek (Western Belgian Region, near the coast) , it was “less than 1 million”…
It’s very meaningful, how little business leaders worry about ransomware or how careless they can be to protect their business.
And Brian puts forward a very nice theory how to stop ransomware, … in the ideal world.
But unfortunately, the article does not show in any way that the opinion-maker, in real life, has ever been on the side of a defenseless victim who is completely under the control of some remote criminal.
Because the choice to (NOT) pay a ransom is only available if you have a well-functioning and thoroughly tested backup and restore system.
At that moment, when it happens, all preventive measures have clearly failed already. Way too late to have regrets…
Prevention only works BEFORE the criminal strikes. Or when he has left again, to avoid repetition.
People do not choose to pay ransomware. It’s the last resort.
They just have no choice. All other means are already exhausted or unavailable.
You don’t pay a ransom if your backup/restore system works properly.
Without a guaranteed recovery function, mathematics is very simple
If you
DO NOT pay = 100% GUARANTEE that you LOSE your DATA and you’re almost certain that your company will also be dead very quickly, or at least suffer long-term or irreparable damage.
PAY = there is SOME chance that you may see (something) of your data again. That’s always better than the previous option, no matter what it costs.
The third option in between is that the cost of the ransom is lower than the real cost of restoring your data. If you run into a cheap criminal, you can only try to talk him out of it and limit the damage. Pure math.
What if…?
It’s very easy to imagine: if a good-looking homejacker just rings the doorbell at your home. And your dearest opens the heavily armed front door.
A few seconds later, the robber asks you to clear your bank account completely with a gun to your dearest one’s head.
Are you going to pay or not?!
Do you have a choice?!
Replacing your dearest… is not an option, I would think.
With ransomware, the situation is exactly the same.
Well, Brian Schippers apparently doesn’t think so.
In his article Mr. Schippers is very convinced that you should certainly not pay a ransom. But the article does not offer any concrete, useful solution or practical suggestion as alternative.
He talks about a “security solution”… and reading between the lines you easily know where it should come from.
But there is no mention of decent and continuous training of people, thorough awareness training and thorough backup/restore or even better offline backup, even in the current age of cloud.
Because with “wise” software alone, it won’t work.
Even with the best technical security you have, people remain the weak point.
And the stronger the security, the more crime will target people directly.
And people make mistakes. People make software. Each software contains errors.
And mistakes will always be exploited.
And you only need just one employee who is fooled by a cleverly designed, but infected mail or a noble unknown on the phone.
It happens in no time, there are more than enough statistics in practice.
Because the hack or phishing is so well designed these days, that even cyber professionals can’t easily detect fake mails.
“The budget should not be a problem.”
Yes, yes, of course it shouldn’t, Brian! Nice slogan.
NOT.
Because the practice proves something completely different:
cyber protection < a very small percent of the IT budget < a small percent of the company budget.
Well, now what?!
It would be quite different if business leaders and managers were personally held liable for a pertinent lack of “state-of-the-art” (i.e. up-to-date) security that aligns both people, processes and technology very well.
Only THAT would solve the whole ransomware problem, very quickly. Deprive the criminal from his leverage.
Don’t look too far. Just look at how the insurance companies are doing in real life.
See how they implement car, fire, liability or other insurance. If it is shown that you are negligent, knowingly refuse to implement sufficient security … then the insurance will not pay or will claim back the refund.
Easy and simple, isn’t it?
Not so in cyber insurance, that’s the wild west. For a couple a thousand Euros in insurance, you get a bag of money of a couple millions to pay the criminal.
You bet on hackers to give up.
And if you bet hackers will give up soon, start by giving a “tournée générale” (buying a beer to everyone).
Because cybercrime and ransomware is big business. They make a lot of money with crime, so they won’t give up. Not now, not ever.
[BTW, it’s not because known ransomware groups suddenly disappear that they’re gone too. We don’t know the facts about that yet…]
But criminals don’t respect any law or rule. And they certainly don’t have ethical principles. It’s just a business that makes a lot of money.
So they are always have a head start and they are very motivated. And they will twist your arm even harder… or worse.
Finally
We must keep repeating that state-of-the-art security is all about security solutions at different layers and levels, which look beyond technology.
When you keep claiming you should not pay for ransomware, you’re running after the facts. In practice, it doesn’t solve anything… People in distress and panic will ignore law and ethical guidelines.
Also in physical life, many authorities officially declare that they do not give in to ransom demands. Is paying a ransom prohibited by law? But in many cases, money is paid clandestinely. Reality check.
So?
Make sure that the liability for implementing poor security measures hurts the right person, in the right place. Not the employees, but their boss.
And consequently:
So make sure that cybersecurity is sponsored at the top management level.
Toegegeven, het is een geweldig opinie-artikel om een lekkere discussie met bedrijven op gang te trekken. Het helpt tenminste om de bewustwording van ransomware en losgeld aan te wakkeren. Maar het artikel is jammer genoeg geen Griekse oude-wijzen praat [σοφός].
En hij heeft wel gelijk over de laakbare uitlatingen van sommige slachtoffers. Het is schandalig dat een bedrijf durft beweren dat er ‘maar’ 300K betaald is.
Herinnert U het nog: “We begrijpen dat we imagoschade lijden, maar ons valt niks te verwijten.”, zei de bedrijfsverantwoordelijke in de pers. Die uitspraak in de pers zal ‘m nog wel een tijdje achtervolgen.
En het is niet de eerste keer dat we dergelijke uitspraken mogen noteren. Voor een ander bedrijf uit de Westhoek, was het “minder dan 1 miljoen”…
Het zegt heel veel, hoe weinig zorgen bedrijfsleiders zich maken over ransomware of hoe nonchalant ze kunnen zijn om hun bedrijf te beschermen.
En Brian heeft een heel leuke theorie om ransomware te stoppen in de ideale wereld.
Maar de tekst toont jammer genoeg op geen enkele manier dat de opiniemaker ooit met praktijkkennis aan de zijde heeft gestaan van ‘n weerloos slachtoffer dat volledig onder controle is van een of andere crimineel op afstand.
Want de keuze om losgeld (NIET) te betalen, heb je ENKEL EN ALLEEN als je een goedwerkend en grondig getest backup en restore systeem hebt.
Op zo’n moment hebben alle preventieve maatregelen duidelijk al gefaald. Dus dat zijn vijgen na Pasen.
Preventie werkt alleen VOOR de crimineel toeslaat. Of als ie weer vertrokken is, om herhaling te voorkomen.
Mensen kiezen niet om ransomware te betalen. Het is het laatste redmiddel.
Ze kunnen gewoon niet anders. Alle andere middelen zijn dan al uitgeput.
Je betaalt geen losgeld als je backup/restore systeem goed werkt.
Zonder gegarandeerde herstelfunctie is de wiskunde heel simpel
NIET betalen = 100% GARANTIE dat je je DATA KWIJT bent en zo goed als zeker dat je bedrijf ook heel snel kapot is, toch tenminste langdurige of onherstelbare schade lijdt.
BETALEN = enige kans dat je mogelijk nog (iets) van je data terug ziet. Da’s altijd beter dan vorige optie, wat het ook kost.
De derde optie hiertussen is dat de kost van het losgeld lager is als de reële kost om je data terug te zetten. Als je een goedkope crimineel tegenkomt, kan je maar proberen om ‘m om te praten en de schade te beperken. Pure wiskunde.
Wat als…?
Het is héél gemakkelijk voor te stellen: als een goedogende homejacker gewoon aanbelt bij je thuis. En je allerliefste doet de zwaar bewapende voordeur open.
Een paar seconden later vraagt de overvaller jou om je rekening volledig leeg te maken met een pistool tegen het hoofd van je allerliefste.
Ga je betalen of niet?!
Heb je keuze dan?!
Jouw allerliefste vervangen… is geen optie, zou ik denken.
Met ransomware is de situatie net hetzelfde.
Nou, Brian Schippers vindt dus blijkbaar van niet.
Mr. Schippers roept in z’n opinie artikel hoog van de toren dat je zeker geen losgeld mag betalen. Maar enige concrete, bruikbare oplossing of praktische suggestie biedt het artikel anders niet echt.
Hij spreekt volop over “security oplossing”…het schemert anders wel duidelijk door waar die vandaan moet komen.
Maar er wordt echter geen woord gerept over goede en continue opleiding van mensen, doorgedreven awareness training en doorgedreven backup/restore of beter nog offline backup, zelfs in het huidige cloudtijdperk.
Want met “wijze” software alleen, zal het niet lukken.
Zelfs met de beste technische beveiliging die je hebt, mensen blijven het zwakke punt.
En hoe sterker de beveiliging, hoe meer de criminaliteit zich op de persoon zelf richt.
En mensen maken fouten. Mensen maken software. Elke software bevat fouten.
En er zullen altijd fouten uitgebuit worden.
En je moet maar 1 medewerker hebben die om de tuin geleid wordt door een slim ontworpen, maar besmette mail of een nobele onbekende aan de telefoon.
Het is zo gebeurd, meer als genoeg cijfers in de praktijk.
Want de hack of phishing is tegenwoordig zo goed ontworpen dat zelfs cyberprofessionals vals en echt moeilijk kunnen uit elkaar houden.
“Het budget mag daarbij geen probleem zijn.”
Ja ja, tuurlijk mag dat niet, Brian! Mooie slogan.
NOT.
Want de praktijk zegt helemaal iets anders: cyberbescherming < een heel klein percent van ‘t IT budget < een klein percent van het bedrijfsbudget.
Nou, wat dan wel?
Het zou helemaal wat anders zijn als bedrijfsleiders en managers persoonlijk aansprakelijk zouden zijn voor een pertinent gebrek aan “state-of-the-art” (dus up-to-date) beveiliging die zowel personen, processen als technologie goed op mekaar afstemt.
DAT zou pas het hele ransomware probleem oplossen, heel snel.
Heel ver moet je niet kijken. Kijk maar hoe de verzekeringen het aanpakken in het fysieke leven.
Kijk wat toegepast wordt in auto-, brand-, aansprakelijkheids- of andere verzekering. Als aangetoond wordt dat je nalatig bent, willens en wetens weigert om voldoende beveiliging te spenderen … dan vordert de verzekering het terug.
Simpel toch?
Niet in cyberverzekering, dat is het wilde westen. Voor een koppel duizend Euro aan verzekering, zit je op een zak geld van een koppel miljoen Euro.
Wedden dat hackers het opgeven?
En als je erop wedt dat hackers het snel zullen opgeven, begin dan alvast maar met een tournée générale te geven.
Want cybercriminaliteit en ransomware is big business. Ze kunnen met misdaad veel geld verdienen, dus die geven niet op. Nu niet, nooit niet.
[BTW, het is niet omdat gekende ransomware groepen plots van de aardbol verdwijnen dat ze ook weg zijn. Daar weten we het fijne nog niet van…]
Maar criminelen houden zich aan geen enkele wet of regel. En ethische principes hebben ze al helemaal niet. Het is gewoon een business, die veel opbrengt.
Dus ze zijn altijd in het voordeel en erg gemotiveerd. En ze zullen je arm nog harder omwringen… of erger.
Tot slot
We moeten blijven herhalen dat goede beveiliging draait om beveilingsoplossingen op verschillende lagen en niveaus, die verder kijken als alleen maar technologie.
Je kan nog lang roeptoeteren dat je geen ransomware mag betalen. Dan loop je achter de feiten aan. Dat lost niets op in praktijk.
Ook in het fysieke leven, roepen heel wat staten officieel dat ze niet toegeven aan losgeldeisen. Is daar losgeld betalen bij wet verboden? Maar er wordt op veel plaatsen clandestien toch geld over tafel geschoven. Realiteit.
Dus?
Zorg dat de aansprakelijkheid voor gebrekkige veiligheid pijn doet, bij de juiste persoon, op de juiste plaats. Niet bij de werknemers, maar bij hun baas.
En bijgevolg,
Zorg dus dat cybersecurity gesponsord wordt op topmanagement niveau.
End 2020 IDG published a study on Security priorities, and it provides important guidelines to the priorities of securing yourself and your company
Protection of confidential and sensitive data
End-user awareness
Corporate resilience
Enhance access control
Understand external threats
Application security
Plan for unexpected risks
This pretty much confirms that your customers, stakeholder’s and staff interest in protecting personal data is driving security from business perspective.
If you see the increase of cyberattacks and ransomware hitting the business, it’s pretty obvious that Business Continuity Management and Disaster recovery must be on top of your priority list. You need to have a tested plan against successful cyberattacks and ransomware, to avoid extended business damage and massive (ransom) costs … afterwards.
To put a plan together, you need to understand who is your adversary and what the current state of cybersecurity is. And this study is a simple but smart guide to define your priorities.
The better you prepare, the less it will cost. But you’ll only be able to tell when it goes wrong.
You must be logged in to post a comment.