I Passed! I just passed the ISSAP® (Information Systems Security Architecture Professional) exam from (ISC)2®. It was one of the most challenging exams I have taken in my life. All the answers to the multiple-choice questions are correct, but in most cases you are required to choose the best answer. I checked the member count on the official website: there are 25 active holders in Hong Kong and 2061 worldwide.

The caption of the notification email | Copyright by the author

However, it was worth it in many ways. Not only is the technical knowledge of this exam useful, it also tells me how to become a successful security professional: it is the mindset. Being a great security professional is not just about how excellent your technical skills are. You have to be particular about the choices or suggestions you make, based on the different contextual information you have.

Significant in Cybersecurity = Nothing Happens.

Let's talk about what it is like to become a security professional. Ten years ago, when I was studying for my Master of Computer Forensics, the professor once said, "The best security happened when nothing happened." It was only a funny sentence at that moment, but it is wisdom when I look back now.

Photo by Adolfo Félix on Unsplash

If everything is working according to plan, there would be no security outbreak. Ideally, security professionals should not be handling security incidents all day. What is more important should be security planning and design. That is the process of allocating resources such as time and people to maximize visibility.

What is different between IT and Cybersecurity

The key is not the technical know-how or the certifications. The key is that the problem we are trying to solve is different.

What is the most frightening thing about a human being? You can try to answer it by thinking about scary movies. The one thing they have in common is the unexpected or unknown ghost or monster, or the sudden death of a character. As humans, we do not know; the unknown is what we are truly afraid of.

In a security professional's daily life, our primary goal is not to make sure everything is running as expected but to make sure the unexpected or unknown are minimized or mitigated. When everything is considered and handled, IT should be happy and business as usual: nothing happens.

The Basic Concepts — Pillars

Security is more of a concept than technical knowledge, as I always tell my colleagues. Nothing is more important than thinking with a security mindset. My sole purpose of training in every webinar or event is to promote these concepts down to different users, not just technical people.

Interestingly, all of these concepts are combined from three elements. Each of them contains three pillars considering the same subject. In this article, I would like to walk through the core of the core from a Cybersecurity perspective.

1# CIA — Confidentiality, Integrity, Availability

The CIA triad is what we call the "Chapter One" of Information Security. According to NIST Special Publication 800-12, information security was defined as protecting information and systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide Confidentiality, Integrity, and Availability. The careful implementation of information security controls is vital to protecting an organization's information assets and its reputation, legal position, personnel, and other tangible or intangible assets.

Protecting the organization's assets, tangible and intangible, is the ultimate goal of information security.

The CIA triad | Copyright by the author

The CIA triad is further defined as:

Confidentiality — data, objects, and resources are protected from unauthorized viewing and other access.
Integrity — data is protected from unauthorized changes to ensure that it is reliable and correct.
Availability — authorized users have access to the systems and the resources they need.

Confidentiality often conflicts with Integrity and Availability, and the same holds for the other two. For example, data availability is decreased when data encryption is in place, but confidentiality and integrity are enhanced. It is always vital for a security professional to balance all three aspects of any information system design.

2# DiD — Defense in Depth (Layered Approach)

Photo by Ronni Kurtz on Unsplash

Defense in Depth is the idea of having multiple security measures implemented in layers to protect assets and information. If one measure fails, the next one is in place to counter the attack. This multi-layered method, with intentional redundancies, strengthens the security of a design as a whole and addresses diverse attack vectors.

The goal of a DiD design is to delay the attack as long as possible. If the attack takes too long, the enemy would change the target or eventually give up.

Example of Defense-in-Depth Security Model | Copyright by the author

We usually use Castle Defense as an analogy for this concept. Soldiers are deployed in different teams, with physical defense systems like towers, bridges, and walls built in order. Enemies are required to defeat all the defenses to gain access to the palace.

3# PPT — People, Process, Technology

PPT is a framework, not only for security but for modernized business processes. The PPT framework has been around since the early 1960s. Business management expert Harold Leavitt developed his model for creating change in an organization in a paper titled "Applied Organization Change in Industry."

Photo by Yohan Cho on Unsplash

People — (The Blacksmith)
People can develop skills. Some people have already obtained their skills. Security professionals with technical expertise can think through the risks impacting the systems. People without skills can also be trained or learn if required.

Process — (The making of the heating meal and forging)
The defined, repeatable, and improvable steps you document and train on to perform a function. Processes can drive the effectiveness and success of the security program. They are often one of the critical assets we review when implementing an information security program.

Technology — (The hammer)
Tools used to achieve, speed up, or develop the impact of the security goals. The investment in tools allows greater speed, profit, efficiency, and use of resources. Companies focus heavily on technical means, as the specification of tools is easy for management to measure and understand. The effectiveness of security tools, however, can seldom be measured by their return on investment (ROI).

PPT are three separate areas of resources. Each of them should be considered when developing a security program. As one of the least considered or invested pillars, people would be the weakest link.

4# PDC — Preventive, Detective, and Corrective Methodology

Photo by Markus Spiske on Unsplash

Internal controls are separated into three kinds: detective, corrective, or preventive controls. From a security perspective, they can be explained by when the control takes place relative to an attack. Controls may be automated, manual, or hybrid.

BEFORE — Preventive controls are designed to keep attacks from occurring in the first place.
DURING — Detective controls are designed to detect attacks that may have occurred.
AFTER — Corrective controls, on the other hand, are designed to correct attacks that have been detected.

PDC concepts are not just used in security but also widely in audit and risk assessment. The PDC framework is often used in conjunction with the DiD methodology and forms a Matrix of Controls that maps the control types onto the different layers.

Photo by Jason Strull on Unsplash

Final Words

An excellent security professional should consider the costs and benefits by using these pillars to weigh all the factors and prioritize the options with valid reasons, under very stressful conditions and in limited time. Without this mindset, it is impossible to provide valuable advice or actions regarding security postures.

I think that is all for now, as I have already introduced the essential concepts in Cybersecurity, and those are:

1# CIA triad — Confidentiality, Integrity, and Availability
2# DiD Approach — Defense-in-Depth
3# PPT framework — People, Process, Technology
4# PDC Methodology — Prevent, Detect, Correct

With all four of them in mind when considering security, it would be a great way to learn and understand any prospect's challenges and limitations, now and in the future.

Happy reading and learning Cybersecurity.

Also published at https://medium.com/technology-hits/the-one-thing-that-makes-a-great-cybersecurity-professional-6f5d696749a7
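A closing worked example, added here and not part of the original post: it builds the Matrix of Controls that the PDC section describes, with the Defense-in-Depth layers as rows and the Preventive/Detective/Corrective timings as columns, then asks the questions a designer balancing the CIA triad would ask of it: which cells are empty (a single failure with nothing behind it), how many layers an attacker has to get through for each control type, what is still standing once the outer layers fall, and which side of the triad the control set favours. The layer names, the control inventory, their CIA tags and the "outer layers defeated" scenario are constructed for illustration and do not describe any real system.

```python
"""Matrix of Controls: Defense-in-Depth layers x Preventive/Detective/Corrective.

Added example, not code from the original post. Layer names, control names,
their CIA tags and the scenario below are constructed for illustration.
"""
from dataclasses import dataclass, field
from enum import Enum


class Timing(Enum):
    """PDC: when a control acts relative to an attack."""
    PREVENTIVE = "before"
    DETECTIVE = "during"
    CORRECTIVE = "after"


# DiD layers, outermost first (walls and towers before the palace).
LAYERS = ["perimeter", "network", "host", "application", "data"]


@dataclass(frozen=True)
class Control:
    name: str
    layer: str
    timing: Timing
    supports: frozenset = frozenset()   # CIA properties the control strengthens
    costs: frozenset = frozenset()      # CIA properties it weakens (the trade-off)


@dataclass
class ControlMatrix:
    controls: list = field(default_factory=list)

    def add(self, name, layer, timing, supports="", costs=""):
        if layer not in LAYERS:
            raise ValueError(f"unknown layer: {layer!r}")
        self.controls.append(Control(name, layer, timing,
                                     frozenset(supports), frozenset(costs)))

    def cell(self, layer, timing):
        """Names of the controls in one cell (one layer, one timing)."""
        return [c.name for c in self.controls
                if c.layer == layer and c.timing == timing]

    def gaps(self):
        """Empty cells, outermost layer first: a single failure there has
        nothing behind it for that control type."""
        return [(layer, t.name) for layer in LAYERS for t in Timing
                if not self.cell(layer, t)]

    def depth(self, timing):
        """Number of layers carrying at least one control of this timing:
        how many independent measures an attacker must get past."""
        return sum(1 for layer in LAYERS if self.cell(layer, timing))

    def remaining(self, defeated):
        """Controls still standing once the given layers are defeated:
        'if one measure fails, the next one is in place'."""
        return [c.name for c in self.controls if c.layer not in defeated]

    def cia_balance(self):
        """Net support per CIA property (supports minus costs), to see which
        side of the triad the control set favours."""
        score = {"C": 0, "I": 0, "A": 0}
        for c in self.controls:
            for p in c.supports:
                score[p] += 1
            for p in c.costs:
                score[p] -= 1
        return score

    def render(self):
        """Plain-text matrix, layers as rows and timings as columns."""
        width = max(len(layer) for layer in LAYERS)
        lines = [" " * width + " | " + " | ".join(t.name.title() for t in Timing)]
        for layer in LAYERS:
            cells = [", ".join(self.cell(layer, t)) or "-" for t in Timing]
            lines.append(f"{layer:<{width}} | " + " | ".join(cells))
        return "\n".join(lines)


def sample_matrix():
    """Constructed inventory for a small web service (hypothetical).
    CIA tags follow the post: encryption at rest strengthens C and I but
    costs A; isolating a host is corrective but takes that host offline."""
    m = ControlMatrix()
    m.add("edge firewall allowlist", "perimeter", Timing.PREVENTIVE, "CIA")
    m.add("IDS alert on port scan", "perimeter", Timing.DETECTIVE)
    m.add("network segmentation", "network", Timing.PREVENTIVE, "C")
    m.add("NetFlow anomaly alert", "network", Timing.DETECTIVE)
    m.add("host hardening baseline", "host", Timing.PREVENTIVE, "CI")
    m.add("EDR alert", "host", Timing.DETECTIVE)
    m.add("isolate host via EDR", "host", Timing.CORRECTIVE, "C", "A")
    m.add("input validation", "application", Timing.PREVENTIVE, "I")
    m.add("encryption at rest", "data", Timing.PREVENTIVE, "CI", "A")
    m.add("restore from offline backup", "data", Timing.CORRECTIVE, "A")
    return m


if __name__ == "__main__":
    matrix = sample_matrix()
    print(matrix.render())
    print("gaps:", matrix.gaps())
    print("depth:", {t.name: matrix.depth(t) for t in Timing})
    print("after perimeter and network fall:",
          matrix.remaining({"perimeter", "network"}))
    print("CIA balance:", matrix.cia_balance())
```

On the constructed inventory the matrix has five empty cells (no corrective control at the perimeter or network layers, nothing detective or corrective at the application layer, nothing detective at the data layer), preventive depth of five layers against only three detective and two corrective, and a CIA balance that favours confidentiality over availability. That is exactly the kind of output the review step of a DiD design should produce: the gaps name where a single failed measure has no next measure behind it, and the depth per timing shows whether the "delay the attacker" goal is carried by prevention alone.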