Rosalyn Page
Contributing writer

Security associations CISOs should know about

Feature
06 Nov 2024, 9 mins

Cybersecurity associations support CISOs with everything from courses to networking opportunities. Here are a few that can help CISOs stay ahead of emerging threats.

Security organizations help CISOs gain valuable industry certifications, tap into peer insights, and stay in touch with changing technology, and they offer networking opportunities. Here are some CISOs can join or follow to stay in the know.

ISC2

International Information System Security Certification Consortium (ISC2) focuses on cybersecurity and information security, with around 664,000 members globally. Its certifications are recognized by many organizations, government agencies, academic institutions and industry bodies. There are local chapters, regional events, and professional development opportunities, and its membership has tripled in size in the past four years.

As the size of the workforce gap increases, with a deficit of 4.8 million globally, according to ISC2’s just-released Workforce Study, the organization is highlighting the importance of educating and encouraging people into the profession. “No matter where they are in their professional journey, membership opens opportunities for career advancement, lifelong learning, advocacy, networking and thought leadership in cybersecurity,” says Casey Marks, chief qualifications officer at ISC2.

Marks says that CISSP is the No. 1 security credential required by employers on LinkedIn and has been named a “gold standard” in cybersecurity.

ISACA

Information Systems Audit and Control Association (ISACA) focuses on IT governance, audit, risk management, and cybersecurity, with around 180,000 members.

ISACA has local chapter events, global conferences and the ISACA Engage platform offering mentorship, volunteering, and professional development, as well as initiatives such as SheLeadsTech, which supports women in information security and IT professions.

According to ISACA’s 2024 State of Cybersecurity survey, two-thirds of respondents report difficulties retaining qualified cyber professionals. ISACA says it offers a clear pathway for security professionals at every level, including 70+ free CPE credits per year, discounted exam registrations, and the Cybersecurity Fundamentals Certificate as an entry point.

Certifications also include the Certified Information Security Manager (CISM), and the upcoming Certified Cybersecurity Operations Analyst (CCOA) certification that validates the ability to analyze and respond to threats in real-world situations.

ISSA

Information Systems Security Association (ISSA) is open to international cybersecurity professionals and has more than 7,500 members across more than 150 chapters around the world.

ISSA focuses on helping members in their careers, managing technology risk and protecting critical information and infrastructure. The organization offers mentorship and networking opportunities, helps members stay up to date with information security, risk, and privacy, and provides opportunities to earn CPE/CPU credits. “The primary aim of ISSA and its local chapters is to foster success for current, future, and past security professionals, and local chapters offer a welcoming environment where industry peers can network, mentor, lead, and stay informed about the latest security industry trends,” says Jimmy Sanders, president of ISSA International.

In addition to local chapter events, there are annual conferences, educational resources and other opportunities for knowledge sharing. It doesn’t offer certifications but supports a wide range of security-related ones by partnering with organizations to provide training and professional development.

CSA

Cloud Security Alliance focuses on education, professional development, and certification for cloud and cybersecurity professionals. Security professionals can join a local chapter as volunteers that work to solve cloud vulnerabilities and challenges. Chapters provide access to resources, working groups, research opportunities, and networking events focused on cloud security best practices, and there are more than 100 chapters across 50 countries with more than 126,000 volunteers.

CSA also offers a range of certifications including Certificate of Cloud Security Knowledge (CCSK), Certificate of Competence in Zero Trust (CCZT), and Certificate of Cloud Auditing Knowledge (CCAK) that are recognized credentials.

Organizations can join the CSA for access to resources, insights, and to be part of a global cloud community.

CISO community organizations

There are a number of other organizations intended to foster a CISO community. For Jill Knesek, BlackLine CISO, professional organizations are useful if they enable CISOs to share real-world experiences and insights on security threats and solutions that help strengthen security across the board.

Knesek highlights the importance of conferences, leveraging networks, and using industry reports to stay informed about trends and best practices that feed into risk assessment and the overall security posture of the organization. “We have our own personal experiences, but the most important thing is to know what other CISOs are seeing and understand what they’re doing to combat these risks,” she says.

SANS CISO Network is a member-focused networking group based around an online platform with expert content, reports, and presentations as well as events and in-person networking sessions.

CISO Society is a private community offering presentations and workshops, reports, frameworks and other resources, and virtual and in-person events.

CISO ExecNet is a peer-to-peer networking organization for senior infosec professionals with roundtables, a national symposium and other networking events as well as newsletters and other resources.

CyberRisk Collaborative (CRC) is open to CISOs, senior security executives and those who report to CISOs and offers a range of reports, tools and resources as well as regional events for networking and knowledge sharing.

Organizations that support diversity in cybersecurity

McKinsey and Gartner research consistently shows that diverse teams have better outcomes, and industry research from ISC2 found diversity in security teams contributed to their success. While progress is being made and the cybersecurity workforce is becoming more diverse, it’s not uniform across gender and ethnicity, according to 2023 ISC2 workforce research.

Knesek would like to see more encouragement for young people to consider cybersecurity as a career path, getting in early at high school before they’ve settled on which university path to take. The message needs to be that there are roles that suit all types, from highly technical roles to others with a focus on GRC and the compliance and risk side of things. “And there’s a growing demand for soft skills such as communications, so the profession can accommodate all sorts,” she says.

With so many different directions on offer, Knesek would like to see more encouragement for everyone to consider cybersecurity as a career path, “and especially women being encouraged to take that path,” she says.

However, women are still a minority and to help support their involvement in the profession, there are several organizations with a mission to attract, retain and advance women in the cybersecurity field.

They include Women in Cybersecurity (WiCyS), BlackGirlsHack, WOMCY Latam Women in Cybersecurity, and Breaking Barriers Women in Cybersecurity. A few others include InfoSec Girls, She CISO Exec, and Women Cybersecurity Society. In addition, Cyversity has a mission to support women, underrepresented communities and veterans in the industry.

There are also organizations, such as Genius Armoury, working to support neurodiversity in cybersecurity to help the profession become more inclusive and support neurodiverse cybersecurity professionals.

Organizations for CISOs working toward a board appointment

Cybersecurity professionals with an eye on the board might want to familiarize themselves with organizations that will help them better understand technology leadership in the boardroom. “These organizations can help CISOs to work better with their board of directors and also to develop professionally to eventually serve on boards,” says Paul Connelly, technical advisor to several boards and former CISO.

Connelly suggests some that may be beneficial for CISOs looking for a future board appointment.

The National Association of Corporate Directors (NACD) is a peer-to-peer network with more than 24,000 individuals, 1,750 boards, and 20 chapters across 35 locations. It also offers directorship and cybersecurity certifications.

Digital Directors Network (DDN) is a network focused on digital, cybersecurity, and systemic risk governance open to directors, C-suite executives, and tech executives to help prepare boardrooms to manage security and risk across digital systems.

Private Directors Association (PDA) is an association for private company directors that promotes qualified and diverse members and champions board excellence. With 20 chapters across the US, it has more than 3,400 members that include directors, executives, and private company owners. PDA also offers a range of courses in board governance including the Certificate in Private Company Governance.

Industry-aligned associations

Information Sharing and Analysis Centers (ISACs) share cybersecurity threat intelligence and best practices among member organizations with an industry-specific focus such as finance, energy or healthcare, and each one tailors its insights to that sector’s security requirements.

Financial Services ISAC (FS-ISAC) has a focus on the financial sector, while Research Education Networking ISAC (REN-ISAC) has a focus on higher education and the research community, and the Critical Infrastructure ISAC (CI-ISAC) is based in Australia.

No organization, regardless of its resources, can tackle these challenges alone, and collaboration is essential to develop a comprehensive understanding of the threats, notes Chirag Joshi, founder of cybersecurity consultancy 7 Rules Cyber. This is where cross-sector ISACs, like the CI-ISAC, and industry-specific ISACs, such as FS-ISAC, help by providing structured platforms for cooperation, enabling organizations to share critical and relevant threat intelligence, he says.

Membership differs between ISACs but typically requires an organization with a CISO, CIO or equivalent IT security executive. They offer regional and global summits, monthly meetings, intelligence feeds, webinars and member groups geared around functional interests or sub-sectors.

“They bolster capacity to respond swiftly and effectively to incidents, fostering a unified defense across industries and sectors against the increasingly complex landscape of cyber threats,” says Joshi.

Rosalyn Page has been writing about technology long enough to remember when the only thing to worry about was Y2K. Since then, the dot-com boom became the dot-com bubble, technology fundamentally altered our lives, and everything has become about security. With a particular interest in privacy, data, and security, Rosalyn has covered social media, AI, IoT, deepfakes, marketing tech, the cloud, enterprise tech, consumer tech, and digital transformation. Her side gig is an arts and culture blog, ‘Some Notes from a Broad’. And when not wrangling bits and bytes into words, Rosalyn enjoys low-fi hobbies like reading books, walking her Whippet Sketch, and having one too many coffees at her favourite café.