The Certified Information Systems Security Professional (CISSP) is a certification offered by the International Information System Security Certification Consortium (ISC). The CISSP certification is recognized worldwide and is often a requirement for many cybersecurity positions. To obtain your CISSP certification, you must qualify as an expert in your field, have demonstrated experience, and pass a rigorous examination proving your capabilities. Once you qualify, you are entitled to the benefits that the certification brings.

For a high-earning Cybersecurity Director, CISO, or Enterprise Architect, the CISSP certification is an “insurance policy” for your professional reputation. Losing a CISSP certification often triggers a review by your employer. Because the CISSP is a baseline requirement for certain compliance and most high-level federal contracting roles, its revocation can result in an immediate loss of security clearance eligibility and “for cause” termination.

If you have been accused of misconduct and are at risk of losing your CISSP certification, the LLF National Law Firm’s Professional License Defense Team can help you. Our team has experience nationwide in defending cybersecurity professionals and professionals in other industries. To find out how the LLF National Law Firm can help you, call 888-535-3686 or fill out our confidential, online contact form today.

The Global Standard Under Fire

In both the United States and worldwide, it is estimated that approximately 70% of senior security roles require an active CISSP certification. Loss of the credential is often viewed by senior management of most reputable companies as a total failure of professional integrity.

For federal governmental contractors and federal employees, a CISSP certification revocation may result in a “fail” for IAT/IAM Level III requirements, leading to an immediate career blackout. It may be impossible to obtain employment with any company with governmental contracts or any large corporation.

In addition, the loss of a CISSP certification can have other unexpected consequences for your career and potentially for the company you work for. In certain circumstances, plaintiff attorneys have begun to cite the CISSP Code of Ethics in civil litigation following major data breaches. Accordingly, companies will be pressured to terminate the employment of professionals who have lost their certification, as it may reflect poorly on them during litigation.

The “Ethical Canons” Trap: The Four Pillars of Revocation

Unlike with many other professional certifications, a failure to maintain ethical standards is the most common reason for permanent revocation of a CISSP certification. Violating the CISSP Code of Ethics will likely lead to sanctions by the ISC, including suspension or revocation of the CISSP certification. The four most common reasons for sanctions are (in order of priority):

  • Protect Society & Infrastructure: Failing to report a critical vulnerability that endangers public safety.
  • Act Honorably and Legally: Personal conduct, including criminal charges or “dishonesty” in non-work settings.
  • Provide Diligent Service to Principals: “Moonlighting” conflicts or failing to disclose a personal stake in a vendor recommendation.
  • Advance the Profession: This is the “whistleblower” canon—failing to report another member’s violation can lead to your own revocation.

Common Triggers for an ISC Investigation

There are myriad reasons the ISC will begin an investigation or disciplinary proceeding regarding a cybersecurity professional’s CISSP certification. However, the most common triggers for an investigation include:

  • After a major hack, companies often look for a “fall guy.” If you are accused of negligence in your security architecture, a formal complaint to the ISC may be forthcoming, as companies will try to shift the blame to you.
  • ISC is increasingly auditing the requirement that a professional have five years of experience, long after the certification has been issued. If they find a discrepancy in your initial application, they can void the certification entirely.
  • High earners often impermissibly delegate their 120-hour triennial CPE logging. If an audit finds falsified attendance records, the revocation is usually summary and permanent.

The Disciplinary Lifecycle: The Peer Review Panel

The disciplinary process with respect to a CISSP certification is unique among professional organizations.

The first step is the filing of an affidavit of complaint. Essentially, an affidavit can be filed by anyone with personal knowledge of the facts giving rise to the complaint. Unlike other professional organizations, the ISC does not act as an investigator; it acts as a judge based on the evidence provided.

If the ISC decides to proceed, a notice of complaint is sent, and the burden of proof effectively shifts to the professional. This is potentially a very serious development, and the notice will contain the allegations against you. This notice should not be taken lightly. Even if you think a notice is frivolous, it is vitally important to consult with the LLF National Law Firm immediately after receiving it so that a response can be drafted with professional help.

The next step is the peer review hearing. This is a “quasi-judicial” process. Unlike criminal matters, you are not innocent until proven guilty under the disciplinary process. You will appear before a panel of peers that balances technical jargon with legal standards. Engaging the LLF National Law Firm to stand by your side will enhance your chances of avoiding discipline.

Professional Defense Strategies (Our Solution)

Although you have the right to defend yourself in any proceeding before the ISC, you do so at your own risk. Due to the stakes involved, including loss of a high-paying job, every complaint should be taken seriously.

The LLF National Law Firm Professional License Defense Team generally utilizes the following strategy for dealing with a complaint:

  • Putting forth a “good faith” defense proving that security decisions were made based on the best available data at the time, even if a breach later occurred.
  • Mitigating management pressure. We will document cases where you recommended a fix but were overruled by budget or leadership – protecting your personal diligence responsibilities.
  • Administrative correction. We will handle CPE audits by reconstructing legitimate learning logs (webinars, white papers, conferences) to replace flagged entries.
  • Consent agreement negotiation. Seeking a private admonishment or additional ethics training in lieu of a public, searchable revocation.

How We Can Help

The Professional License Defense Team at the LLF National Law Firm has experience in dealing with professional misconduct allegations. We have worked with cybersecurity professionals nationwide to assist them against even the most serious charges. We understand the devastating professional and reputational consequences that can result from a proceeding being brought against you.

Your certification is too valuable to take any complaint against you lightly. You need a strong team on your side to defend you and help you maintain your certification and mitigate any penalties. Our Professional License Defense Team has the experience you need. Call the LLF National Law Firm today at 888-535-3686 or fill out our confidential contact form.