Information Security has become a major issue for businesses and organizations in the context of digital transformation, business model changes, cyber threats, and compliance requirements. Information Security (IS) is on the agenda of the CEO, decision-makers, and is no longer considered solely a technical discipline. It has benefited in recent years from numerous recommendations regarding the importance of good governance and management. Security is paramount to every business. Cybersecurity is a growing and rapidly changing field, and the central concepts that frame and define this increasingly pervasive field must be understood by professionals who are involved and concerned with the security implications of information technology (IT).
Information Security (IS) is currently making a serious contribution to business development by ensuring not only reliable operations but also new opportunities for qualitative differentiation. It is increasingly seen as a value creator or facilitator of operations in new business models. As the cloud comes to the picture, this rises again new questions to the board of directors, is our data secure up there? do we have control? I heard that if we move to the cloud we are secure, is that true? What about privacy, compliance and data regulation? Cloud security is a shared responsibility, what does that mean? the list of questions goes on and on… For this reason, it is imperative that before adopting cloud computing, organizations must first understand the security considerations that are inherited by the cloud computing model. These considerations must be revised before adopting—ideally during the planning process.
Security in the realm of information technology has been fascinating to me for a long time. For the last 2 years, I embarked on a journey toward Information Security (IS). I challenged myself and enrolled in the highest Swiss federal diploma of higher education in Information and Communication Technology (ICT) – ICT Security Expert. After nearly two years of hard study and sleepless nights, I am happy and grateful now that I passed the Swiss Federal Exam!!!
Bypassing this exam, I received the ICT Security Expert, Advanced Federal Diploma of Higher Education title which is the highest level of a diploma under the Professional Training program which is led by the ICT Professional Education in Switzerland.
You can read about the graduation ceremony in the press release published by the ICT Berufsbildung here: Twelve new ICT Security Experts for a safer Switzerland.
In this article, I would like to share my experience to help anyone interested to take this journey and pass the Swiss ICT Security Expert, Advanced Federal Diploma of Higher Education.
First of all, this diploma is dedicated to my wife and my family who have supported me and their patience while I was busy preparing for the final exam.
I would like to thank my employer itnetX (Switzerland) AG which is supporting me in the best possible way and especially to allow me to sit and study beside my busy working schedule!
I would like also to thank all my instructors and colleagues at the Institute Swiss Teaching Computer Management (ISEIG), and especially M. Patrice Schneider and M. Deniz Mutlu for their support and help me to prepare for this exam successfully. Many thanks, guys!
Last but not least, I want to thank all the 13 experts who assessed my level during the final oral exam. After nearly 6 hours of open discussions with real-world security scenarios, simulations, and presentations (This was the toughest challenge for me). All the experts judged my level of expertise and signed my passing score. Thank You All!
ICT Security Expert Roles
The ICT Security Experts help ensure that information is better protected against unauthorized access. In all areas of life, information and communication technologies are becoming more and more important, which at the same time increases the vulnerability of the economy and society. They contribute to raising awareness of this issue in society.
The ICT Security Experts work on behalf of private companies and public institutions in the field of Information Security (IS). Regardless of the size of the organization, their activity covers the global context of information security in the organization. Through their in-depth understanding of the organization’s areas of activity and processes, they work with a wide range of stakeholders in security-related areas. This includes the management and the Board of Directors, specialists, heads of functional and business units and external service providers.
The ICT Security Experts reduce the information security risk of the organization at the level defined and acceptable by the management and the board of directors. They identify possible gaps in the security strategy and develop measures to address these gaps. They advise the organization’s crisis committee on all aspects of ICT security. They create awareness of safety at all levels by developing and implementing appropriate awareness campaigns.
ICT Security Experts perform different functions. They advise lead projects, contribute their specialist knowledge in teams and work independently. Their working environment encompasses the entire organization.
The ICT Security Experts communicate with the various stakeholders in a way that is adapted to the target groups. Their knowledge of all areas of the organization’s activities enables them to deal with security issues throughout the organization. In doing so, they also make use of their basic knowledge of business economics. The framework for their activities is provided by the legal guidelines applicable to the relevant sector and the organization’s strategy.
An organization’s information security is under constant threat. For this reason, ICT Security Experts constantly analyze and test technologies and processes to change the product and process landscape in their area of responsibility if necessary. This requires a high level of innovation.
Last, ICT Security Experts exchange their knowledge about the threat situation and protection against dangers with specialists. The exchange of sensitive data requires viable networks. ICT Security Experts set up and maintain such networks.
Main Skills and Competency
The main operational skills of the ICT Security Experts are as follows:
- Anchor the security strategy.
- Implement the Information Security Management System (ISMS).
- Lead the security program.
- Manage stakeholders’ needs.
- Create security awareness training.
- Control security events.
- Guarantee the security of information.
- Create an incident response plan.
- Create a business continuity and disaster recovery plan.
In order to be able to carry out this activity in a professional manner, the ICT Security Experts are fully familiar with their organization and its products, processes, and information and are able to guarantee appropriate information security. They detect and assess risks, define and coordinate risk management measures and ensure the effectiveness of defense measures.
The exam is divided into three main sections as the following:
- Examination Part 1, Portfolio work and interview with experts (40 minutes): The candidates maintain a portfolio in which they make the link between theory and practice. The portfolio is a thoughtful and commented collection of materials of different types in which candidates apply theoretical knowledge of practical examples of daily work through a transfer service. The individual portfolio is the basis for the expert interview, during which candidates answer questions from experts about their work.
- Examination Part 2, Written case studies (120 minutes): The candidates receive realistic cases that are handled in writing. The choice of cases is made in such a way that a selection of operational skills from all areas of operational skills is controlled. This part is the toughest one since the time is always a constraint to finish the written part within 2 hours. You need to manage your time really well. It’s impossible to write like a robot!
- Examination Part 3, Oral cases and interviews with experts (300 minutes): The candidates deal alone or as a team with different situations that are close to reality in several scenarios. The development of the solution is observed, analyzed and evaluated. In the case simulation, different attitudes are also controlled, with particular emphasis on teamwork skills, communication skills, and judgment. This is another tough part, you will receive 5 different scenarios, you have 10-15 minutes to prepare and then you need to present your solution to the experts.
Lessons Learned and Exam Preparation
The key success to pass this exam is to work with Information Security on a regular basis, theory, books and training videos alone are not enough to pass this exam. For this reason, to be eligible and register for this exam in the first place, you need to have at least 3 years of working experience in Information Security.
The resource materials that I recommend to have around while you are studying and preparing are the following:
- Certified Information Security Manager (CISM) by ISACA.
- Certified in Risk and Information Systems Control (CRISC) by ISACA.
- Control Objectives for Information and Related Technology (COBIT) by ISACA.
- COBIT 5 for Information Security by ISACA.
- Cybersecurity Fundamentals Certificate (CSX) by ISACA.
- Hermes 5 project management by the Swiss Confederation.
- Certified Information Systems Security Professional (CISSP) by (ISC)2.
- Certified Cloud Security Professional (CCSP) by (ISC)2.
- CompTIA Advanced Security Practitioner (CASP+).
- ISO/IEC 27001 Information Security Management.
- ISO/IEC 27002 Information technology — Security techniques — Code of practice for information security controls.
- ISO/IEC 22301 Societal security — Business continuity management systems — Requirements.
- ISO/IEC 27005 Information technology — Security techniques — Information security risk management.
- The EU General Data Protection Regulation (GDPR).
As you can see, the final exam covers a wide range of topics that might show up in the exam and you need to be familiar with most of them. Based on my experience by taking this exam, you should be familiar really well with the following topics:
- ISO/IEC 27001 (Information Security Management System).
- ISO/IEC 27002 (Code of practice for information security controls).
- ISO/IEC 27005 (Risk Management).
- General Data Protection Regulation (GDPR).
- Malware, Ransomware, and spear-phishing attacks.
- Business Continuity and Disaster Recovery.
- Cloud security and cloud storage.
- Bring your own device (BYOD) and mobile device management (MDM).
- Incident Response.
- Project Management.
- Confidentiality, Integrity, Availability, the three famous principles of the CIA triad.
- The concept of security by design and security by default architecture.
Last but not least, please make sure to consult and read each module below which is part of the exam provided by the Swiss, ICT Professional Education:
- System Management:
- Network Management:
- Project Management:
- Business Management:
- Service Management:
- Security/Risk Management:
- 670: Guaranteeing Information Security in Business Continuity Management.
- 668: Operate and improve an information security management system.
- 667: Implementing an information security management system.
- 666: Defining and anchoring governance for the information security strategy.
- 665: Develop an information security strategy.
To prepare for this federal exam, I highly recommend you to attend a formal instructor-led training class which might take more than one year or so of study. You can find the list of all certified partners recognized by the ICT Swiss federal based on your preferred location.
If you are planning to take this federal exam in Switzerland… I wish you all the best and Happy Studying!!!
Thank you for reading my blog.
If you have any questions or feedback, please leave a comment.