Becoming a Cybersecurity Practitioner (CSXP)

August 17, 2018 by Daniel Brecht


The growing concern of cybercrime is pushing more and more companies to staff their IT teams with professionals who are able to implement proper security measures as well as key controls and mechanisms that minimize threats and vulnerabilities. Choosing the right resources, however, might not be so clear-cut, and hiring teams often rely on certifications to screen applicants.

ISACA (previously known as the Information Systems Audit and Control Association, and now going by its acronym only) recently published cybersecurity workforce research that highlights how "the worldwide cyber-security skills gap continues to present a significant challenge," with 59 percent of the surveyed infosec professionals reporting that there are unfilled security positions within their organization.

In addition to the problems of underrepresentation of women and minorities in cyber, IT and infosec careers, there is also a skills gap that continues to be present and that many organizations are finally trying to address through ad-hoc programs. In fact, ISACA's 2018 State of Cybersecurity research pointed out that a global shortage of two million cybersecurity professionals is expected by 2019.

That is where ISACA itself comes in. The organization is behind Cybersecurity Nexus (CSX), a new platform launched in 2014 to address the growing cybersecurity skills crisis and develop a skilled workforce. CSX is designed to provide IT security and cybersecurity professionals with the knowledge and technical skills to defend their organization from security breaches and cyberattacks. The program offers training and education to address all skill levels and specialties as well as a performance-based certification; in addition, it includes ample possibilities for networking with other like-minded professionals in the field.

So Why Should I Consider CSX?

The strength of ISACA's Cybersecurity Nexus™ (CSX) resides mainly in its strong practical, hands-on approach that focuses on real-world abilities. A key part of CSX, in fact, is its training and certification tracks, which were developed for skills verification with exams that are conducted in a live, virtual 'cyber lab' environment. This is intended to test not just the theoretical knowledge of candidates, but also their technical savviness.

There are three levels of CSX programs, consisting of a Practitioner, a Specialist and an Expert track. These are aligned with globally-accepted standards and frameworks, including the NIST Framework for Improving Critical Infrastructure Cybersecurity, NIST SP 800-53 Revision 4, ISO 27000 and COBIT 5.

The CSX Practitioner, Specialist and Expert training series provide insight into the importance of cybersecurity and the integral role of cybersecurity professionals in any organization.

ISACA CSX Practitioner (CSXP) Certification Exam

The recently updated ISACA CSX Practitioner (CSXP) Certification is an entry-level certification for professionals who want to demonstrate technical skills and abilities in cybersecurity. Those who sit for the certification exam are expected to possess quantitative and digital technology skillsets (e.g., threat intelligence) and have the capacity to analyze business processes for risks by carrying out a vulnerability assessment.

This vendor-neutral, performance-based ISACA certification measures and validates technical cybersecurity skills and abilities and can make it easier for employers to find, recruit and retain an experienced workforce comprised of experts from across the IT security field. It allows a job applicant to stand out by demonstrating practical skills that are valuable in an organization's infosec team.

In order to provide the greatest assurance that the exam is always in line with the requirements of cybersecurity practitioners, the certification is periodically reviewed and, in fact, has just been updated to reflect the current job needs and skills.

Who should obtain a CSXP? The likeliest targets are …

  • IT Security Practitioners or Security Specialist

Getting CSXP-certified will likely increase one's professional credibility and possibly earning potential.

Taking the Exam

In order to be certified, professionals do not need many prerequisites: they only need to pass the CSX Practitioner examination and comply with ISACA's Code of Professional Ethics and CSX CPE Policy. Afterwards, they can schedule an exam on their ISACA Nexus account.

The CSX Practitioner Certification (CSXP) examination differs from other programs in that it contains no multiple-choice questions or simulations. Candidates are given 30 varying-duration tasks to be completed in four hours, with minimal instructions and using multiple virtual machines. The exam is administered via Prometric, using PSI Testing Solutions remote proctors. The cost is $400 for members and $500 for non-members.

Once released, results are available on the MyCertifications page of the ISACA website. Candidates who pass the CSXP exam earn the certification without further action. A PDF containing a printable certificate will also be made available.

The topics covered aim at assessing the actual performance of professionals in regular job tasks in five security functions: Identify, Protect, Detect, Respond, and Recover. The topics, with the percentage of exam time for each, are listed below.

  1. Business and Security Environment (ID), 23% — This section includes tasks that cover typical business environments such as data communication and digital infrastructure. It also covers the building of a security environment at the network, operating system and application level, as well as in virtual and cloud environments.
  2. Operational Security Readiness (PR), 23% — This section covers tasks related to the protection of digital and data assets, security tools, proper configuration and access management. It also tests knowledge of how well a professional prepares for the protection of an organization from the creation of threat modeling to contingency plans.
  3. Threat Detection and Evaluation (DE), 27% — This section tests candidates on their ability to monitor and analyze traffic for threat detection. It covers vulnerability scanning, penetration testing and use of appropriate tools as well as the analysis of packets and data logged by the systems.
  4. Incident Response and Recovery (RS&RC), 27% — The last section revolves around tasks related to the response to attacks and the after-intrusion procedures. It involves incident handling, mitigation and containment of the attack as well as all the actions to be carried forward in the aftermath of an incident, including reporting and lesson-learned sessions.

As seen, the exam covers tasks that most professionals are required to perform in their daily activities. Therefore, there are really no prerequisites to take the CSXP cert exam and no specific training is required for the CSXP certification; ISACA, in fact, encourages any candidates who feel that they have the knowledge and ability to pass the examination to attempt it.

The fact that there are no prerequisites, however, is by no means an indication of easiness. The test difficulty lies in the fact that, unless a candidate has true familiarity with the tools of the trade and has current hands-on experience, the tasks will indeed be hard to complete in the allotted time.

How Can I Maintain My CSXP Certification?

The certification is valid for three years as long as the professional attains and reports 30 qualifying CPEs annually. Note that certification-holders will be required to demonstrate proficiency annually in a lab or other skills-based environment in addition to participating in knowledge-based learning. At the end of the three years, the CSX Practitioner exam will need to be passed again.

There are many ways to earn the required CPEs. One possibility is to maintain the CSXP certification by enrolling in the Cybersecurity Nexus™ (CSX) Virtual Cyber Academy Self-Paced Training (requires a subscription) or attending ISACA Conferences that consist of sessions and tracks, as well as education courses. The North American conference will be held in Las Vegas, October 15th-17th, and CSX 2018 Europe will be hosted at the Intercontinental London on October 29th-31st.

These conferences can be quite valuable for infosec professionals. Not only can one gain hands-on skills and invaluable knowledge in the fields of cybersecurity and information security, but participants can earn up to 32 CPE hours by attending one of these conferences.

What Are Some Ways to Prepare for the CSXP?

ISACA offers CSXP exam prep training (US $1,795 non-member/$1,495 member/$1,295 student) to help prepare learners for the CSXP exam. CSX Practitioner training consists of hands-on lab exercises, combined with instruction on key cyber security concepts. Those who enroll in the CSX Practitioner Training will experience cybersecurity scenarios based on recent, real-world situations and be given live incidents to detect and mitigate.

ISACA also offers opportunities for employers that would like to build the cybersecurity skills of their workforce. This is done through an on-demand and real-world training solution in a live network environment — the Cybersecurity Nexus™ (CSX) Training Platform. The platform provides courses, labs, tools and scenarios intended to build individual skills in a variety of cybersecurity roles and offers a number of different packages.

In addition to this offer, there are plenty of other learning opportunities available online. InfoSec Institute provides award-winning security education solutions for either a company or individual in need of skills training and certification prep courses. The Institute is among those offering Learning Resources for Cyber-Security Beginners, with courses (e.g., CySA+ Training Boot Camp) at reasonable prices as well as informative material for professionals in different IT and security careers.


Addressing the shortage of qualified candidates for cybersecurity jobs, in the short and long term, is a goal for many organizations nowadays. Cybersecurity training and certification are playing a vital role in shaping a workforce that can better address new challenges in the digital environment. Cybersecurity Nexus fits in with this goal, and the vendor-neutral CSXP qualification is specifically designed for cybersecurity professionals who understand the risks and need to safeguard sensitive data.

So how does a credential help? Certification demonstrates an individual's skills and proves to employers that the individual has necessary knowledge of the tools to be used, information to have and standards to know. A certification like the CSXP, based on an exam that tests knowledge and performance in a real-work situation, can offer employers confidence that their employees are up to the job. And when your employers know they can trust you, your career only benefits.


State of Cybersecurity 2018, ISACA

Discover CSX, ISACA

CSX Practitioner Certification, ISACA

ISACA is First to Combine Skills-based Cybersecurity Training with Performance-based Exams and Certifications to Address Global Cyber Talent Shortage, Dark Reading

Cyber workforce findings, Professional Security Magazine Online

5 Great 'Starter' Cybersecurity Certifications, Business News Daily

Daniel Brecht

Daniel Brecht has been writing for the Web since 2007. His interests include computers, mobile devices and cyber security standards. He has enjoyed writing on a variety of topics ranging from cloud computing to application development, web development and e-commerce. Brecht has several years of experience as an Information Technician in the military and as an education counselor. He holds a graduate Certificate in Information Assurance and a Master of Science in Information Technology.