nThe Certified Information Systems Security Professional (CISSP)ncertification is considered to be the gold standard in information security.nThis is so because of all the doors that certification opens to a CISSPnprofessional. Those doors lead to many different types of positions andnopportunities, thus making the information security community dynamic andnmultifaceted.
nIn this installment, we talk to influential trailblazernnDr. Christine Izuakornn. Christine shares with us hernincredible story as the youngest student and first African-American woman tonachieve a P.hD in Security Engineering, how she planned her journey tonachieve her dream job and how her passion for cybersecurity had fueled hernevery step of the way.
nnWhat job do you do today?
nI am the founder and CEO ofnnCyber Pop-upnn, which is an on-demand cybersecurity service platform for small and mediumnsized businesses. It’s completely powered by vetted and highly skillednfreelancers. n
nnWhat problems does your business solve?
nThe issue is that there’s this huge cybersecurity talent shortage,nand there’s not a lot of experts available yet. Everyone needs help. We fillnthat gap by bringing expertise to the small and medium sized businesses thatncan’t afford to hire a full cybersecurity team or even a singlencybersecurity expert. We’re bridging that gap and allowing organizations tonget access to our experts, on-demand, whether it’s for a few hours, or for ansingle project so that they’re not left exposed without any cybersecuritynresources at all. It can be anything from a Virtual CISO, to creating ancybersecurity strategy or policy, reviewing infrastructure to find securityngaps, doing assessments – it’s a broad range of services for clients allnover the US. n
nnnWhat was life like when you started your career in cybersecurity?n
nnIt was a little hectic because I was doing so many different thingsnat once, but I loved the industry so much because I loved everything that Inwas learning and doing. It never felt overwhelming or like it was too much.nIt was just fun to me. It’s always been fun. n
nnWhat was your first cybersecurity job?
nI wanted to make sure that while I was in school I was stillngetting experience, so I ended up working full time through my masters andnthrough my Ph.D. I got a two-month internship with Continental Airlines innHouston and they kept extending my internship until I was there as an internnfor a year. At the end of my internship, there were different openingsnbecause the cybersecurity team was growing there. I recall at least threenoffers to choose from, which was a really nice position to be in, so Inaccepted one, and never looked back. n
nnWhy did you first decide to get into cybersecurity?
nInitially, I was trying to be a medical doctor in school, andnfailed. So I started thinking that I was not meant to work in the medicalnfield at all. I started taking different electives, trying to figure outnwhat I wanted to do, what I wanted to pursue as my career. I was trying justnrandom electives in school. I took finance, I was doing marketing, I wasndoing accounting. I just wanted to get as much exposure to different areasnto see what I liked. I found a cybersecurity class, not really knowing whatnit was about, but it sounded kind of cool.
nnI absolutely fell in love with with the cybersecurity class I took. Therenwas an encryption assignment and it just felt like a game. The assignmentnwas to decipher an encrypted message. I was up until probably two or threeno’clock in the morning trying to figure it out, and didn’t even realize thatnI was up that late, because again, it just felt really fun. I had so muchnfun in that encryption class, that I decided to switch my major and startednstudying security management. I followed that path all the way fromnundergrad, to master’s, to Ph.D.n
nnDuring that same time, I knew that in order for me to grow into the rolenthat I wanted to be in, I needed experience. You can do everything you wantnfrom an education standpoint and all of that, but a lot of people valuenhaving the hands-on experience.n
nnI also started doing a ton of research to figure out what a career inncybersecurity looked like, how much money can a person make, and what arenthe future opportunities in that field in the next five years. This was 10nyears ago, the industry was just starting to grow and the projection ratesnwere just crazy in a positive way. It looked really good and it still ringsntrue today. Not only is it such a high demand area, but it remains a funnprofession. I didn’t want to miss out on this career.n
nnnYou earned your undergraduate degree, a Master’s, and were workingntowards a PhD in Cybersecurity. What made you decide to undertake thenCISSP credential?
nThroughout my entire career, my goal was to become a ChiefnInformation Security Officer, and I would go to different job sites verynearly in my career and look at what the qualifications were for that role,nand what people were asking and looking for when they were hiring. I sawn“CISSP” on almost every job posting, so I knew that it was something thatnwas highly sought after then, as it is now. But also, just for me, I wantednto make sure that I had checked every box, so there would be no reason whynsomebody would come to me and say “you’re not qualified”, or “you can’t donthis”.n
nnI knew that especially as a woman of color in cybersecurity 10 years ago,nthat I needed to go above and beyond in order to get into that positionnbecause I didn’t see a lot of women who were CISOs. I didn’t see a lot ofnpeople of color who are CISOs either. So I wanted to make sure that I wentnabove and beyond to meet every requirement so that I would have thatnopportunity. That was the logic behind me going for almost every credentialnthat I could think of that would provide value.n
nnIncreasing the visibility of underrepresented groups of people has alwaysnbeen important to me. When people see “CISSP” next to my name, and knowingnthat they can also succeed as I did, I think is a great motivator for anstudent. It’s always been important to me and as soon as I finished my Ph.D.nprogram, I became a part-time professor. I intentionally taught at classesnor at schools where there’s underrepresented groups, and people who tend tonget overlooked in the industry. When I would walk in the classroom, and theynwould see me and then see my credentials, it was mind-blowing to many ofnthem. I was asked so many questions about how to get a CISSP and I lovednsharing that information with them. That’s something that I didn’t expectnbecause I wasn’t doing it to be an example, but the fact that it ended upnbeing that way has become very important to me. I love that I can have thatnimpact now.n
nnnHow do you think you have personally benefited from becoming a CISSP?
nIt helped me get a broader view of cybersecurity, and the timingnmight give some context to those too. I sat for the CISSP exam towards thentail end of my Ph.D. program. I did both of those things while I wasnworking. I feel like the CISSP course of study allowed me to grow so quicklynbecause it is such a broad and standardized framework where you learn anlittle bit of everything.n
nnIn a Ph.D. program, you find one super, super-focused area, and then you dignreally deep into that. My Ph.D. program was focused more on securitynengineering, and how to solve very specific problems. So I learned how tonfocus really well on that topic. But then, with the CISSP, having those twonthings occurring simultaneously, while also being in a true work environmentnand applying everything in my day-to-day work, just allowed me to digest andnretain the information so much more. It allowed me to grow so much morenquickly as a security professional.n
nnHow did you prepare for the exam?
nI attended a “boot camp” for a week and then I took the exam a weeknlater. It was cool to meet other people in the class. It was cool to justnlike get a deeper insight into areas that I didn’t have as much experiencenin. One of the most beneficial things about the boot camp is before I wentnin, I had five or six years of experience. I went through the CISSPnframework and looked at the areas where I already had experience where Inalready had done a lot of research and insight. Not to say that I didn’tnfocus on those, but I knew that I had a better grasp in those areas. Then, Inspecifically highlighted the areas where I didn’t have as much expertise,nwhere I had only studied them in a school setting.n
nnIn the boot camp, during those topics that were being covered, I would benable to ask the instructor very specific questions, be able to dive deeperninto it more, be able to meet other people in that boot camp who hadnexpertise in the areas I was not as familiar with, and be able to soak up asnmuch as I could, and learn from them in that short amount time.n
nnWhat most surprised you about CISSP?
nThe one thing that surprised me was realizing that as I was takingnthe practice exams if I was to answer the questions the way that I would innmy real workday, I would fail. I really needed to stick to the true standardnand framework. I think that that’s important in a positive way because it’sna learning process. It taught me that everything that I was learning workingnin one company was not going to work everywhere. It made me a strongernprofessional to know what the standard is, and to know what the bestnframework is, or the way to approach things so that when I’m put inndifferent and unfamiliar positions, I still have a solid foundation that Incan work from.n
nnDid it change how you approached your work?
nI’m all about constant evolution and constant self-improvement.nWith everything that I was doing around that time again, I was growing sonquickly, and applying so many new things, that it definitely helped menbroaden my perspective and my approach. For example, shortly after Infinished my Ph.D. program, I got promoted into a global strategy role where,ninstead of focusing on just one area of cybersecurity, I was undertakingnvulnerability management and some social engineering. I also becamenresponsible for global security strategy across all of the differentnsecurity domains reporting directly to the CISO. Gaining that broad range ofnunderstanding of all of the different CISSP domains, I was able tonimmediately apply everything that I was learning into that new role. I wentnfrom being a regular analyst all the way to reporting to a C-Levelnexecutive. A huge part of that leap and that transition came from the broadnknowledge that I had just gained about the industry in addition to thenexperience in such a short amount of time.n
nnWhat steps brought you to the job you do today?
nThere was a pivotal moment maybe two years ago. Even though mynsupervisor was such an amazing mentor and leader, I realized after being sonclosely exposed to the day-to-day responsibilities of a CISO, that I didn’tnwant to be a CISO! I had spent the last nine years preparing for that role.nTo get so close and then realize that my heart and my passion was in anothernplace was a huge epiphany. That’s also where the stars align very perfectly,nbecause, around that same time, I had realized that my biggest passions lienwithin the human elements of cybersecurity, such as training and educatingnand developing people.n
nnThis goes along with not only understanding the talent shortage problem, butnalso in a greater scheme of things beyond cybersecurity. I’m very passionatenabout helping people reach their full potential, so this idea that startednto brew for years, and these shifts started happening, it was almost likenthe stars were aligning. The business model that my company has today justnperfectly meets with all of those passions. I realized in that moment that Inwanted to be the CEO of the cybersecurity company. So I did it, I made thatnleap of faith.n
nnWhat ambitions do you have for your career ahead?
nI’ve done so much in the last 10 years, and I love my company and Infeel like it’s my baby now. My ambitions are no longer necessarily tied tonmy personal career. I want to buildnnCyber Pop-upnnto reach its full potential and to be everything that I know it can be. Innthe process, it can truly impact the people in cybersecurity, and genuinelynhelp people through our freelancer model, as well as through build this armynof super-creative freelancers. I want to help people who don’t typically getnexposure or access to this industry, not just from a company or a smallnbusiness standpoint, but through professional development. By giving themnthe opportunity to have that impact in jobs now, they can gain morenexperience, they can contribute value, and they can go on to work at thencompanies that they want to work for in the future. My aspirations and mynfocus at this point are more so on that side, and I’m now just reallynfocusing on impactful contributions.n
nnWhat is it about your job that you love?
nI love that my job centers on everything that I care about becausenI care about helping people reach their full potential. I care about helpingnpeople get secure. I care about helping people just understand theirncybersecurity risks, and I feel like just every single thing that I carenabout is baked into one place. I couldn’t imagine being anywhere else atnthis point. It’s the best position.n
nnnWhat is the biggest challenge you have faced in your career?
nI would categorize that into two buckets. The biggest challengenthat I faced in my career from a technical standpoint is knowing thatnexperience is king in cybersecurity, and trying to do everything that Incould to make sure that in addition to having credentials that I hadnexperience in many different areas. I’m a very framework-heavy person. Inliterally have a spreadsheet just like I had when I was preparing to be anCISO. I created a spreadsheet with all the different domains that a CISOnshould understand and have experience in. I did this through research onndifferent job postings and things like that. And then I would try tondocument, like my experience in those areas.n
nnThe biggest challenge was trying to get as much experience as I could innthose areas in the timeframe that I wanted, which meant that I couldn’t justngo to work and do my job and go home. That wouldn’t be enough for me to getnthe experience that I wanted towards becoming a CISO. I would do my job. Inwould do volunteer pro bono projects for non-profits, so that if there wasnan area that I couldn’t learn through my current cybersecurity job, I couldnstill acquire those skills through the pro bono work and get the experiencenthat I needed.n
nnOn the opposite side, I felt a lot of imposter syndrome. As a woman of colornin the cybersecurity space, not seeing a lot of people like me. Progressingnso quickly and getting to the point that I did I thought that people onlynsaw how young I was and how fast I got there. That’s why the imposternsyndrome kept me thinking that I shouldn’t be where I was, regardless of allnof my effort. I just worked really hard to accomplish my goal. Some peoplenexpressed that concern to me, but, fortunately, they are too few to bencounted among all the successes of my hard work.n
nnHow did you overcome that feeling of imposter syndrome?
nIt’s a constant journey, but I think one of the biggest things Inhad to look at is the way that I was talking to myself, the way that I wasntreating myself. Self-talk is very powerful. I think I gained more awarenessnof how it was actually my own internal struggle of me talking to myself, andnsaying, “you’re not smart enough to do that, you’re not qualified to do thatnyet”.n
nnI had to really start paying attention to that internal-dialogue, andninstead of bringing myself down, start to hype myself up, and encouragenmyself. This may sound somewhat basic, but it’s truly what I started tonfocus on. I no longer allow myself to talk down to myself at all, ever. Thatnmakes such a huge difference, because now, if anybody does come to me andnsays that I’m unqualified or whatever the case may be, it doesn’t bother me.nI don’t pay attention to it, because inside, I already know who I am, andnthat’s what matters.n
nnWhat achievement or contribution are you most proud of?
nI would say earning my Ph.D. because I didn’t realize the impact that itnwould have and it really shifted things for me. When I graduated, I becamenthe youngest student and the first African-American woman to earn a Ph.D. innsecurity engineering. I just remember sharing the journey, and the storyngoing viral, getting millions of views. I had people from over 35 countriesnwith thousands of messages just reaching out to me, saying things liken“because of you, I’m going to pursue my dream” or “because of you, I’m goingnto go and pursue my degree in cybersecurity” or “because of you, I want tonget my CISSP”. All of these are just overwhelming in a positive way; thenoutreach of people who were impacted. For me, that’s one of my favoritenaccomplishments. The idea that just by going after my own dream and sharingnthe journey, and that having a positive impact as a result. I didn’t donanything else.n
nnHow do you ensure your skills continue to grow?
nI think that I’m an eternal student, of course, which is why Indecided to become a professor right away. I’m really big on I’m really bignon continuous growth and evolution. That’s in addition to doing things likenteaching, which helps me learn a lot. I’m continuously plugged intondifferent conferences and speaking engagements, things like that. I alsonfeel like having certifications, such as the CISSP, is like having that kindnof reminder of how I have to make sure that I continue to complete a certainnamount of learning hours to keep the certification. That extranaccountability for me is important as a professional.n
nnnWhat do you think the biggest challenge is for cybersecurity right now?
nThe biggest challenge, and of course I might be biased because thisnis what I care the most about, but maybe it’s also why I care the most aboutnit, is the talent shortage. We’re just out outnumbered, outworked, andnoutpaced, when it comes to people who are fighting the good fight, versusnpeople who are fighting the bad fight.n
nnWhen I hear some of the numbers and the statistics around the projection ofnneeded cybersecurity professionals versus what we have today, that is one ofnthe most concerning things. We can try to invest in automation andntechnology and all of these things to help fill some of the gaps, and somenof that works and contributes value. That’s important, but you can’t replacenthe human element of security at all. Being able to build talent pipelinesnand help people get the credentials and the experience that they need tonthrive in the industry is one of the biggest challenges today.n
nnWhat solutions do you think could address this?
nIt takes a multi-layered approach. Two of the biggest topics for menare focusing on building talent pipelines, and having a flow of people beingnable to get the right development and the right training, regardless ofnwhether you’re a student, or whether you’re an existing professional. Again,nacquiring the right hands-on experience, whether that’s through being ablento work within companies, possibly through rotation programs where you cannget exposure to different areas.n
nnIn my career, I realized what I basically did was build my own rotationnprogram. Having rotation programs and similar initiatives to help build morenwell-rounded professionals more quickly is going to be an important part ofna solution.n
nnOn that same note, partnering with universities, non-profits, and differentnentities that can allow us to train people who are interested in thenindustry and get them some experience is another approach. Additionally,ntalent could originate from tangential industries where we havenprofessionals who could very easily transition into cybersecurity and donwell. Unfortunately, they either just don’t know how, or they don’t evennhave the awareness or the exposure. I wrote a book,nnUltimate Guide to Building a Career in Cybersecuritynn, and I talk about this a little bit. If you’re able to take somebody whonis has been a network engineer for 15 years, and help them prepare for thenCISSP, or the Associate version if they don’t have all of the requirednexperience, that will benefit the entire profession. If you’re able to takenpeople who have deep experience and deep expertise in some of these relatednareas and just layer on the cybersecurity piece, and then transition themninto the industry, that would make a huge difference in the talent shortage.n
nnWho inspires you in the world of cybersecurity?
nI would say one of my biggest inspirations to date has been my oldnboss, Emily Heath. Shenhelped me realize what I wanted to accomplish. Emily is the chief securitynofficer at DocuSign now. She’s amazing.n
nnnWhat do you think people considering a career in cybersecurity shouldnknow?
nThe biggest piece for me is still what I learned a long time ago.nIt’s the experience. Experience is king. I say this because it’s muchnbetter to realize that you need experience on the front end, and startnworking towards it than to go through school or go through trying to justnget certain certifications, only to start looking for a job and thennrealizing that the entry-level positions are so limited. Even if you don’tnhave a full-time cybersecurity job, you can begin to get creative, and donwhatever you need to do to gain the experience. For example, as in my case,nI was working full-time, but I also was doing pro bono projects fornnon-profits and for small companies just to get whatever experience I could.n
nnI’ve had so many conversations with students who are trying to get into thenindustry without any experience, and are having a very hard time getting anjob. It’s frustrating for them because people are talking about this hugentalent shortage and all of these jobs, but they are out there trying to getna job and there are no jobs. My best advice is to make sure that you do whatnyou can to get some hands-on experience.n
nnThe last closing point that I’ll add, and this is more personal,ncybersecurity or not. I feel like life became so much easier for me when Indiscovered what my passion was and followed that. It takes so muchncontinuous learning and growth, not only in the cybersecurity industry, butnin any industry. If you don’t stay attuned to the latest cybersecurityntrends, you’ll fall behind very quickly because things evolve so fast. Incare about it so much because I’m so passionate about it. It’s very easy fornme to read a new book, or listen to a podcast, or read an article, or teachnclasses or get my continuing professional education credits. It sounds likena lot when I’m talking about all of the things that I’ve done, and continuento do, but it doesn’t feel like too much because I’m so passionate about it.nThe biggest thing, whether it’s cybersecurity, or anything, is just to makensure that you’re following your passion and everything else hopefully willnfall into place and it’ll be a little bit easier.n
nnTo discover more about CISSP download ournnUltimate Guidenn. Or read our whitepaper,nn9 Traits You Need to Succeed as a Cybersecurity Leadernn.n
nnOr, check out more interviews with CISSPs as a part of this. CISSP interview series.
]]>