CISSPs from Around the Globe: An Interview with Melissa Parsons

The Certified Information Systems Security Professional (CISSP) certification is considered to be the gold standard in information security. This is so because of all the doors that certification opens to a CISSP professional. Those doors lead to many different types of positions and opportunities, thus making the information security community dynamic and multifaceted.

In support of this diversity, ISC2 has launched a series of interviews to explore where CISSP certification has led security professionals. Last time, Angus Macrae shared his CISSP experience. This installment features Melissa Parsons, Senior Consultant in Cyber Security for KPMG Canada. She has notable success driving and managing increasingly complex IT, security and privacy related projects.

What job do you do today?

Currently, I work as a Senior Cybersecurity Consultant within the Risk Consulting and Advisory practice at a “Big 4” firm.

What problems does your company solve?

My team and I help organizations in the private and public sectors navigate and minimize the world of cyber risk. Key areas of focus include strategy and governance, transformation, cyber defense and cyber response. Recently, I’ve worked on a number of Threat Risk Assessments (or TRAs) as well as ISO 27001 engagements which pertain to a client’s Information Security Management System (or ISMS).

Why did you first decide to get into cybersecurity?

I wanted to continue to help my company to innovate safely and securely in a way that was informed and that considered threats, risks and vulnerabilities along the way.

What was life like when you started out in your career in cybersecurity?

I transitioned into a cybersecurity career from a former DevOps role within a company internally. I was intimately familiar with this organization’s technology and architecture at the time when I moved over to a Security Analyst role. Because of this historical knowledge within the company, I was able to clearly identify areas of strength and areas that required additional focus and care in relation to security.

What was your first cybersecurity job?

Security Analyst. I was responsible for internal security program management including technical aspects of enterprise risk, incident response, lawful access requests (acted as privacy lead), disaster recovery planning and testing, as well as audit and regulatory obligations.

Why did you decide to undertake CISSP?

Taking the CISSP was a “no-brainer” for me once I had some experience under my belt. I had already taken and passed the SSCP from ISC2. This was the next logical step in my professional development. I knew it was the most sought after cert in my field, and I knew it would be required for more senior positions/contracts and that it would open a lot of doors (and it has!). Obtaining the CISSP demonstrates that you have practical employment experience, a deep understanding of security across the eight tested domains, and a familiarity with pretty much all aspects of the cybersecurity landscape.

What prompted you to do that?

I started consulting around the time I obtained my CISSP. I was working on RFP proposals with my team, which mainly indicated that the CISSP was a prerequisite qualification in the requirements. In addition to being qualified to work on some incredible projects with large private and public sector clients, the CISSP is highly valued, recognized and respected amongst peers and colleagues across the globe.

How long did it take to achieve CISSP?

I started and stopped studying for a year, and I then buckled down in the final month before taking the exam.

What resources did you use?

I purchased the official ISC2 study guide and practice tests. In addition to these resources, I watched online tutorials, took a lot of handwritten notes and used my whiteboard to track my progress.

Did you enrol in any training?

I did not, but in hindsight, that may have been very helpful and less stressful. It could have been a more dynamic way of learning with a better structure than the self-study route.

What most surprised you about CISSP?

I don’t think I was too surprised by much. I have many friends and colleagues who successfully passed the exam and offered me great advice and tips. I would recommend reaching out to your network and asking a few different CISSP holders about their experiences. Everyone has a slightly different experience and perspective.

What were the first changes you noticed after becoming a CISSP?

I was in a new, slightly intimidating phase of my career in which I was consulting for Fortune 500 companies and large government entities in cybersecurity. I was eager, scared, and excited all at once! Achieving my CISSP was a cause to celebrate yet another milestone. It made me feel more confident in my abilities and gave me validation to quiet the “imposter syndrome monster” lurking in the far corners of my mind and to “get on with the show” to produce some valuable deliverables for my clients.

What steps brought you to the job you do today?

When I decided to give consulting a go, my aim was to widen my experiences and previous knowledge base in cybersecurity across multiple industries and sectors in order to gain a more holistic view of organizations’ challenges. It has been an incredible journey and learning experience. It’s accelerated my understanding and appreciation for how businesses and organizations strategize and operate in relation to cybersecurity, IT, information management, privacy and enterprise risk. I’ve been very lucky to work alongside C-suite and board members from some very innovative and talented organizations. In short, the work has been both inspiring and rewarding. (I made the right move!)

What achievement or contribution are you most proud of?

Earlier this year, I was asked to return to my college to present as an alumni at a global event for women in cybersecurity. I was honoured and felt this truly was one of those “full circle” moments in life. There were guest speakers from all over the world, media coverage and so many impressive business and government leaders. I was so nervous but felt a tremendous amount of necessity to “nail it.” I practiced that speech for weeks, and in those 7 minutes at the podium, I saw my favourite instructor smiling up at me from the audience. I had to refrain from tearing up on a number of occasions. After the event, I gave him a hug and thanked him for believing in me when I was at a point in my life where I wasn’t believing much in myself. A lot of my presentation that night echoed that theme of believing in yourself, finding mentorship and then paying that forward when you can.

What is it about your job that you love?

I love helping organizations develop road maps and mature their security posture. I’m a very strategic and analytical thinker and get way too much joy out of research and planning. I don’t believe in the “one size fits all” model. I like to customize plans that are realistic and achievable to make the world a little bit safer for us all. I love getting feedback from clients during a closing meeting. I really pour my heart and soul into what I do, and it means the world to me that other people and organizations can benefit from that.

What is the biggest challenge you have faced in your career?

The biggest challenge? Having a career at all! I was a young, single parent really struggling early on, and I was a “late bloomer” when it came to finding a path I felt passionate about (and could pay the bills!). I never would have imagined 10-15 years ago that it would be in cybersecurity! My younger self would have thought I wasn’t “enough” (smart enough, talented enough, driven enough, etc.). And yet, I always had a keen “investigative streak” in all my prior places of employment during those years of customer support and IT work. I was dubbed “P.I. Parsnips” by a former manager, and that has stuck with me all these years later! I’m really proud that I didn’t give up taking on new challenges and trying new things. You never know what you are capable of until you try! It sounds so cliché, but it was all those leaps of faith that led me here today.

What ambitions do you have for your career ahead?

I am still trying to figure that one out! Truth be told, I have moments (like these, doing this interview) where I am in total shock! I do see myself continuing to hone in on my strategy and advisory skills just maybe in a more senior role.

How do you ensure your skills continue to grow?

I belong to a number of professional associations and chapters such as ISC2, and I continue to participate in seminars, conferences, webinars and trainings to keep my skillset sharp and gain new perspectives and insights from others in the community. Networking is key in any career path. I find I get the best takeaways from environments where I’m meeting and mingling with other professionals and hear them share their stories. It’s a great way to meet new mentors and provide mentorship to others, as well.

What do you think the biggest challenge is for cybersecurity right now?

I feel the biggest challenge right now is the rapid expansion of the threat landscape. We are struggling to keep up. Adversaries are no longer just human in nature; they also consist of the very technology that we have created out of demand for automation, speed, agility and efficiency. Think bots, for example. They have the capability to be used for good or, quite frankly, evil. There is no doubt that the digital revolution has led to miracle-like advances in areas like healthcare and all sorts of wondrous accessibility to information like never before, but there are always those thoughts in the back of my head around “Ok, but how is this configured? Where is my data going? Who/what has access? What are the potential threats and risks?” anytime a new product or solution is adopted.

What solutions do you think could address this?

Good oversight/governance coupled with security by design could help, but first comes education on the importance of embedding security throughout the SDLC. Part of what has drawn me to this “world” is protecting people. Cybersecurity awareness and education is a personal mission of mine, but it is not one I engage in through “fear mongering” or criticism. We have to use empathy and compassion in this field to get ahead and work together instead of pointing fingers and passing around the “hot potatoes”.

Who inspires you in the world of cybersecurity?

Youth! It’s the teens and 20-somethings. I see them all revved up, informed and so hyperaware. They inspire me every day. They are going to change the world, I have no doubt about that, so we have an incredible duty to “serve and protect” them in whatever capacity we can. For myself personally, that will be through my small, daily acts as a parent, volunteer, and cybersecurity professional.

What do you think people considering a career in cybersecurity should know?

There is such a large range of cybersecurity roles and options out there today in this new and ever-expanding career line. If you are considering one, consider them all. Try a lot of different things. Have fun with it, too! Play with different programming languages and scripts as well as test and review different tools and products. There are so many ways to contribute to this community that complements so many different types of people, skillsets, personalities and curiosities from AppSec, networking, OpSec, threat hunting to governance, risk and compliance and everything in between! Also, don’t be afraid to reach out to people in a cybersecurity role and ask them questions about their experiences.

To discover more about CISSP download our Ultimate Guide. Or read our whitepaper, 9 Traits You Need to Succeed as a Cybersecurity Leader.

Or, check out more interviews with CISSPs as a part of this CISSP interview series.
