The Certified Information Systems Security Professional (CISSP) certification is considered to be the gold standard in information security. This is so because of all the doors that certification opens to a CISSP professional. Those doors lead to many different types of positions and opportunities, thus making the information security community dynamic and multifaceted.

In support of this diversity, ISC2 has launched a series of interviews to explore where CISSP certification has led security professionals. Last time we heard from Mari Aoba and her experiences with CISSP. This installment features Jason Lau, CISO for Crypto.com and an official member and contributor on the Forbes Technology Council. He is also an adjunct professor and industry advisory board member (cybersecurity and data privacy) at the HKBU School of Business.

What job do you do today?

I am currently the Chief Information Security Officer (CISO) at Crypto.com, where I drive the company’s global cybersecurity and data privacy strategy. On the side, I sit on various industry advisory boards on cybersecurity as well as serve as an adjunct professor at one of the premier business schools in Asia. I have been in the education industry for many years now, and I often give back to the community by conducting cybersecurity/privacy training for organizations both large and small. I do this to help promote and improve the ecosystem both locally and globally.

What problems does your company solve?

Crypto.com is a FinTech company with a mission to accelerate the global adoption of cryptocurrency. One way our company helps to solve this problem is by making cryptocurrency easy to access through our user-friendly application. The problem I personally am trying to solve is to help build trust with the everyday cryptocurrency user in the industry. This is still a growing industry that is still evolving every day. This is especially challenging because there are many regions where cryptocurrency is still unregulated. With a lack of regulation we are seeing many companies forgetting the need for, or lacking focus into, cybersecurity and data privacy. My goal is to help Crypto.com become an industry leader in this field and lead the way. An example of this is that we were the first cryptocurrency company to be ISO27001:2013, PCI:DSS 3.2.1 and also ISO27701:2019 certified, showing our commitment to continuously improving our overall processes.

Why did you first decide to get into cybersecurity?
There were no courses at that time to further my interest in cybersecurity, so I joined a company focusing on enterprise systems management and monitoring, which allowed me to travel around the world and work closely as a management consultant to many CTOs on critical infrastructure security. A lot of the security was for physical server systems, and over time, it evolved more into digital security and cybersecurity as we know it today.
What was life like when you started out in your career in cybersecurity?

In the position I mentioned above, I soon learned and realized what I was working on was a key component of an overall cybersecurity strategy – which was incident response and detection and the monitoring of unusual activities in a network environment.

Life was interesting as it was the days before cloud computing and when proactive monitoring and alerting was the first line of defence against potential issues in your network, issues which could have resulted from malicious activities from an internal or external attacker.

My work covered almost all sectors you can imagine across five continents, and it allowed me the opportunity to see how different industries and different cultures approach security. I would not really call it a detour but more of an evolution of my interest in IT, and I had to adapt to the changing environment and skill up to go deeper into cybersecurity.

What was your first cybersecurity job?

I had my first experience with “hacking” as part of my electrical engineering degree at university. We had to experiment with integrated circuit chips and program them to do a variety of different things. It just so happens it was around that time when the first ever PlayStation was released. In my spare time, I researched and “hacked” the boot sequence of the machine with a “ModChip” I programmed, and I was able to play games from different regions around the world.

I was one of the first with these ModChips at that time, and my friend and I started to help others as a freelance job. It was quite thrilling and exciting! This was my first experience with hacking and reverse engineering, which I would find later on that a similar approach was needed in some ways in the cybersecurity world.

What first attracted you to consider getting a cybersecurity qualification?

Early on in my cybersecurity career, I wanted to stand out from the crowd, and this was the hottest certification in this space.

Why did you decide to undertake CISSP?

CISSP is more than just a certification. It is proof to peers that you have a passion to be in this field and to get a broader understanding of the cybersecurity issues.

What prompted you to do that?

Data breaches were happening all the time (and still are!), and this prompted me to further develop my skills in the field.

How long did it take to achieve CISSP?

I would say the whole process took me around 2-3 months. It varies for different people, as it depends on the experience they have. Practical, hands-on experience would definitely help with understanding the concepts rather than just purely reading books.

How did you prepare for the exam?

I think 2-3 years of practical experience is a good time to start to think about doing a CISSP. Back in the day, there were some (ISC)² seminars that you could attend to learn more about the certification and the core body of knowledge that you would be assessed on.

What resources did you use?

I used the official ISC2 text as well as the questions inside the book.

What most surprised you about CISSP?

I was initially surprised that it was a 6-hour exam. This has changed now to a computer-based adaptive assessment process, a format which has reduced the exam duration. But back in the day when I did it, the 6-hour exam was a gruelling process both mentally and physically. Looking back, I believe the reason for this is that computers and the digital world don’t sleep as well as that security issues can happen at any time. As a result, the CISSP was a test of endurance to make sure you were prepared for the real world where you might be tired from a full day of work until you’re suddenly jolted into a state of alert so that you can address security issues that have just come up.

What were the first changes you noticed after becoming a CISSP?

The first change I noticed was the increased numbers of recruiters who were reaching out to me for potential roles. At that stage, I realized that the CISSP certification and credibility of ISC2 was indeed well-recognized in the industry.

How do you think you have personally benefited from becoming a CISSP?
I think early on in your career, a CISSP is an important step in helping you get a broad understanding of cybersecurity. This way, you can then go deeper into other areas of say SDLC or application development, pen testing, compliance, etc. The CISSP is still considered the “gold standard” in information security around the world, and it will allow peers and employees to know that you understand the fundamental knowledge for cybersecurity. I benefitted early on in my career by gaining access to a strong network of industry professionals as well as by attending industry conferences to learn more about how peers are dealing with cybersecurity challenges. The (ISC)² community and local chapters often have engaging presentations and workshops where you can hone in on your skills and gain access to global webinars and online training material and resources.
What steps brought you to the job you do today?

Being involved early on in cybersecurity and in this field for over 20 years, I have had the benefit of seeing many different aspects of cybersecurity. After working for several different companies and being a management consultant for many years to Fortune 200 companies, I gained an interest in the rapidly growing FinTech / Blockchain space, and with the massive number of attacks on cryptocurrency companies, I saw an opportunity to build a team to help Crypto.com. It has been a challenging ride, and it requires ongoing commitment and dedication to the field.
What achievement or contribution are you most proud of?

I have won numerous industry awards, but it was a team achievement of obtaining a patent in the cryptocurrency space. As the industry was rapidly evolving, the traditional cloud providers were not able to support the ways in which we needed to perform some of our key processes on a day-to-day basis in a secure way with the cryptocurrency tokens we were using like Bitcoin, Ethereum and others. The team contributed in different ways, all of which helped us to obtain the patent registration. Individually, being invited to the Forbes Technology Council for my contributions and achievements in cybersecurity has been something I have been proud of, as well.

What is the biggest challenge you have faced in your career?
Overconfidence. After travelling around the world and consulting for some of the biggest companies, the consistent issue is with how organizations still often have an overconfident mindset that they have not been hacked and thus can put less focus into resources in cybersecurity. Top management and boards need to understand that cybersecurity risks are business risks and can impact a business in many ways. It will always be a challenge to change the mind-set of C-Levels and the board, but with the growing trend towards digital transformation, cybersecurity and data privacy need to be core pillars for any organisation’s business strategy.
What ambitions do you have for your career ahead?

My ambition is to contribute back to the ecosystem to build more cybersecurity and data privacy awareness for companies large and small. I already have been doing this on the side throughout my career, but more can be done, and the cybersecurity challenges continue to change over time. Security awareness training will always be something that I will be involved with for the rest of my career.

How do you ensure your skills continue to grow?
Simple. Keep hiring people (or surrounding myself with people) who are smarter than me. Cybersecurity is a unique industry where many have come from completely different backgrounds and led interesting journeys to get to where they are today. I have embraced this diversity in the team I have built, which consists of people from more than seven countries. All of them have a CISSP and more, but all have very different ways of looking at the same problem. This is not just a great way for me to continue to grow, but it also allows the team as a whole to grow, and this helps to foster a strong culture of knowledge-experience sharing.
What do you think the biggest challenge is for cybersecurity right now?

There is definitely a global cybersecurity shortage, and because technology adoption and digital transformation are accelerating faster than the rate at which we can supply cybersecurity professionals, organisations will often be playing a catch-up game in trying to fill roles. As mentioned above, general overconfidence in the industry around cybersecurity risks is a big challenge that needs to be overcome. Finally, I would also say machine learning and AI will evolve over the next years to give rise to AI-powered threats like malware. This trend will be very scary indeed.

What solutions do you think could address this?
More user awareness training is needed to address the human element of cybersecurity. An overall cybersecurity strategy should encompass more than just buying tools. More C-Level awareness of cybersecurity is needed. Companies need to continue to invest in talent and keep abreast of new technologies that can also introduce new business risks. Specifically to the above question on AI-powered threats, companies will need to invest and adopt their own AI cybersecurity strategy and tools such as User-Entity Behavior Analytics (UEBA) to help early detection of anomalies in the network environment.
Who inspires you in the world of cybersecurity?

My father has always been the most inspiring person to me. As the youngest of a family of five siblings, I grew up watching, learning and following him while everyone else was at school. To me, he could do everything and always had some way to “fix things.” Dad was into everything. Engineering, traditional medicine, mechanics, hydroponics, electronics, mathematics, farming, cooking and more!
The lesson for me here was that you should not just focus on one field. You can learn a lot from different fields, and you should have a growth mindset so that you can explore multiple ways to find a solution to a problem. This is still true for cybersecurity. You often need to think outside the box and think like a hacker to build up your organizational defence.
What do you think people considering a career in cybersecurity should know?

You need to have a growth mindset. A career in cybersecurity is extremely dynamic. Just as technology continues to change at a rapid pace, the business risks are getting broader and deeper, and you will need to keep up with technological changes that are happening around you. For example, with COVID-19 we are seeing that traditional industries like healthcare have had to rapidly evolve to cater for changes from telemedicine to remotely accessing and managing medical clinics and hospital operations that contain highly sensitive personal identifiable information and protected health information. As cybersecurity professionals, you will need to consider the impact of this, from the business perspective all the way through to the risks with employees working from home. The key thing people should know is that a career in cybersecurity is extremely challenging but at the same time very rewarding as you get to work on many interesting projects and often with emerging technologies to help organizations safeguard their systems.

To discover more about CISSP, download our Ultimate Guide. Or read our whitepaper, 9 Traits You Need to Succeed as a Cybersecurity Leader.

Or, check out more interviews with CISSPs as a part of this CISSP interview series.