CISSPs from Around the Globe: An Interview with Chris Clinton

The Certified Information Systems Security Professional (CISSP) certification is considered to be the gold standard in information security. This is so because of all the doors that certification opens to a CISSP professional. Those doors lead to many different types of positions and opportunities, thus making the information security community dynamic and multifaceted.

In support of this, ISC2 has launched a series of interviews to explore where CISSP certification has led security professionals. Last time we heard from Melissa Parsons. This installment features Chris Clinton. He is co-CEO and co-founder of Naq Cyber and an advocate of helping small business owners protect themselves against digital threats.

What job do you do today?

I am the co-founder of a start-up called Naq Cyber. We are on a mission to protect small businesses from cyberattacks.

What problems does your job/company solve?

We work exclusively with small- and medium-size businesses (typically consisting of 10-50 employees) that are offering professional services such as law firms and accounting practices. We offer a broad range of services to protect our clients. Our services consist of scanning, training, documentation and instant response.

We started because we didn’t really see anything out there taking care of small businesses in a holistic way. We want to be the last vendor our customers ever speak to in their quest for security.

Initially, we get them to a good baseline. Many SMEs don’t have anyone specialising in cybersecurity due to their size. They don’t realise things like the logon page for the admin section of their WordPress site is accessible to everybody on the internet. Or they allow users to log on to their email from any device without being aware of the risks. Once we work with our customers to get them to a base level, we can then look at additional services, but only if they really need it. We believe in having a totally ethical approach. We are not there to upsell for the sake of it. This is really important to why we started the business at all. We want to genuinely help people.

Why did you first decide to get into cybersecurity?

Like most people in cybersecurity, it was a pure accident. I left university, and I didn’t know anything really about cybersecurity, but I knew I wanted to work in IT somehow. I was due to start at QinetiQ the year I graduated, but a month before I was due to start, I had a phone call from them to say they were deferring all graduate jobs for a year. Originally, the job I was going to do with them was on PCB design but when they restarted the program a year later, they had closed that department. They offered me a place in the cybersecurity department instead, so I thought, “OK fine. I’ll give that a go.” Literally, that phone call has now led to me running my own cybersecurity company.

What was life like when you started out in your career in cybersecurity?

I graduated in 2010 from the University of Liverpool with a degree in computer science and electronic engineering. But I don’t really use anything I learned at University because the IT and cybersecurity world changes so fast. For example, cloud computing wasn’t even a thing yet 10 years ago, and now it is everything!

What was your first cybersecurity job?

My first job was working for a venture capital firm. Each year, they employed 10 engineers and 10 fashion design graduates because that was what their portfolio consisted of. As you can imagine, the induction was quite interesting with a group of engineering grads and a group of fashion designers.

From there, I got a job offer from QinetiQ in their cybersecurity team, and I was employed as an information assurance consultant.

My first project there was working on the accreditation of the Galileo system, which is the European version of GPS. My job was to ensure that all aspects of the system, including the satellites themselves, were protected. It was a pretty cool job. It was really interesting. It was really good work.

What first attracted you to consider getting a cybersecurity qualification? Why did you decide to undertake CISSP?

It was actually when I was working for BAE Systems. They wanted (and thus paid for) me to take this qualification.

I was 25 or 26, and I was working with large corporations and government departments. I needed CISSP to give reassurance and credibility to our clients. CISSP showed them that even though I was a relatively young guy, I had the experience and skills they could be confident about. Also, I realized that when I was talking to a CISO, having the CISSP letters after my name could show real credibility.

How long did it take to achieve CISSP?

For me, it was a relatively short period of time. I crammed it in a bootcamp, which I wouldn’t recommend!

How did you prepare for the exam?

I undertook a week-long course. It was a 5-day bootcamp, lectures all day, studying all evening followed by revision on the Saturday and then the six-hour exam on the Sunday. It was hell on earth doing it that way!

What most surprised you about CISSP?

It’s incredibly broad. In the exam, you can have a question saying, “What does Layer 3 represent in the OSI model?” And then the next question might be how high a fence should be around a building! This is what is good about CISSP. It is so broad, and that in particular makes it so useful to what I am doing today. This is also why it is such a respected qualification. It demonstrates that you know something about everything.

Did it change how you approach your work?

Yes, a lot! I remember this explicitly. CISSP expects you to be able to talk with a reasonable level of confidence about everything. It takes techies like me and makes us more able to act as a management consultant, and it takes a management consultant generalist and gives them a much more technological understanding. It brings us to the same level and helps us all talk the same language.

What were the first changes you noticed after becoming a CISSP?

I was in a Pre-Sales (or Technical Sales) role, so I had to talk about the actual product and the solution. CISSP enabled me to ask the right questions to clients about their network, why they needed certain pieces of technology and how their team could use it. I knew to ask them about their risk appetite and their business continuity plans. What I learned in CISSP really helped me make the connections between the technology and the business needs. I was able to better understand business risk and how cybersecurity played into that.

What steps brought you to the job you do today?

CISSP really helped me get to where I am today. Holding this qualification is very important in the start-up world where you find a lot of people learning on the job. Being able to say I hold this certification and have a third-party verification gives a lot of credibility. As I mentioned earlier, the business we have set up gives a broad cybersecurity offering, and that is exactly the content covered in CISSP.

What is it about your job that you love?

I love being able to help protect people. Many in cybersecurity talk in militaristic terms. I think we need less of the war analogies and move towards the language of protecting and helping. This is what really motivates me, and what I really enjoy doing in our business. We are protecting people and livelihoods.

What achievement or contribution are you most proud of?

I am most proud of helping one of Naq’s customers resolve an issue with their architecture which, if exploited, could have potentially led to the company going out of business and many good people losing their jobs.

How do you ensure your skills continue to grow?

The CPE requirement in CISSP is quite high. This helps to ensure that you engage in your ongoing learning. You earn CPE credits in many ways such as reading journals, taking part in webinars and going on courses or to conferences. In cybersecurity, it’s really important that you keep learning because it changes all the time.

What do you think the biggest challenge is for cybersecurity right now?

The lack of people in the industry. There’s just not enough coming through right now to fill the jobs that exist.

In terms of challenges within cybersecurity, ransomware is the big one. It’s simple and cheap for a criminal to deploy, and it can have a devastating effect. The problem is that big businesses and insurance companies often pay the ransom, which makes it so lucrative. I’m seeing an interesting move now into a sort of “pre-ransomware.” These emails say that unless you pay this relatively small amount, we are going to deploy ransomware to you. As an SME, it’s scary stuff, and if I weren’t in this business, I might be tempted to pay it. We protected a client from exactly this threat recently.

Who inspires you in the world of cybersecurity?

The people I work with. We all have a very ethical approach to how we operate and how we do business. Outside of the industry, someone like Elon Musk inspires me. He looks at what problem needs to be solved and then comes at it from a different angle. He looks at what is really the best solution for the problem. I admire that creative approach to problem solving and trying to find the best solution to address it.

What do you think people considering a career in cybersecurity should know?

One of the biggest problems in attracting people to work in cybersecurity is the imagery attached to it. You see 1111000’s and young white kids in hoodies. That is all nonsense. This can really put people off. There is a wide variety of jobs in cybersecurity, and they can suit a large variety of skills. Yes, there are those that love nothing more than sitting there for 10 hours analysing a log file. Those people make great pentesters or security analysts. But there are many other roles, too. Take our co-founder, Nadia, who is a legal expert specialising in GDPR. There are a variety of skills and personality types needed in cybersecurity that sometimes gets lost behind the imagery you see.

To discover more about CISSP download our Ultimate Guide. Or read our whitepaper, 9 Traits You Need to Succeed as a Cybersecurity Leader.

Or, check out more interviews with CISSPs as a part of this CISSP interview series.
