CISSPs from Around the Globe: An Interview with Angus Macrae

The Certified Information Systems Security Professional (CISSP) certification is considered to be the gold standard in information security. This is so because of all the doors that certification opens to a CISSP professional. Those doors lead to many different types of positions and opportunities, thus making the information security community dynamic and multifaceted.

In support of this, ISC2 has launched a series of interviews to explore where CISSP certification has led security professionals. Last time we met Jerome Leach and discovered his experience with the CISSP certification. This installment features Angus Macrae. He is Head of Cyber Security at King’s Service Centre, a forward-thinking technology firm that supports the services at King’s College London.

What job do you do today?

I am Head of Cyber Security at King’s Service Centre.

What problems does your organisation solve?

King’s Service Centre hosts award-winning innovative and forward-thinking teams who support the services of King’s College London, one of the world’s top universities. We provide first-line IT support to the 35,000-strong King’s College London community of students, academics, researchers and professional staff. We do this 24 hours a day, 7 days a week, 365 days a year.

Why did you first decide to get into cybersecurity?

My first dedicated cybersecurity role came about just because I was really interested in that area of things. I thought that would be really great to actually think about and do security full-time. It wasn’t perhaps a conscious decision that I wanted to become a security professional, but an opportunity became available, and I was encouraged to apply for it. I realised I had all the attributes to make it work, but it was one of those things that as soon as I started doing, I thought, “Wow okay, now I know what my niche is in life. This is what I always should have been doing.” And I thrived off of it really.

What was life like when you started out in your career in cybersecurity?

I’m showing my age here. I started my career as more of an IT generalist in the 1990s when the field of cybersecurity wasn’t so recognised as an entity in its own right. It was there, but it wasn’t really called that. The big changes happened as we approached the year 2000. I’ve always had that security mindset, and the more I got involved in it, the more interested I became.

What was your first cybersecurity job?

It wasn’t until 2009 that I became a full-time security person. Even then, people didn’t really call it “cyber-security.” They called it “Information Security” or “Information Assurance.” It’s a lot more recently that that term “cybersecurity” has come into common parlance. A lot’s changed since then.

What first attracted you to consider getting a cybersecurity qualification?

I had already attained a number of technical certifications, and had even attended one of the earliest ethical hacking courses. But when I moved into that dedicated security role, I realised that this was the right time to find a qualification that was focused on security. I wanted to have the discipline, attitude and mindset to do this properly and professionally.

Why did you decide to undertake CISSP?

CISSP has world-wide recognition. This was 2010 when I decided to take the exam, and even then, it was the gold standard and something that seemed to have longevity to it. The whole premise of it was not just passing the exam but also demonstrating that I had the verifiable experience to perform at that level. The Code of Ethics was also really important to me; the ongoing CPE requirement is tough, but it helps to make sure that your skills stay up to date. This all adds up to a very credible certification.

How long did it take to achieve CISSP?

It took me about eight or nine months of self-study, and it concluded with me enrolling in a bootcamp before taking the exam on the final day.

How did you prepare for the exam?

During the self study, I took a domain a month, going over it, researching, looking at papers on the subject and making use of lots of different resources. This was a much more natural and useful way for me to understand all the content. I could think about how I could apply it to my work as I went through each domain.

The bootcamp was a real luxury. I was conscious that my company was paying and wished to maximise that investment, so I chose a six-day face-to-face bootcamp with Firebrand. They had a real reputation for success, coupled with an opportunity to train again for free if you failed. The other bonus of enrolling in a boot camp is that you were able to have a distraction-free environment. It meant I had no other obligations that week, and I was also able to meet and get into some great discussions with other people on the course. It was a unique opportunity.

The exam was paper-based at the time, which meant you had to wait 4-6 weeks to find out if you had passed or failed. So you had a nervous wait. I was fortunate enough to pass first time.

What most surprised you about CISSP?

The content initially surprised me in terms of its breadth. It’s often disingenuously described as an inch deep and a mile wide, but I think it’s a good few feet deep in places. I had imagined it would be very technical—you know, IPSes, firewalls, that kind of thing. But I wasn’t expecting all the topics around legal jurisdiction and the policies around that. It’s such a broad range of policies and areas of knowledge which I found very, very interesting. Even though I was never really brilliant at maths in school, I found the encryption side of things absolutely fascinating. Security is only as good as its weakest link, so you can have great technical controls. But if you haven’t got the policies to secure things, it can pull apart quite quickly. This was the only qualification that covered it all.

How did it change how you approached your work?

I don’t think there was a magic kind of change. Because of the paper-based exam, I went back to work, and people asked me how I did. I was just saying, “I think it’s okay,” as I didn’t know until several weeks later. But I found it quite humbling to have that intense degree of knowledge and to realize how much there is still to know about security. So I went back quite humble and also quite invigorated about how I could start approaching things. It gave me a quiet confidence and opened my eyes to a lot more things.

How do you think you have personally benefited from becoming a CISSP?

I have found the Code of Ethics extremely valuable. It’s quite a good one to go back to because it gives you a certain line in the sand. You can feel confident in saying that you aren’t comfortable with something because you have this professional code of ethics. It’s a great thing to go back to because as a security professional, I would be negligent to say “yes” to something even if I come under quite a bit of pressure. It allows you to think more calmly about a situation and to really think about the right solutions for an organisation that also are in line with best practice. When I started CISSP, I learnt about how I should approach such things in a more professional, considered manner rather than feel pressure to respond immediately to the request to jump 10 feet in the air.

What ambitions do you have for your career ahead?

I just want to keep getting better and better at what I am doing. I want to keep making a difference and make a positive change on how other people do things. Also, continual learning is important to me. I’ve just put myself through CCSP (Certified Cloud Security Professional). It was a really good course. To be an effective cybersecurity professional, you have to keep up with change and keep challenging yourself with new ideas and ways of doing things. For me, at the moment, that means continually developing and mentoring others. I want to try and inspire other people to come into the profession.

How do you ensure your skills continue to grow?

As well as it being integral to CISSP, this is something I really enjoy. Reading books, blogs and papers, going to conferences, podcasts, videos, learning from others…it’s so important you always keep learning in this industry.

What do you think the biggest challenge is for cybersecurity right now?

If you had asked me this a year ago, I would have said some of the obvious things like IoT and the amount of connected devices or cloud or the rise of fileless malware. But now, I’m really thinking about the pandemic situation and what will come after. There is going to be a whole new spate of cyber crime and malicious cyber activity. We are also going to have the danger of a lot of talented people who are not necessarily going to find positive profitable work and who may end up in the darker parts of cyber. I think the economic downturn that is coming is going to be very challenging in terms of the threats we are going to get. For many, budgets will be cut, so they may not be there to support organisation through that riskier period. As a professional, I think cyber really needs to reach out to the hacking mindset and get them on the right side to do things like white hat penetration testing before they get absorbed into whatever comes out of the next few years.

Who inspires you in the world of cybersecurity?

A lot of people have inspired me. Here are just a few:

  • Davy Winder, a great journalist whose articles have inspired me since his ‘PC Pro’ security columns, twenty plus years ago;
  • Bruce Schneier, whom I saw speak at Infosec a few years back, and left so inspired I wrote a blog, which I was honoured that he then republished on his own ‘Schneier on Security’ site;
  • Amar Singh for his great talks and work with the Cyber Alliance; and
  • Jane Frankland, a fantastic speaker at all levels who has done so much for the industry in terms of inclusivity. Inclusivity and diversity are such important topics. When you look around at many security conferences, everyone looks like me – white, male and middle aged. Much more can be done to increase the diversity in cybersecurity, and the whole industry will benefit from that.

What do you think people considering a career in cybersecurity should know?

I think they should know that it’s going to be challenging and very rewarding. They should be prepared to put in long hours and be prepared for some pretty tough days (and nights).

It really suits those with an inquisitive nature and those who like to look beyond the surface of things. To be good at cybersecurity, you need to not accept things as they are. You need to almost have a detective mentality and challenge everything. The other important aspect is that security doesn’t exist in a vacuum. It’s there to support the core objectives of the organisation. You need to understand what the business is trying to achieve and help them to do that in ways that are safe. Those ways need to not be too slow or obstructive however, or employees will find ways around them. You need to think about it through the eyes of the users and see what challenges they face. They may be thinking, “what is the most successful way I can do my job to hit my objectives or targets.” They aren’t necessarily thinking about what the most secure way is. Your job, as much as anything, is to help that business user to be both successful and secure.

To discover more about CISSP download our Ultimate Guide. Or read our whitepaper, 9 Traits You Need to Succeed as a Cybersecurity Leader.

Or, check out more interviews with CISSPs as a part of this CISSP interview series.
