CISSPs from Around the Globe: An Interview with Javvad Malik

The Certified Information Systems Security Professional (CISSP) certification is considered to be the gold standard in information security. This is because of all the doors that certification opens to a CISSP professional. Those doors lead to many different types of positions and opportunities, making the information security community dynamic and multifaceted.

In support of this, ISC2 has launched a series of interviews to explore where CISSP certification has led security professionals. Our first installment features Javvad Malik, a security awareness advocate at KnowBe4, as well as blogger and YouTuber at JavvadMalik.com. He also contributes to two podcasts, The State Sponsored Podcast and Host Unknown, a company he founded.


What job do you do today?


I’m a security awareness advocate at KnowBe4.


What problems does your company solve?

KnowBe4 is the leading provider of security awareness and training in the world. Its focus is on the human layer and empowering them to make better risk decisions.

My role as an advocate is to raise awareness about awareness (no pun intended) as well as to help inform and educate on security issues based on my experience and research.


Why did you first decide to get into cybersecurity?

My university degree had a one-year work placement option. I applied for a number of roles and got a placement within the IT Security team at a bank. I had no idea what IT security did or what to expect, but I found the work incredibly interesting. The bank seemed to like me, too, and it offered me a permanent job once I finished my degree, and the rest was history.

What was life like when you started out in your career in cybersecurity?

It was a very different world. I worked for a bank where the IT Security team consisted of five people. Not many people in the organisation knew what we did or were too concerned with what we did. We would administer the various systems, manage privileged credentials, and even do some monitoring. Pretty much the same as what many do today, just at a very small scale and limited in reach.

What was your first cybersecurity job?

My first job was as a security administrator in the IT security team of a large global bank.

What first attracted you to consider getting a cybersecurity qualification? Why did you decide to undertake CISSP?

I’d been in my first job for a few years, and while I enjoyed it, I felt like I’d hit a glass ceiling and there was nowhere to go. I wasn’t sure what my options were, and I began to consider doing a part-time Master’s to bolster my education and qualifications in the hope that it would open some doors for me.

In doing my research as to which security courses there were, I discovered CISSP. It wasn’t as well-known in the UK at the time, but it seemed to be a far better option than a Master’s.

How long did it take to achieve CISSP?


From the moment I decided to take the exam, I’d say about 9 months.


How did you prepare for the exam?

I purchased the official guide, and I downloaded whatever resources were on the ISC2 website. After reading the official guide, I supplemented it with another guide (possibly the late Shon Harris one), and I then enrolled in a week-long exam prep boot camp.

The training really helped. The instructors helped put a lot of things into context and identify which parts of the course I needed to focus on for the exam and why.

After that, I spent a couple of months repeating practice exam questions on cccure.org. I believe it still has practice exams. It was the best resource of all because it got me used to how the questions were structured, that is, how to read and understand them quickly as well as how to sort through the multiple choice options.

What most surprised you about the CISSP?

Perhaps the breadth of the syllabus was the thing that surprised me the most. I certainly didn’t expect to be learning about things like physical security or which fire suppression systems are best in which scenario, but there we were.

How do you think you have personally benefited from becoming a CISSP?

Initially, the CISSP opened many doors for me in terms of getting interviews and placing me in front of the right people. Later in my career, it helped me meet and connect with a large number of peers, many of whom have become good friends.

How did it change how you approached your work?

It did open my eyes to how much more there was to security than what I had been involved in. So, I became more aware of other departments and priorities, and it helped me to understand the driving factors behind decisions.

What steps brought you to the job you do today?

Having started as an IT Security administrator and having done a lot of hands-on work, I wanted to move up in my career. I saw that consultants seemed to be doing better, and so I followed the money into a non-tech role.

I stayed as an independent consultant for a few years, while on the side I started to blog and video blog on security topics. This helped boost my personal profile in the industry, and as a result, I managed to find myself landing a role as an industry analyst at 451 Research. This was a complete change from being a practitioner, and it exposed me to a whole other side of the industry which included investors and vendors.

After a few years there, I was approached by a vendor to join them as an evangelist, and having worked as a practitioner and an industry analyst, I thought I should complete the loop and work at a vendor.

What achievement or contribution are you most proud of?

Back in 2010, we had the first BSides London, and two speakers, Stephen Bonner and Steve Lord, stuck in my mind. Their presentations were educational, engaging, and informative. In my mind, they had set the bar as to what I needed to aim for. But I had never spoken at an event before. I had nothing to talk about, and they didn’t even know I existed.

Fast forward a few years, and not only had I become friends with them both, but I had presented at occasions where they were in attendance. Separately, both complimented me afterwards.

It may seem like a small thing, but I think about where I was, and where I got to. It really made me believe that I could achieve things if I put my mind to it.

What is it about your job that you love?

Security has always been a rewarding career because no two days are the same. But now it’s also very high profile. One of the things I love about it is being able to interact with people who have been exposed to security for the first time and help them understand and navigate the potential minefield that there is.

What is the biggest challenge you have faced in your career?

Hmm, that’s a tough one. I think the biggest challenges have been around corporate cultures and abrasive personalities. There’s nothing more challenging than to have an unsupportive manager or to work in a toxic culture regardless of the role.

What ambitions do you have for your career ahead?

I am very content with how my career has panned out. If you’d told me 15 years ago the things I’d achieve by now in my career, I would have called you a liar. That being said, one of my biggest ambitions is to break security out of the tech silo we’re in and expose it in an understandable and relatable way to the masses.

How do you ensure that your skills continue to grow?

As part of my job, I need to stay on top of all the latest developments, news, and trends. So I spend about 2 hours a day reading and staying up to date with the latest developments. But perhaps more than that, I stay in touch with a broad range of security experts and colleagues who are far smarter than me and who are generous enough to share their knowledge with me.

What do you think the biggest challenge is for cybersecurity right now?

Communication, communication, communication. We have the technical knowledge, and in most cases we know how to fix security issues that occur. The challenge is explaining the challenges and the resolutions in a way that is aligned to the organisational objectives.

We often see a breach and can pinpoint a set of controls that could have prevented it. Usually, these are relatively well-established controls like implementing MFA, or patching software. The fact that we didn’t communicate the need or the risk up front clearly enough is our failing.

What solutions do you think could address this?

Educating security professionals to better understand the business side of organisations. How to understand financial reporting, what is relevant to shareholders, and how to budget.

Who inspires you in the world of cybersecurity?


Too many to count!


What do you think people considering a career in cybersecurity should know?

It’s a vast vast field that extends far beyond pen testing or coding. Whatever background you have or whatever skillset you have, you can bring it to cybersecurity and make a positive difference.

To discover more about CISSP, download our Ultimate Guide, or read our whitepaper, 9 Traits You Need to Succeed as a Cybersecurity Leader.

Or, check out more interviews with CISSPs as a part of this CISSP interview series.
