The Certified Information Systems Security Professional (CISSP) certification is considered to be the gold standard in information security. This is so because of all the doors that certification opens to a CISSP professional. Those doors lead to many different types of positions and opportunities, thus making the information security community dynamic and multifaceted.
In support of this, ISC2 has launched a series of interviews to explore where CISSP certification has led security professionals. Last time we met Jerome Leach and discovered his experience with the CISSP certification. This installment features Angus Macrae . He is Head of Cyber Security at King’s Service Centre, a forward-thinking technology firm that supports the services at King’s College London.
What job do you do today?
I am Head of Cyber Security at King’s Service Centre.
What problems does your organisation solve?
King's Service Centre hosts award-winning innovative and forward thinking teams who support the services of King's College London, one of the worlds' top universities. We provide first-line IT support to the 35,000 strong King’s College London community of students, academics, researchers and professional staff. We do this 24 hours a day, 7 days a week, 365 days a year.
Why did you first decide to get into cybersecurity?
My first dedicated cybersecurity role came about just because I was really interested in that area of things. I thought that would be really great to actually think about and do security full-time. It wasn't perhaps a conscious decision that I wanted to become a security professional, but an opportunity became available, and I was encouraged to apply for it. I realised I had all the attributes to make it work, but it was one of those things that as soon as I started doing, I thought, “Wow okay, now I know what my niche is in life. This is what I always should have been doing.” And I thrived off of it really.
What was life like when you started out in your career in cybersecurity?
I'm showing my age here. I started my career in as more of an IT generalist in the 1990s when the field of cybersecurity wasn't so recognised as an entity in its own right. It was there, but it wasn't really called that. The big changes happened as we approach the year 2000. I’ve always had that security mindset, and the more I got involved in it, the more interested I became.
What was your first cybersecurity job?
It wasn't until 2009 that I became a full-time security person. Even then, people didn't really call it “cyber-security.” They called it “Information Security” or “Information Assurance.” It's a lot more recently that that term “cybersecurity” has come into common parlance. A lot's changed since then.
What first attracted you to consider getting a cybersecurity qualification?
I had already attained a number of technical certifications, and had even attended one of the earliest ethical hacking courses. But when I moved into that dedicated security role, I realised that this was the right time to find a qualification that was focused on security. I wanted to have the discipline, attitude and mindset to do this properly and professionally.
Why did you decide to undertake CISSP?
CISSP has world-wide recognition. This was 2010 when I decided to take the exam, and even then, it was the gold standard and something that seemed to have longevity to it. The whole premise of it was not just passing the exam but also demonstrating that I had the verifiable experience to perform at that level. The Code of Ethics was also really important to me; the ongoing CPE requirement is tough, but it helps to make sure that your skills stay up to date. This all adds up to a very credible certification.
How long did it take to achieve CISSP?
It took me about eight or nine months of self-study, and it concluded with me enrolling in a bootcamp before taking the exam on the final day.
How did you prepare for the exam?
During the self study, I took a domain a month, going over it, researching, looking at papers on the subject and making use of lots of different resources. This was a much more natural and useful way for me to understand all the content. I could think about how I could apply it to my work as I went through each domain.
The bootcamp was a real luxury. I was conscious that my company was paying and wished to maximise that investment, so I chose a six day face-to-face bootcamp with Firebrand. They had a real reputation for success, coupled with an opportunity to train again for free if you failed. The other bonus of enrolling in a boot camp is that you were able to have a distraction-free environment. It meant I had no other obligations that week, and I was also able to meet and get into some great discussions with other people on the course. It was a unique opportunity.
The exam was paper-based at the time, which meant you had to wait 4-6 weeks to find out if you had passed or failed. So you had a nervous wait. I was fortunate enough to pass first time.
What most surprised you about CISSP?
The content initially surprised me in terms of its breadth. It’s often disingenuously described as an inch deep and a mile wide, but I think it’s a good few feet deep in places. I had imagined it would be very technical—you know, IPSes, firewalls, that kind of thing. But I wasn’t expecting all the topics around legal jurisdiction and the policies around that. It’s such a broad range of policies and areas of knowledge which I found very, very interesting. Even though I was never really brilliant at maths in school, I found the encryption side of things absolutely fascinating. Security is only as good as its weakest link, so you can have great technical controls. But if you haven’t got the policies to secure things, it can pull apart quite quickly. This was the only qualification that covered it all.
How did it change how you approached your work?
I don’t think there was a magic kind of change. Because of the paper-based exam, I went back to work, and people asked me how I did. I was just saying, “I think it’s okay,” as it didn’t know until several weeks later. But I found it quite humbling to have that intense degree of knowledge and to realize how much there is still to know about security. So I went back quite humble and also quite invigorated about how I could start approaching things. It gave me a quiet confidence and opened my eyes to a lot more things.
How do you think you have personally benefited from becoming a CISSP?
I have found the Code of Ethics extremely valuable. It’s quite a good one to go back to because it gives you a certain line in the sand. You can feel confident in saying that you aren’t comfortable with something because you have this professional code of ethics. It’s a great thing to go back to because as a security professional, I would be negligent to say “yes” to something even if I come under quite a bit of pressure. It allows you to think more calmly about a situation and to really think about the right solutions for an organisation that also are in line with best practice. When I started CISSP, I learnt about how I should approach such things in a more professional, considered manner rather than feel pressure to respond immediately to the request to jump 10 feet in the air.
What ambitions do you have for your career ahead?
I just want to keep getting better and better at what I am doing. I want to keep making a difference and make a positive change on how other people do things. Also, continual learning is important to me. I’ve just put myself through CCSP (Certified Cloud Security Professional). It was a really good course. To be an effective cybersecurity professional, you have to keep up with change and keep challenging yourself with new ideas and ways of doing things. For me, at the moment, that means continually developing and mentoring others. I want to try and inspire other people to come into the profession.
How do you ensure you skills continue to grow?
As well as it being integral to CISSP, this is something I really enjoy. Reading books, blogs and papers, going to conferences, podcasts, videos, learning from others…it’s so important you always keep learning in this industry.
What do you think the biggest challenge is for cybersecurity right now?
If you had asked me this a year ago, I would have said some of the obvious things like IoT and the amount of connected devices or cloud or the rise of fileless malware. But now, I’m really thinking about the pandemic situation and what will come after. There is going to be a whole new spate of cyber crime and malicious cyber activity. We are also going to have the danger of a lot of talented people who are not necessarily going to find positive profitable work and who may end up in the darker parts of cyber. I think the economic downturn that is coming is going to be very challenging in terms of the threats we are going to get. For many, budgets will be cut, so they may not be there to support organisation through that riskier period. As a professional, I think cyber really needs to reach out to the hacking mindset and get them on the right side to do things like white hat penetration testing before they get absorbed into whatever comes out of the next few years.
Who inspires you in the world of cybersecurity?
A lot of people have inspired me. Here are just a few:
- Davy Winder, a great journalist whose articles have inspired me since his ‘PC Pro’ security columns, twenty plus years ago;
- Bruce Schneier , whom I saw speak at Infosec a few years back, and left so inspired I wrote a blog -which I was honoured that he the republished it on his own ‘Schneier on Security’ site;
- Amar Singh for his great talks and work with the Cyber Alliance; and
- Jane Frankland, a fantastic speaker at all levels who has done so much for the industry in terms of inclusivity. Inclusivity and diversity are such important topics. When you look around at many security conferences, everyone looks like me – white, male and middle aged. Much more can be done to increase the diversity in cybersecurity, and the whole industry will benefit from that.
What do you think people considering a career in cybersecurity should know?
I think they should know that it’s going to be challenging and very rewarding. They should be prepared to put in long hours and be prepared for some pretty tough days (and nights).
It really suits those with an inquisitive nature and those who like to look beyond the surface of things. To be good at cybersecurity, you need to not accept things as they are. You need to almost have a detective mentality and challenge everything. The other important aspect is that security doesn’t exist in a vacuum. It’s there to support the core objectives of the organisation. You need to understand what the business is trying to achieve and help them to do that in ways that are safe. Those ways need to not be too slow or obstructive however, or employees will find ways around them. You need to think about it through the eyes of the users and see what challenges they face. They may be thinking, “what is the most successful way I can do my job to hit my objectives or targets.” They aren’t necessarily thinking about what the most secure way is. Your job, as much as anything, is to help that business user to be both successful and secure.
To discover more about CISSP download our Ultimate Guide . Or read our whitepaper, 9 Traits You Need to Succeed as a Cybersecurity Leader .
Or, check out more interviews with CISSPs as a part of this CISSP interview series .