The Certified Information Systems Security Professional (CISSP) certification is considered to be the gold standard in information security. This is so because of all the doors that certification opens to a CISSP professional. Those doors lead to many different types of positions and opportunities, thus making the information security community dynamic and multifaceted.
In this installment, we talk to influential trailblazer Dr. Christine Izuakor . Christine shares with us her incredible story as the youngest student and first African-American woman to achieve a P.hD in Security Engineering, how she planned her journey to achieve her dream job and how her passion for cybersecurity had fueled her every step of the way.
What job do you do today?
I am the founder and CEO of Cyber Pop-up , which is an on-demand cybersecurity service platform for small and medium sized businesses. It's completely powered by vetted and highly skilled freelancers.
What problems does your business solve?
The issue is that there's this huge cybersecurity talent shortage, and there's not a lot of experts available yet. Everyone needs help. We fill that gap by bringing expertise to the small and medium sized businesses that can't afford to hire a full cybersecurity team or even a single cybersecurity expert. We're bridging that gap and allowing organizations to get access to our experts, on-demand, whether it's for a few hours, or for a single project so that they're not left exposed without any cybersecurity resources at all. It can be anything from a Virtual CISO, to creating a cybersecurity strategy or policy, reviewing infrastructure to find security gaps, doing assessments – it’s a broad range of services for clients all over the US.
What was life like when you started your career in cybersecurity?
It was a little hectic because I was doing so many different things at once, but I loved the industry so much because I loved everything that I was learning and doing. It never felt overwhelming or like it was too much. It was just fun to me. It's always been fun.
What was your first cybersecurity job?
I wanted to make sure that while I was in school I was still getting experience, so I ended up working full time through my masters and through my Ph.D. I got a two-month internship with Continental Airlines in Houston and they kept extending my internship until I was there as an intern for a year. At the end of my internship, there were different openings because the cybersecurity team was growing there. I recall at least three offers to choose from, which was a really nice position to be in, so I accepted one, and never looked back.
Why did you first decide to get into cybersecurity?
Initially, I was trying to be a medical doctor in school, and failed. So I started thinking that I was not meant to work in the medical field at all. I started taking different electives, trying to figure out what I wanted to do, what I wanted to pursue as my career. I was trying just random electives in school. I took finance, I was doing marketing, I was doing accounting. I just wanted to get as much exposure to different areas to see what I liked. I found a cybersecurity class, not really knowing what it was about, but it sounded kind of cool.
I absolutely fell in love with with the cybersecurity class I took. There was an encryption assignment and it just felt like a game. The assignment was to decipher an encrypted message. I was up until probably two or three o'clock in the morning trying to figure it out, and didn't even realize that I was up that late, because again, it just felt really fun. I had so much fun in that encryption class, that I decided to switch my major and started studying security management. I followed that path all the way from undergrad, to master's, to Ph.D.
During that same time, I knew that in order for me to grow into the role that I wanted to be in, I needed experience. You can do everything you want from an education standpoint and all of that, but a lot of people value having the hands-on experience.
I also started doing a ton of research to figure out what a career in cybersecurity looked like, how much money can a person make, and what are the future opportunities in that field in the next five years. This was 10 years ago, the industry was just starting to grow and the projection rates were just crazy in a positive way. It looked really good and it still rings true today. Not only is it such a high demand area, but it remains a fun profession. I didn't want to miss out on this career.
You earned your undergraduate degree, a Master’s, and were working towards a PhD in Cybersecurity. What made you decide to undertake the CISSP credential?
Throughout my entire career, my goal was to become a Chief Information Security Officer, and I would go to different job sites very early in my career and look at what the qualifications were for that role, and what people were asking and looking for when they were hiring. I saw “CISSP” on almost every job posting, so I knew that it was something that was highly sought after then, as it is now. But also, just for me, I wanted to make sure that I had checked every box, so there would be no reason why somebody would come to me and say “you're not qualified”, or “you can't do this”.
I knew that especially as a woman of color in cybersecurity 10 years ago, that I needed to go above and beyond in order to get into that position because I didn't see a lot of women who were CISOs. I didn't see a lot of people of color who are CISOs either. So I wanted to make sure that I went above and beyond to meet every requirement so that I would have that opportunity. That was the logic behind me going for almost every credential that I could think of that would provide value.
Increasing the visibility of underrepresented groups of people has always been important to me. When people see “CISSP” next to my name, and knowing that they can also succeed as I did, I think is a great motivator for a student. It’s always been important to me and as soon as I finished my Ph.D. program, I became a part-time professor. I intentionally taught at classes or at schools where there's underrepresented groups, and people who tend to get overlooked in the industry. When I would walk in the classroom, and they would see me and then see my credentials, it was mind-blowing to many of them. I was asked so many questions about how to get a CISSP and I loved sharing that information with them. That's something that I didn't expect because I wasn't doing it to be an example, but the fact that it ended up being that way has become very important to me. I love that I can have that impact now.
How do you think you have personally benefited from becoming a CISSP?
It helped me get a broader view of cybersecurity, and the timing might give some context to those too. I sat for the CISSP exam towards the tail end of my Ph.D. program. I did both of those things while I was working. I feel like the CISSP course of study allowed me to grow so quickly because it is such a broad and standardized framework where you learn a little bit of everything.
In a Ph.D. program, you find one super, super-focused area, and then you dig really deep into that. My Ph.D. program was focused more on security engineering, and how to solve very specific problems. So I learned how to focus really well on that topic. But then, with the CISSP, having those two things occurring simultaneously, while also being in a true work environment and applying everything in my day-to-day work, just allowed me to digest and retain the information so much more. It allowed me to grow so much more quickly as a security professional.
How did you prepare for the exam?
I attended a “boot camp” for a week and then I took the exam a week later. It was cool to meet other people in the class. It was cool to just like get a deeper insight into areas that I didn't have as much experience in. One of the most beneficial things about the boot camp is before I went in, I had five or six years of experience. I went through the CISSP framework and looked at the areas where I already had experience where I already had done a lot of research and insight. Not to say that I didn't focus on those, but I knew that I had a better grasp in those areas. Then, I specifically highlighted the areas where I didn't have as much expertise, where I had only studied them in a school setting.
In the boot camp, during those topics that were being covered, I would be able to ask the instructor very specific questions, be able to dive deeper into it more, be able to meet other people in that boot camp who had expertise in the areas I was not as familiar with, and be able to soak up as much as I could, and learn from them in that short amount time.
What most surprised you about CISSP?
The one thing that surprised me was realizing that as I was taking the practice exams if I was to answer the questions the way that I would in my real workday, I would fail. I really needed to stick to the true standard and framework. I think that that's important in a positive way because it's a learning process. It taught me that everything that I was learning working in one company was not going to work everywhere. It made me a stronger professional to know what the standard is, and to know what the best framework is, or the way to approach things so that when I'm put in different and unfamiliar positions, I still have a solid foundation that I can work from.
Did it change how you approached your work?
I'm all about constant evolution and constant self-improvement. With everything that I was doing around that time again, I was growing so quickly, and applying so many new things, that it definitely helped me broaden my perspective and my approach. For example, shortly after I finished my Ph.D. program, I got promoted into a global strategy role where, instead of focusing on just one area of cybersecurity, I was undertaking vulnerability management and some social engineering. I also became responsible for global security strategy across all of the different security domains reporting directly to the CISO. Gaining that broad range of understanding of all of the different CISSP domains, I was able to immediately apply everything that I was learning into that new role. I went from being a regular analyst all the way to reporting to a C-Level executive. A huge part of that leap and that transition came from the broad knowledge that I had just gained about the industry in addition to the experience in such a short amount of time.
What steps brought you to the job you do today?
There was a pivotal moment maybe two years ago. Even though my supervisor was such an amazing mentor and leader, I realized after being so closely exposed to the day-to-day responsibilities of a CISO, that I didn't want to be a CISO! I had spent the last nine years preparing for that role. To get so close and then realize that my heart and my passion was in another place was a huge epiphany. That's also where the stars align very perfectly, because, around that same time, I had realized that my biggest passions lie within the human elements of cybersecurity, such as training and educating and developing people.
This goes along with not only understanding the talent shortage problem, but also in a greater scheme of things beyond cybersecurity. I'm very passionate about helping people reach their full potential, so this idea that started to brew for years, and these shifts started happening, it was almost like the stars were aligning. The business model that my company has today just perfectly meets with all of those passions. I realized in that moment that I wanted to be the CEO of the cybersecurity company. So I did it, I made that leap of faith.
What ambitions do you have for your career ahead?
I've done so much in the last 10 years, and I love my company and I feel like it's my baby now. My ambitions are no longer necessarily tied to my personal career. I want to build Cyber Pop-up to reach its full potential and to be everything that I know it can be. In the process, it can truly impact the people in cybersecurity, and genuinely help people through our freelancer model, as well as through build this army of super-creative freelancers. I want to help people who don't typically get exposure or access to this industry, not just from a company or a small business standpoint, but through professional development. By giving them the opportunity to have that impact in jobs now, they can gain more experience, they can contribute value, and they can go on to work at the companies that they want to work for in the future. My aspirations and my focus at this point are more so on that side, and I'm now just really focusing on impactful contributions.
What is it about your job that you love?
I love that my job centers on everything that I care about because I care about helping people reach their full potential. I care about helping people get secure. I care about helping people just understand their cybersecurity risks, and I feel like just every single thing that I care about is baked into one place. I couldn't imagine being anywhere else at this point. It's the best position.
What is the biggest challenge you have faced in your career?
I would categorize that into two buckets. The biggest challenge that I faced in my career from a technical standpoint is knowing that experience is king in cybersecurity, and trying to do everything that I could to make sure that in addition to having credentials that I had experience in many different areas. I'm a very framework-heavy person. I literally have a spreadsheet just like I had when I was preparing to be a CISO. I created a spreadsheet with all the different domains that a CISO should understand and have experience in. I did this through research on different job postings and things like that. And then I would try to document, like my experience in those areas.
The biggest challenge was trying to get as much experience as I could in those areas in the timeframe that I wanted, which meant that I couldn't just go to work and do my job and go home. That wouldn't be enough for me to get the experience that I wanted towards becoming a CISO. I would do my job. I would do volunteer pro bono projects for non-profits, so that if there was an area that I couldn't learn through my current cybersecurity job, I could still acquire those skills through the pro bono work and get the experience that I needed.
On the opposite side, I felt a lot of imposter syndrome. As a woman of color in the cybersecurity space, not seeing a lot of people like me. Progressing so quickly and getting to the point that I did I thought that people only saw how young I was and how fast I got there. That's why the imposter syndrome kept me thinking that I shouldn't be where I was, regardless of all of my effort. I just worked really hard to accomplish my goal. Some people expressed that concern to me, but, fortunately, they are too few to be counted among all the successes of my hard work.
How did you overcome that feeling of imposter syndrome?
It's a constant journey, but I think one of the biggest things I had to look at is the way that I was talking to myself, the way that I was treating myself. Self-talk is very powerful. I think I gained more awareness of how it was actually my own internal struggle of me talking to myself, and saying, “you're not smart enough to do that, you're not qualified to do that yet”.
I had to really start paying attention to that internal-dialogue, and instead of bringing myself down, start to hype myself up, and encourage myself. This may sound somewhat basic, but it's truly what I started to focus on. I no longer allow myself to talk down to myself at all, ever. That makes such a huge difference, because now, if anybody does come to me and says that I'm unqualified or whatever the case may be, it doesn't bother me. I don't pay attention to it, because inside, I already know who I am, and that's what matters.
What achievement or contribution are you most proud of?
I would say earning my Ph.D. because I didn't realize the impact that it would have and it really shifted things for me. When I graduated, I became the youngest student and the first African-American woman to earn a Ph.D. in security engineering. I just remember sharing the journey, and the story going viral, getting millions of views. I had people from over 35 countries with thousands of messages just reaching out to me, saying things like “because of you, I'm going to pursue my dream” or “because of you, I'm going to go and pursue my degree in cybersecurity” or “because of you, I want to get my CISSP”. All of these are just overwhelming in a positive way; the outreach of people who were impacted. For me, that's one of my favorite accomplishments. The idea that just by going after my own dream and sharing the journey, and that having a positive impact as a result. I didn't do anything else.
How do you ensure your skills continue to grow?
I think that I'm an eternal student, of course, which is why I decided to become a professor right away. I'm really big on I'm really big on continuous growth and evolution. That's in addition to doing things like teaching, which helps me learn a lot. I'm continuously plugged into different conferences and speaking engagements, things like that. I also feel like having certifications, such as the CISSP, is like having that kind of reminder of how I have to make sure that I continue to complete a certain amount of learning hours to keep the certification. That extra accountability for me is important as a professional.
What do you think the biggest challenge is for cybersecurity right now?
The biggest challenge, and of course I might be biased because this is what I care the most about, but maybe it's also why I care the most about it, is the talent shortage. We're just out outnumbered, outworked, and outpaced, when it comes to people who are fighting the good fight, versus people who are fighting the bad fight.
When I hear some of the numbers and the statistics around the projection of needed cybersecurity professionals versus what we have today, that is one of the most concerning things. We can try to invest in automation and technology and all of these things to help fill some of the gaps, and some of that works and contributes value. That’s important, but you can't replace the human element of security at all. Being able to build talent pipelines and help people get the credentials and the experience that they need to thrive in the industry is one of the biggest challenges today.
What solutions do you think could address this?
It takes a multi-layered approach. Two of the biggest topics for me are focusing on building talent pipelines, and having a flow of people being able to get the right development and the right training, regardless of whether you're a student, or whether you're an existing professional. Again, acquiring the right hands-on experience, whether that's through being able to work within companies, possibly through rotation programs where you can get exposure to different areas.
In my career, I realized what I basically did was build my own rotation program. Having rotation programs and similar initiatives to help build more well-rounded professionals more quickly is going to be an important part of a solution.
On that same note, partnering with universities, non-profits, and different entities that can allow us to train people who are interested in the industry and get them some experience is another approach. Additionally, talent could originate from tangential industries where we have professionals who could very easily transition into cybersecurity and do well. Unfortunately, they either just don't know how, or they don't even have the awareness or the exposure. I wrote a book, Ultimate Guide to Building a Career in Cybersecurity , and I talk about this a little bit. If you're able to take somebody who is has been a network engineer for 15 years, and help them prepare for the CISSP, or the Associate version if they don't have all of the required experience, that will benefit the entire profession. If you're able to take people who have deep experience and deep expertise in some of these related areas and just layer on the cybersecurity piece, and then transition them into the industry, that would make a huge difference in the talent shortage.
Who inspires you in the world of cybersecurity?
I would say one of my biggest inspirations to date has been my old boss, Emily Heath. She helped me realize what I wanted to accomplish. Emily is the chief security officer at DocuSign now. She's amazing.
What do you think people considering a career in cybersecurity should know?
The biggest piece for me is still what I learned a long time ago. It's the experience. Experience is king. I say this because it's much better to realize that you need experience on the front end, and start working towards it than to go through school or go through trying to just get certain certifications, only to start looking for a job and then realizing that the entry-level positions are so limited. Even if you don't have a full-time cybersecurity job, you can begin to get creative, and do whatever you need to do to gain the experience. For example, as in my case, I was working full-time, but I also was doing pro bono projects for non-profits and for small companies just to get whatever experience I could.
I've had so many conversations with students who are trying to get into the industry without any experience, and are having a very hard time getting a job. It's frustrating for them because people are talking about this huge talent shortage and all of these jobs, but they are out there trying to get a job and there are no jobs. My best advice is to make sure that you do what you can to get some hands-on experience.
The last closing point that I'll add, and this is more personal, cybersecurity or not. I feel like life became so much easier for me when I discovered what my passion was and followed that. It takes so much continuous learning and growth, not only in the cybersecurity industry, but in any industry. If you don't stay attuned to the latest cybersecurity trends, you'll fall behind very quickly because things evolve so fast. I care about it so much because I'm so passionate about it. It's very easy for me to read a new book, or listen to a podcast, or read an article, or teach classes or get my continuing professional education credits. It sounds like a lot when I'm talking about all of the things that I've done, and continue to do, but it doesn't feel like too much because I'm so passionate about it. The biggest thing, whether it's cybersecurity, or anything, is just to make sure that you're following your passion and everything else hopefully will fall into place and it'll be a little bit easier.
To discover more about CISSP download our Ultimate Guide . Or read our whitepaper, 9 Traits You Need to Succeed as a Cybersecurity Leader .
Or, check out more interviews with CISSPs as a part of this. CISSP interview series.