The Certified Information Systems Security Professional (CISSP) certification is considered to be the gold standard in information security. This is so because of all the doors that certification opens to a CISSP professional. Those doors lead to many different types of positions and opportunities, thus making the information security community dynamic and multifaceted.
In support of this diversity, ISC2 has launched a series of interviews to explore where CISSP certification has led security professionals. Last time Angus Macrae shared his CISSP experience. This installment features Melissa Parsons, Senior Consultant in Cyber Security for KPMG Canada. She has notable success driving and managing increasingly complex IT, security and privacy related projects.
What job do you do today?
Currently, I work as a Senior Cybersecurity Consultant within the Risk Consulting and Advisory practice at a “Big 4” firm.
What problems does your company solve?
My team and I help organizations in the private and public sectors navigate and minimize the world of cyber risk. Key areas of focus include strategy and governance, transformation, cyber defense and cyber response. Recently, I’ve worked on a number of Threat Risk Assessments (or TRAs) as well as ISO 27001 engagements which pertain to a client’s Information Security Management System (or ISMS).
Why did you first decide to get into cybersecurity?
I wanted to continue to help my company to innovate safely and securely in a way that was informed and that considered threats, risks and vulnerabilities along the way.
What was life like when you started out in your career in cybersecurity?
I transitioned into a cybersecurity career from a former DevOps role within a company internally. I was intimately familiar with this organization’s technology and architecture at the time when I moved over to a Security Analyst role. Because of this historical knowledge within the company, I was able to clearly identify areas of strength and areas that required additional focus and care in relation to security.
What was your first cybersecurity job?
Security Analyst. I was responsible for internal security program management including technical aspects of enterprise risk, incident response, lawful access requests (acted as privacy lead), disaster recovery planning and testing, as well as audit and regulatory obligations.
Why did you decide to undertake CISSP?
Taking the CISSP was a “no-brainer” for me once I had some experience under my belt. I had already taken and passed the SSCP from ISC2. This was the next logical step in my professional development. I knew it was the most sought-after cert in my field, and I knew it would be required for more senior positions/contracts and that it would open a lot of doors (and it has!). Obtaining the CISSP demonstrates that you have practical employment experience, a deep understanding of security across the eight tested domains, and a familiarity with pretty much all aspects of the cybersecurity landscape.
What prompted you to do that?
I started consulting around the time I obtained my CISSP. I was working on RFP proposals with my team, which mainly indicated that the CISSP was a prerequisite qualification in the requirements. In addition to being qualified to work on some incredible projects with large private and public sector clients, the CISSP is highly valued, recognized and respected amongst peers and colleagues across the globe.
How long did it take to achieve CISSP?
I started and stopped studying for a year, and I then buckled down in the final month before taking the exam.
What resources did you use?
I purchased the official ISC2 study guide and practice tests. In addition to these resources, I watched online tutorials, took a lot of handwritten notes and used my whiteboard to track my progress.
Did you enrol in any training?
I did not, but in hindsight, that may have been very helpful and less stressful. It could have been a more dynamic way of learning with a better structure than the self-study route.
What most surprised you about CISSP?
I don’t think I was too surprised by much. I have many friends and colleagues who successfully passed the exam and offered me great advice and tips. I would recommend reaching out to your network and asking a few different CISSP holders about their experiences. Everyone has a slightly different experience and perspective.
What were the first changes you noticed after becoming a CISSP?
I was in a new, slightly intimidating phase of my career in which I was consulting for Fortune 500 companies and large government entities in cybersecurity. I was eager, scared, and excited all at once! Achieving my CISSP was a cause to celebrate yet another milestone. It made me feel more confident in my abilities and gave me validation to quiet the “impostor syndrome monster” lurking in the far corners of my mind and to “get on with the show” to produce some valuable deliverables for my clients.
What steps brought you to the job you do today?
When I decided to give consulting a go, my aim was to widen my experiences and previous knowledge base in cybersecurity across multiple industries and sectors in order to gain a more holistic view of organizations’ challenges. It has been an incredible journey and learning experience. It’s accelerated my understanding and appreciation for how businesses and organizations strategize and operate in relation to cybersecurity, IT, information management, privacy and enterprise risk. I've been very lucky to work alongside C-suite and board members from some very innovative and talented organizations. In short, the work has been both inspiring and rewarding. (I made the right move!)
What achievement or contribution are you most proud of?
Earlier this year, I was asked to return to my college to present as an alumna at a global event for women in cybersecurity. I was honoured and felt this truly was one of those “full circle” moments in life. There were guest speakers from all over the world, media coverage and so many impressive business and government leaders. I was so nervous but felt a tremendous amount of necessity to “nail it.” I practiced that speech for weeks, and in those 7 minutes at the podium, I saw my favourite instructor smiling up at me from the audience. I had to refrain from tearing up on a number of occasions. After the event, I gave him a hug and thanked him for believing in me when I was at a point in my life where I wasn’t believing much in myself. A lot of my presentation that night echoed that theme of believing in yourself, finding mentorship and then paying that forward when you can.
What is it about your job that you love?
I love helping organizations develop road maps and mature their security posture. I’m a very strategic and analytical thinker and get way too much joy out of research and planning. I don’t believe in the “one size fits all” model. I like to customize plans that are realistic and achievable to make the world a little bit safer for us all. I love getting feedback from clients during a closing meeting. I really pour my heart and soul into what I do, and it means the world to me that other people and organizations can benefit from that.
What is the biggest challenge you have faced in your career?
The biggest challenge? Having a career at all! I was a young, single parent really struggling early on, and I was a “late bloomer” when it came to finding a path I felt passionate about (and could pay the bills!). I never would have imagined 10-15 years ago that it would be in cybersecurity! My younger self would have thought I wasn’t “enough” (smart enough, talented enough, driven enough, etc.). And yet, I always had a keen “investigative streak” in all my prior places of employment during those years of customer support and IT work. I was dubbed “P.I. Parsnips” by a former manager, and that has stuck with me all these years later! I’m really proud that I didn’t give up taking on new challenges and trying new things. You never know what you are capable of until you try! It sounds so cliché, but it was all those leaps of faith that led me here today.
What ambitions do you have for your career ahead?
I am still trying to figure that one out! Truth be told, I have moments (like these, doing this interview) where I am in total shock! I do see myself continuing to hone in on my strategy and advisory skills just maybe in a more senior role.
How do you ensure your skills continue to grow?
I belong to a number of professional associations and chapters such as ISC2, and I continue to participate in seminars, conferences, webinars and trainings to keep my skillset sharp and gain new perspectives and insights from others in the community. Networking is key in any career path. I find I get the best takeaways from environments where I’m meeting and mingling with other professionals and hear them share their stories. It’s a great way to meet new mentors and provide mentorship to others, as well.
What do you think the biggest challenge is for cybersecurity right now?
I feel the biggest challenge right now is the rapid expansion of the threat landscape. We are struggling to keep up. Adversaries are no longer just human in nature; they also consist of the very technology that we have created out of demand for automation, speed, agility and efficiency. Think bots, for example. They have the capability to be used for good or, quite frankly, evil. There is no doubt that the digital revolution has led to miracle-like advances in areas like healthcare and all sorts of wondrous accessibility to information like never before, but there are always those thoughts in the back of my head around “Ok, but how is this configured? Where is my data going? Who/what has access? What are the potential threats and risks?” anytime a new product or solution is adopted.
What solutions do you think could address this?
Good oversight/governance coupled with security by design could help, but first comes education on the importance of embedding security throughout the SDLC. Part of what has drawn me to this “world” is protecting people. Cybersecurity awareness and education is a personal mission of mine, but it is not one I engage in through “fear mongering” or criticism. We have to use empathy and compassion in this field to get ahead and work together instead of pointing fingers and passing around the “hot potatoes”.
Who inspires you in the world of cybersecurity?
Youth! It’s the teens and 20-somethings. I see them all revved up, informed and so hyperaware. They inspire me every day. They are going to change the world, I have no doubt about that, so we have an incredible duty to “serve and protect” them in whatever capacity we can. For myself personally, that will be through my small, daily acts as a parent, volunteer, and cybersecurity professional.
What do you think people considering a career in cybersecurity should know?
There is such a large range of cybersecurity roles and options out there today in this new and ever-expanding career line. If you are considering one, consider them all. Try a lot of different things. Have fun with it, too! Play with different programming languages and scripts as well as test and review different tools and products. There are so many ways to contribute to this community that complement so many different types of people, skillsets, personalities and curiosities, from AppSec, networking, OpSec, threat hunting to governance, risk and compliance and everything in between! Also, don’t be afraid to reach out to people in a cybersecurity role and ask them questions about their experiences.
To discover more about CISSP, download our Ultimate Guide. Or read our whitepaper, 9 Traits You Need to Succeed as a Cybersecurity Leader.
Or, check out more interviews with CISSPs as a part of this CISSP interview series.