Often in cybersecurity, we encounter professionals who never intended or expected to pursue security at all. In fact, when we spoke with Shubhra Deo , she revealed that her introduction to cybersecurity started as a mere curiosity. It eventually led to her gaining the experience, and sitting for two exams that earned her the CISSP, and the CCSP credentials. Her story shows how important curiosity can be in accelerating one’s career.Interview with Shubhra Deo, CCSP

Q: Could you tell us a little about your current job, and what attracted you to cybersecurity?

A: I am currently working as a Head, Data Security & Privacy. Back when I was doing my engineering studies in Biotechnology, I was reading some books about cybersecurity, and that triggered my interest. At the Indian Institute of Information Technology, they offered a postgraduate program on Cyber Law and Information Security, which I quickly grabbed. I developed a lot of interest during that two-year program. That's where I learned the foundational elements of cybersecurity, and I was so interested that during that tenure of my education, I actually read the CISSP Common Body of Knowledge. When I satisfied the experience requirements, I immediately took the exam, and earned the CISSP credential. Then, I never looked back.

Q: Prior to gaining the required experience, did you become an Associate of ISC2 ?

A: Yes, I was an ISC2 Associate, and then I attained CISSP designation. Similar to my introduction to the CISSP, I just read the CCSP book out of interest, and not to sit for the examination. But then, when I got into the job, I understood the value of it. The credential can certainly give a person’s career a boost. When I realized that, I registered for the exam, and because my foundations were good, I was able to pass.

Q: More recently, you undertook the CCSP course of study. What encouraged you to do that?

A: Actually, I was planning for the cloud security certification for quite a long time. Seven or eight years ago there was a lot of adoption of the cloud by many industries. Part of my job was to review and audit on organization security practices which are operating in cloud. I felt the need to strengthen my foundational knowledge about cloud security. Similar to how I studied for the CISSP, without even thinking about exam, I started reading the official ISC2 book just to understand cloud security. I realized that if I got the CCSP credential, it will also help.

Q: How long did you study, and did you use any other resources did you use to help you prepare for the exam?

A: I relied on the material that was being designed by ISC2. I used the official Common Book of Knowledge (CBK), and I also used the self-paced training. Those were sufficient for me to pass the exam. One misconception I would like to clear up is that some people think that the questions are repeated in the exams, but nothing like that happens. The questions are very fresh and very much in line with the industry guidelines. If you have actually worked in cloud security or with cloud technology, it will really help, but the training program and books will make your foundations of cloud security even stronger. I studied intensely for around one month, during December when my office workload was minimal.

Q: Did anything surprise you about the content?

A: The content is fine. But the questions are not easy. You cannot just learn some terms and expect to do well. You cannot just memorize the book. You have to think for a moment, you have to understand the question very well before you even start looking at options, because it is actually like a real-world scenario which is being asked. What surprised me was that I was able to finish my exam earlier.

Q: Did the knowledge that you gained change how you approached your work?

A: Definitely – a lot. Prior to studying for the exam, I had cloud security knowledge, but it was very specific to one operating system & platform. But, when I studied the CCSP book and learned the foundations, it showed me how to put these concepts to work. The beauty of the CCSP content is that it strikes a very good balance between the technical and legal aspects of cloud security. That is what actually helped me. I can view a particular situation or view a particular problem, bringing the balance of both legal and technical aspects, and obviously the foundations of cybersecurity to cloud security.

Q: You mentioned that you worked with vendor-specific platforms. Have you taken any of the vendor certifications as well?

A: I have done some of the foundational training on the Google Cloud platform, and AWS. The combinations of these two trainings with the CCSP helped me to advance my skill and knowledge needed to design the data security and privacy implementation strategy.

Q: How have you benefited from the CCSP?

A: One thing you definitely gain is recognition. I had the basic knowledge of security before, but once I achieved the certifications, I received better recognition within the industry. Also, the global acceptability of the CCSP is very good. The certification can definitely boost your career. It’s like your skills which are being stamped to validate that you are well versed in cloud security.

Q: What ambitions do you have for your future? Are there any job roles you'd like to hold?

A: As I look ahead to maybe the next five years, I would like to have a leadership role. I want to move more towards a strategic role. The technical aspects and auditing are fine, but now I think with all the experience I have, I want to move more into a pivotal role to define org-wide strategies on data privacy.

Q: How do you make sure that your skills stay sharp? What kind of resources do you use to make sure that you are staying current?

A: There are multiple resources I use. The first thing is that I try to always try to link up with some certification study, because once you set up a goal for yourself, you would want to achieve that goal. Also, as part of my certifications, I have to maintain my Continuing Professional Education (CPE) credits. For that, I rely on ISC2 Insights, which I don't only read for the credits, but it has really good content. Apart from that, I attend a lot of vendor-specific trainings that are offered to me through multiple learning platform.

Q: What do you think some of the biggest challenges are for cloud security at the moment?

A: Cloud security controls are evolving, and there are a lot of vendors coming up with solutions to complement cloud security. One of the main challenges for the end-user, or the customer, is not being able to fully understand the shared responsibility of them and the cloud provider. This is extremely important. One of the beautiful things in the CCSP CBK which I actually implemented in my day-to-day work is to define the responsibilities. It is necessary that both yourself and the teams actually working on the cloud platforms understand what our collective responsibility regarding data security and privacy.

Sometimes, people come up with a notion that they are using the cloud, so everything is secured by default, which is not the case at all. We have to understand contractual agreement, and we have to understand the shared responsibility matrix. This is what I see as the biggest challenge. That is what all the people who are working in this particular industry should try to focus on; defining the clear responsibility matrix in which security tasks are handled by the cloud provider and which tasks are handled by you

Q: Who inspires you then in this industry?

A: My immediate boss, Anuradha Lipare, who leads the Data Security and Privacy Team. She was named as one of the Top 20 Women in Cybersecurity in Singapore in 2020 . She is one of the strongest women I know, and she inspires me a lot on how to manage security and privacy in an organization. Sometimes, security controls are viewed as blockers to progress, especially on the business side. What I've learned from her, and what inspires me, is how to convert security & privacy into a business value, and how to make people aware that security is not a blocker, but an enabler. Above all how to align security and privacy requirements with business objectives.

Q: What advice would you give to people who are considering a career in cloud security that might encourage them to get involved?

A: One thing is that lot of people have misconception that cloud security is something different altogether. For example, I have been contacted by many colleagues who are really hesitant to pursue Cloud Security training and certifications because they do not have enough technical background. I believe that the very foundational element for being a cloud security professional is that you should know the basics of information security, and not necessarily the technical aspects, because they will keep on evolving. New technologies and platforms are maturing very fast. So, when the time or situation permits, you can learn about that, but for cloud security I can say that CCSP CBK is platform agnostic security which will help you in long term.

Cloud security is an excellent industry to get involved in, because down the line, everybody is going to move into the cloud. Earlier, there was a bit of apprehensiveness in the banking and financial industries, but now, what we are seeing in industries across the world, is that even bank and financial companies are slowly moving to cloud platforms.

Q:Is there anything else that you would like to share about either your experience, or the industry, or ISC2?

A: One personal experience that I would like to share, is about some of the challenges which I faced back when I started my career. I did face gender bias. Being a woman, some people really question your technical capabilities, so when you get these certifications, you can actually prove your skills and remove that from the thoughts of other people. The credentials really speak for themselves, and silences the doubts. There is still gender bias in some organizations, and there are still some people that think that women are not technically good. That's where I feel that as a woman we should support each other. We have to remove this mindset. I want to play a role in making that a reality. I am glad that ISC2 has given me the opportunity to share this story.

Whether your end goal is just one of curiosity, or if you are on the path to earn a certification, ISC2 has a variety of methods for you to succeed. Find out more .