The Certified Information Systems Security Professional (CISSP) certification is considered to be the gold standard in information security. This is so because of all the doors that certification opens to a CISSP professional. Those doors lead to many different types of positions and opportunities, thus making the information security community dynamic and multifaceted.
In this installment, we talk to
AJ Yawn
. AJ tells us about his motivation for setting it up his own business, his
passion for mentoring and opening up pathways into cybersecurity, and why he
thinks ISC2 Chapters are a great place for networking and accelerating your
career.
What job do you do today?
I am the co-founder and CEO at ByteChek , a cybersecurity Software as a Service (SaaS) company.
What sorts of problems do you solve at your company?
We are focused on cybersecurity compliance assessments, most specifically, System and Organization Controls (SOC2). We help business-to-business organizations, that is, any business that provides a service. We help them achieve their compliance goals. If that company has to earn a SOC2, our platform helps take away all of the manual and time-consuming processes associated with those assessments. We automatically collect evidence, gathering the required assessment documents. The tool we use is accessible to the auditors, to facilitate the completion of the engagement. So it's all about cybersecurity compliance, and automation.
It sounds like it is all about helping your clients, making life easier for them.
Exactly. Our tagline is “Make Compliance Suck Less,” and what you just described is literally the whole goal. The compliance process can be complicated for everyone involved. I imagine that not too many people wake up and say, “I want to do compliance.” However, it's a necessary process that you have to go through and, we want to make it just a little bit less wearisome while adding security value back into it.
Can you tell me what life was like when you first started your career in cybersecurity?
If anyone would have told me when I first started that I'd be here, I would have said that they were crazy. I was a 23-year-old, fresh out of college, where I had played basketball at a university here in Florida, and I joined the military. I was in the Army and was responsible for about 20 soldiers, one of whom was 37 years old at the time. It was a masterclass in leadership, for sure. I was an information security officer, and we weren't using the latest and greatest technology. We were using some of the older stuff, so it was less about technology at that point for my career in cybersecurity, and more about the people, which I think has helped. Cybersecurity is about people, processes, and technology, not just technology.
Why did you choose cybersecurity?
My dad served in the Marine Corps and ended up retiring from there after 20 years. He encouraged me to join the Army, which is surprising because he's a Marine, and you would think a Marine wouldn’t tell his son to join the Army, but he reasoned that if I wanted to be an officer, the Army would be the best place for me to do that. For me, it was an excellent opportunity.
Before all this, I had broken both ankles playing basketball at Florida State College, preventing me from continuing to play. I wanted to finish college, doing exactly what I set out to do, so I joined the military to pay for school. My dad pointed out that I should pick something in the military that would allow me to continue that as a profession after my service ended. I thought that I, like my dad, would serve for 20 years. I wasn’t thinking that far ahead. He understood that I would still be young and ready to continue working as a civilian, so it didn’t make sense to drive tanks because there are no tanks in the civilian world.
I picked information security, specifically communication, because I knew technology would play a huge role in what we were doing in the world moving forward. It was the best decision that could have happened because it allowed me to get into an industry that I think is the best industry to be in right now.
Had you studied cybersecurity at college, or did that area of study come later?
It definitely came later, as I was focusing on being an athlete in school. I had no IT study in my university days, but afterward, I got a master's degree from Georgetown University. I gained most of my training on-the-job, just breaking things. When you are going to deploy troops, the communications department’s job is to figure out how everyone can communicate and communicate effectively at the organization or the new location. Sometimes, that requires you to break a lot of things to learn how everything works.
What attracted you then to get a qualification, and why did you decide to undertake CISSP?
The cool thing about technology and cybersecurity is that there are no
limits to what you can learn. There are also so many different ways that you
can prove that knowledge as well. When I was getting out of the military, I
knew that certifications were going to be huge for me as a military member
because it's tough to translate what you did in the military to civilian
life. I knew that a certification, especially the CISSP, was how I could
show that I had experience and knowledge. It speaks a common language with
everybody where I was going to apply for employment.
I got a whole bunch of other certifications ahead of the CISSP because I
knew that was going to be my crowning achievement of the year. I knew what
the CISSP would do for my career when I was applying for jobs. I knew that
it would be what people would want to see on a job application. The CISSP
is so impactful because of the experience requirements. It forces you to
have real-world experience to do well on that job.
Did you take the exam while you were still in the military, or after you finished your term of service?
I took it while I was still in the military, about three or four months before leaving. I was fortunate to take it in the military; the military provides a lot of training and resources for service members.
What resources did you use to study?
My whole methodology when I study for a certification is to get a diverse group of resources. I went to a bookstore, and I would sit there and read as many CISSP books as I could, just trying to get different information from different sources, because I knew that the CISSP is such an extensive exam. There is so much information that you have to make sure that you have a bunch of different inputs because you can' miss something. I found this book by a gentleman named Eric Conrad helpful. The Army had some training I attended as well, a whole week of dedicated training. We focused on learning about what the CISSP is and all that good stuff. That was really beneficial.
What surprised you most about CISSP?
The enormous amount of information! As I was going through it, I kept
thinking how it was unlike any other certification. Every other
certification is all about a targeted set of information, but the CISSP is a
broad certification to make sure that you understand governance. Do you
understand the technology? Do you understand people? Do you understand
management? I think that's the surprising part for most people who take the
exam. That's the reason why it’s a tough certification, but also why it's
respected. The other surprising part is answering questions from a
management perspective. For me, that was pretty different because you have
to switch your mindset away from a pure cybersecurity “just solve the
problem” perspective.
You have to think about things and answer from the perspective of “how will
a manager solve this?” It's a little bit of a mindset shift, but I think it
helps put you in the right mindset when it comes to just being a security
professional to being a security leader. You have to understand more than
just the ones and zeros. You have to go beyond that, and the CISSP is an
excellent certification for that.
What impact did achieving CISSP certification have?
I think it impacted my work when I first got to my new job because if I didn't take the CISSP, I wouldn’t have understood many of the concepts that I ran into in the civilian world. For military members with the experience requirements, the certification is the perfect way to help you to speak the language of security outside of the military. It helped me understand the “why” behind everything at my new company, which would have been very difficult without the CISSP. It changed my approach to solving problems because I saw them differently after getting the CISSP.
Were there any kind of unexpected benefits that the CISSP brought you?
I think so! When I first got out of the military, I went to work at a compliance firm that focused on SOC2 examinations, and one of the CISSP domains explores SOC2. My only experience with SOC2 before I got that job was in the CISSP. I understood what SOC2 was solely because I studied it in the Common Body of Knowledge (CBK), and it gave me a lot of credibility because I was able to recall my studies. I literally leveraged my study guide about SOC2 to do my job better. That's the cool thing about the CISSP itself, somewhat real-world examples that you can use to go out and do things.
How do you personally ensure that your skills and turn continue to grow?
It's all about constant tinkering, and it's also about reading. I read the
ISC2 blog often, and I read a bunch of blogs, and different resources. I
also constantly train. Just this week, I attended a three-day course, which
is just crazy to think that the CEO of a company would attend a three-day
course, but it is all about continuous learning. I constantly want to find
more information. I'm always doing labs, trying to learn as much as possible
because this field is changing so fast.
You have to learn to grow constantly. The best thing you can do as a
cybersecurity professional is always learn something new; even if you're not
going to run into it in your day-to-day job, you will eventually. Just the
act of learning a new skill is critical. Most cybersecurity professionals
will confirm that the thing that we do most throughout the day is research
information to keep learning. We're not necessarily doing a whole lot of
cybersecurity stuff. It's more of the action of problem-solving, so
constantly learning new skills is something that you're going to have to do
as a cybersecurity professional. Just make that a regular part of your
journey each week.
Can you tell me about what steps brought you then to the job that you're doing today?
It was the experience as a consultant. You see so many different companies, you see so many various organizations, and you start to see the same type of security problems people are solving. Being a consultant allowed me the opportunity to digest a lot of information in a short timeframe. The difference between working at one job is that, as a consultant, you have to become an expert on other systems within a very short period of time; usually within a few hours. You have to know everything about that organization and figure out ways to solve all that. At a steady job, you tend to be exposed to the same specimen, so being a consultant helped me get to the point where I was comfortable starting a company in this space because I've seen a lot.
I've seen many challenges, both from a start-up perspective, but also from a Fortune 500 perspective. It's only because I got very lucky when I left the military and was able to join a consulting firm, see some really cool things, meet some cool people, and get the confidence I needed to start a company.
What would you say was the biggest challenge you have faced in your career?
It's the lack of representation of folks that look like me in this field. I'm an African American man, and I wish there were more people who look like me to talk to about being in the field as a black man. To have more mentors, you know, more people to look up to and talk to. That's been a challenge because it forces you to figure everything out on your own when you don't have that mentor that you're looking for. I wish there is more attention on cybersecurity leaders that are diverse in this space, because it would encourage more kids from underrepresented communities to get into security.
When I was younger, I thought cybersecurity was this big, weird thing that I knew nothing about. All I knew about was sports. I thought that the only way I could get out of my neighborhood was by playing sports. However, because there's such a vast job shortage in the cybersecurity industry, it's the perfect way to get more diverse people into this field. So I think that the biggest challenge is just getting more representation into the field so that it's more diverse. I think that the challenge in this industry is that the industry all looks the same; and everyone needs to look a little bit different.
What ambitions do you have for your career ahead?
As an entrepreneur, I'm at the level that I want to be in my career: a co-founder and CEO. Now, it's all about growing ByteChek as big as we can, getting it to the next level, whatever that may be. I also want to help get more people into this field. I want to inspire other companies to take a chance on people that may not have all the qualifications, you know, may not have that college degree, or may not have five years of experience at this moment, but they're really interested in cybersecurity, and maybe companies can train them and get them there. I also want to impact the next generation of cybersecurity professionals. I want to help them become the best that they can be.
That's something that we've been big on at ByteChek. We brought on people that had little experience. We brought them on as interns and let them grow and see how things go, and it's worked out well. In cybersecurity, there's such a push for an experience requirement. Sometimes, we have to give people a chance. A lot of the CISSPs I know just got a good chance. They weren't cybersecurity professionals, but when they started on their journey, someone took a chance on them, and now they have their CISSP, and they're doing all these great things. So for me, my biggest ambition is that I'm able to continue to hire people into this field.
ByteChek has non-traditional routes here, and hopefully, our approach will inspire other companies, other CEOs, to take a different hiring approach. Go out, and find those candidates with those non-traditional backgrounds who are interested in cybersecurity because it's still hard for people to get started in this field. There's a lot of transferable skills that people don't realize they could apply to cybersecurity as well. It represents a great opportunity for careers for people.
And then, last but not least, definitely, the most important thing is my people, the people that I'm leading. I enjoy leadership. I enjoy being a part of helping them develop and just helping them grow. That's beyond work. You know, it's in life in general, and your experiences.
Being a leader in the military was the most rewarding thing. Just having people who depend on you is very humbling, but it's also a lot of pressure and responsibility and I don't take it lightly. It's something that I genuinely love. Spending that time, developing people, and especially folks that are on non-traditional routes. Seeing someone progress from just trying to get into this field to becoming a cloud expert doing some incredible things in the cloud and getting podcasts interviews. That personal development focus is my most significant achievement, seeing people working with me grow and become the best version of themselves.
Of what contribution are you most proud?
Right now, for me, it's the fact that we've been able to hire people at ByteChek. Last year, when I started this, it was just my co-founder and me. The biggest contribution I think, is being able to take people from other fields, or other jobs in other industries, giving them a chance, watching them grow, and actually being able to pay them. That's a very surreal thing that I don't take lightly. It's one of the most important things that I've done in my career.
The other thing that I think I'm just really proud of over the past year is being a mentor. I spend a ton of time mentoring, even to this day. I spend four hours a week mentoring people, although I may have to pull that back a little bit soon because my time is very limited nowadays. I enjoy giving back to those trying to get into the security community, whether it's answering a question about what certifications to pursue, or telling them about my journey so that they can get inspired. It's being able to mentor the way that I've been able to mentor over the past year, something that I really wanted to do when I set out to become an entrepreneur, and I've been able to do it.
I've been able to touch a lot of people's lives from a mentorship perspective and I think this is incredibly important. When I leave this earth, people will not remember me for ByteChe, they will not remember me for things I did in the Army. However, people will remember someone if they impacted their lives, and mentoring has been able to allow me to impact lives on a large scale.
What do you think the biggest challenge is for cybersecurity right now?
I think it’s people. There are many people who want to get in the field but are having trouble getting hired. Part of it is because the way that people are being hired in the cybersecurity field is broken. The biggest challenge is that the threat landscape is changing so fast. We see that from all these breaches and hacks. We need more people in cybersecurity for us to have a more secure world, a more secure economy and ecosystem, just in this interconnected world. To do that, we have to change the way we're hiring because it's clearly not working. There are plenty of qualified people that want to get into this field, and they can't find jobs.
It's also the priorities of organizations. Cybersecurity is becoming more and more important, but it's still not the top priority for most organizations. There's still so many other things that they're focused on, but we need cybersecurity to become more important because you can't run a business without proper cybersecurity. Your business is not going to survive if you are constantly under attack and you're not able to recover effectively. So, I think the biggest challenge is people. We have to get more people in this field, and the only way we do that is by hiring more diverse people.
Who would you say inspires you in the world of cybersecurity?
Two individuals. One is a gentleman by the name of Frederick Lee . He's the chief security officer at Gusto. Just a really great guy who I admired from afar for a very long time, and then I was fortunate enough to get to know him last year. He's someone that practices what he preaches as a black leader that I looked up to in the security space that has grown in the field non-traditionally. Frederick is not a guy with a bunch of certifications, or all of the Ivy League degrees, but he's done some amazing things. The biggest thing that he's done that inspires me, is the impact he's had on others. If you talk to anybody in the field, a lot of them know who “Flee” is, which is his nickname, and it's because of his impact on the community. That's something that I hope that I'm able to do as I grow in the field.
The other person is a gentleman who is at my organization right now named Nick McLaren . He is somebody that I was mentoring last year when he was trying to get into the field. He has a college degree, a bunch of certifications, and is also working on his Master's degree, but he could not get into the field. So we talked, and one day he said he wanted to get into cloud security. I asked him, why not just come intern here at ByteChek? That internship changed and turned into him being a cloud security engineer, and he is doing great work for us. Just recently, he single-handedly achieved something in our cloud environment that other organizations needed an entire security team to accomplish. Nick is a perfect example of what happens when you give someone a chance who is not otherwise getting that opportunity. He inspires me because I see the passion he has for the field. I like his youthful energy, just like when you're playing with the kids, and you get inspired. It's the same way with Nick but he's not a kid by any stretch of the imagination. He's a grown man, but his excitement about cybersecurity inspires me to keep going every single day. Nick and “Flee” are definitely two people that inspire me.
Fantastic. What do you think people should know who are considering a career in cybersecurity? What would you like to say to people who are considering entering the industry?
My first piece of advice is to get comfortable being uncomfortable. This field is hard. There's a lot of information out there. There's a lot of things that change. There are so many different career paths that you can follow, but you can't get overwhelmed. You can't say there are so many things I have to do but I don't know what to do and I don’t know where to start. If you do that then you get bogged down, so make peace with being uncomfortable.
My second piece of advice is that once you're in cybersecurity…the more you know about cybersecurity, the less you know. Cybersecurity professionals don't say, “if I get hacked.” It's a matter of operating from a mentality that it's going to happen, it's going to happen to everybody. So if you know that, then you'll be very comfortable being in that constant state of uncomfortableness I talked about before. It is ok to have the feeling that you don't know things. Use that feeling to drive you to learn more.
My last piece of advice is, find a mentor. Find someone who has been where you're at and where you're trying to go. because this field is difficult without knowing some of the “ins” and “outs” of things and how to how to maneuver through that space. Find someone to help you.
Any final thoughts?
I encourage people as they're trying to get into the field to join professional organizations. Join local (ISC) 2 chapters. It's one of the best things you can do for your career because you're going to meet people. You're going to get to know people in the industry, and it's going to be based on a local region. Being a part of a chapter is going to accelerate your career. It's going to help you out when it comes to understanding what to do in this career.
To discover more about CISSP download our Ultimate Guide . Or read our whitepaper, 9 Traits You Need to Succeed as a Cybersecurity Leader .
Or, check out more interviews with CISSPs as a part of this CISSP interview series.