The Certified Information Systems Security Professional (CISSP) certification is considered to be the gold standard in information security. This is so because of all the doors that certification opens to a CISSP professional. Those doors lead to many different types of positions and opportunities, thus making the information security community dynamic and multifaceted.
In support of this, ISC2 has launched a series of interviews to explore
where CISSP certification has led security professionals. In our last
interview, we met Jason Lau. In this installment, we meet
James Wright
. He is a cybersecurity technologist with The Walt Disney Company. He is
also a U.S. Air Force veteran and graduate of the University of Denver
holding a Master of Science degree in Information Systems Security and a
Bachelor of Arts degree in Information Technology.
What job do you do today?
I work at a Fortune 100 Media and Entertainment company operating within the Information Security Architecture and Engineering group on the Cloud Security Services team. I'm responsible for the service management of the Cloud Access Security Broker (CASB) system, which protects hundreds of thousands of employees across the globe. It encompasses shadow IT usage monitoring and service discovery as well as sanctioned IT data loss prevention in the cloud. This system enforces security, compliance, and governance policies within our cloud applications. The mission of the service is to provide our risk management program with a robust dataset for policy-making and incident handling. I also work with my team on leading risk assessments, authoring position papers, security architecture evaluations, and associated risk discovery activities.
What problems does your job/company solve? Can you give an example?
Securing the technology and creation platforms at our company is rewarding. It provides our artists and engineers the safety to create innovative and thoughtful stories that touch our guests in motion pictures and physically immersive experiences.
Why did you first decide to get into cybersecurity?
Early in my childhood, I remember seeing my first computer in my elementary school's computer lab. The room was filled with the early Apple models from the 1980s and with all those square floppy disks. It fascinated me how a disk could contain the information to display dots on a screen.
Years later, I was elated to get my very own Apple Macintosh machine at age 9. This marvel of an invention inspired me to learn everything I could about how they operate. I was obsessed with encryption. I was fascinated by the fact that nothing in the world could reverse an operation of encryption without the needed key to decrypt the item.
What was life like when you started out in your career in cybersecurity?
Besides my love for computers, I always imagined myself serving in the Air Force. I, therefore, enlisted at the age of 18 and began my career as a Communications Computer Systems Controller, which was converted to Cyber Transport Systems in 2009. My service began with a five-month stay in Biloxi, Mississippi for technical training. There, I learned all sorts of things about computers and electronics that I didn't even know existed.
One of the functions I held was the alternate communications security responsibly officer (alt CRO). In this role, I learned to handle complex requirements to meet mission objectives for communications security. This included managing cryptographic keying material, ensuring the availability of communication systems, and upholding general security operations designed to safeguard the United States' military secrets.
What was your first cybersecurity job?
The Air Force was an excellent outlet for my curiosity. I truly believe I got a jump-start in life due to my service. I received a strong foundation of knowledge and a great work ethic. After my service, I joined the private sector performing various functions in systems architecture, cybersecurity, and business process improvement.
What first attracted you to consider getting a cybersecurity qualification?
Certifications within the IT field have always been popular. I remember the early days of Microsoft’s “MCSE” and the value that credential held. When the DoD formalized its information assurance program in DoD 8570, the value of a cybersecurity qualification when interacting with information systems became clear to me. After reading about DoD 8570, I mapped out several certifications I planned to complete. I completed the ISC2 SSCP and CISSP.
Why did you decide to undertake CISSP?
The CISSP is considered the gold standard when it comes to information security. Obtaining the credential demonstrates an understanding of the Common Body of Knowledge (CBK) for the information security domains. Its approach allows the exploration of each of the domains, which is paired with the person's technical foundation for each of the topics. I put off taking the exam for a long time, but when I finally challenged the test, I learned a lot about myself and how the pieces I've picked up as experience fit into the broader security management puzzle.
What prompted you to do that?
IT lacks formal licensing by the government. Information assurance is vital in today's technological world. As more systems come online that affect the life and safety of humans, it is more important than ever to ensure those who are entrusted with running IT operations are skilled and knowledgeable to carry out their tasks.
How long did it take to achieve CISSP?
I tried to get myself to prepare for over two years. The CISSP is a massive test, so I wanted to make sure I was successful.
How did you prepare for the exam?
I turned mainly to flashcards, training, reading. For about two years’ worth of evenings, I read all the CISSP books I could get my hands on. When it got closer to the exam, I ended up using quizzes to focus my time to research domain topics that I was still weaker in. I took a week off before the test to spend all day in a last push. I was so happy when I passed.
What resources did you use?
I used (ISC) 2 CBK, SANS training, and lots of books.
Did you enroll in any training?
I did attend a SANS Course as a volunteer facilitator for MGT414: “SANS Training Program for CISSP Certification” at the Rocky Mountain SANS 2016 cybersecurity conference. I helped the instructor run the class (work-study program).
What most surprised you about CISSP?
The depth of coverage with the information security domains in the CBK. The amount of information to understand and tie to experience was quite a task.
How did it change how you approached your work?
It helped me to understand information security as a business driver in terms of balancing cost and operational impact. The CISSP has improved my risk management approach to business problems. It’s helped me to ensure that I analyze a situation while designing a solution that is both cost-effective and reasonable for the situation.
What were the first changes you noticed after becoming a CISSP?
CISSP is one element of a successful skills portfolio. Having it demonstrates my ethical commitment to the profession and creates a shared lexicon and understanding of the CBK with my peers. This is key to solving today’s complex business challenges with others across the globe.
How do you think you have personally benefited from becoming a CISSP?
It’s created a better opportunity for senior roles. I have found that the CISSP establishes yourself as an expert in cybersecurity. Getting and maintaining the CISSP increases the credibility of a security practitioner, and it’s achieved for me a security baseline from which I can interact with my peers. It helps that those driving decisions are speaking the same "security language."
What steps brought you to the job you do today?
My background and experience have added up over the years. Air Force, engineering, and consulting have brought me to the role I have now.
What achievement or contribution are you most proud of?
During my service in the Air Force, I was key in a satellite launch when I was attached to Air Force Space Command in Colorado. I was awarded a Bronze Oak Leaf Cluster Air Force Achievement Medal with distinction for meritorious service.
I also discovered several security vulnerabilities in LastPass Password Manager. With the introduction of Apple's iOS 8, new system-level security abilities emerged, including the ability to use TouchID for several authentication scenarios. I discovered a handful of security vulnerabilities that allowed an attacker with physical access to the iOS device to gain unauthorized access to a victim’s account even if they had logged out of LastPass. This action was not related to work, but it was a general curiosity for my off-duty persona.
What is it about the job that you love?
I love solving problems. If the problem is a computer one, even better; if it's a computer security problem, that's the best type. I love the topics of security, privacy, and futurism. Knowing that each day will bring something different to solve ensures I'm never bored and always intellectually challenged.
What is the biggest challenge you have faced in your career?
I was on active duty during the September 11 th terrorist attacks. This event set the remaining tempo of my Air Force career. From that moment, I felt as if I was contributing to something much more significant than myself. My fellow service members and I worked tirelessly for months protecting our homeland and allies while deterring new aggression. It was one of the most stressful periods of my life.
What ambitions do you have for your career ahead?
In the next 10 years, I see myself becoming a security director or senior leader in a large organization's cybersecurity program. I see myself guiding the organizational security apparatus to meet business goals and objectives. Eventually, I would like to assume a Chief Information Security Officer position at a large and reputable company.
Those aren’t my only plans. I would love to get more involved in advancing privacy and security through the use of strong encryption and other safeguards. I am also planning to work on a CISSP concertation in the next year or so.
How do you ensure your skills continue to grow?
After the CISSP, I focused on taking my educational credentials to the next level by completing a Master's degree. I attend industry conferences, write blog posts, and spend time with others in my field to help further the profession. Further developing my security background is key to continued success. I am a member of the FBI's InfraGard group, an association that brings industry subject matter experts to the table in order to solve problems that affect public and private sector critical infrastructure. I'm also a member of the Information Systems Security Association, which provides strong peer networks. Here, I solicit feedback and question my approach to the way I apply our corporate security program. I'm always looking to improve myself.
What do you think the biggest challenge is for cybersecurity right now?
I think many organizations are struggling to find and hire the right people to handle cybersecurity problems. It can take a long time. Simultaneously, data processing, storage, and other critical functions are heading to cloud services across the globe. This shift to the cloud with its outsourcing network and compute workloads has increased the complexity and velocity of architecture decisions. One wrong config can expose a database with all your customer’s private data.
In various positions in my career, I've had the opportunity to screen, interview, and hire talented individuals for information technology roles from junior to senior level. A gap I see time and time again is a strong technical foundation knowledge. Having education and experience is important in IT because there is no licensing model for our profession. Education comes in many forms from college degrees to technical training and certification courses.
What solutions do you think could address this?
The CISSP, NSA/CSS college degree programs, and other training programs give practitioners a range of options to gain the skills needed for tomorrow's workforce. When it comes to the cloud, data protection and the Zero Trust Model are front runners. Since network boundaries are being blurred with outsourcing workloads to the cloud, it is increasingly important to focus on protecting data elements to ensure confidentiality.
Who inspires you in the world of cybersecurity?
Philip Zimmermann. As I said earlier, the topic of encryption has fascinated me from an early age. I learned everything I could about encryption and how it worked. I would get disks from others at Macintosh User Group meetings I started attending at 12. Philip Zimmermann was at the center of attention in the 1990s with his security software known as PGP. I used to love to encrypt email messages and exchange keys with dial-up internet friends I had at the time. Philip Zimmermann’s stance on human rights and privacy closely aligns with my core belief that technology should enhance one's life and enable private channels to exchange and develop ideas without surveillance and censorship.
What do you think people considering a career in cybersecurity should know?
Cybersecurity exists in all facets of the information technology field. Gaining foundational knowledge in data circuits, network routing, systems engineering, programming, and common scripting languages are all key to building a robust professional skillset. I have found that security is a dimension for many technical topics, and having a good understanding of the basics can unlock a person's ability to understand the security implications of the problem at hand. Successful people in cybersecurity tend to have a passion for technology with a security focus. They bring several "security hats" to share with their new co-workers. Putting on a security hat involves thinking about a situation in IT using the perspective of how it could impact the security, integrity, and availability of technology systems. In today's advanced threat environment, user awareness around security is paramount. They tend to bring this perspective with peers as well as end-users.
And finally, what do you like to do in your spare time?
I love endurance running. Finding that perfect trail and running for hours is an ideal way to clear your mind when you’re worried about cybersecurity. I run about 150 miles a month with other athletes from my running group, the Seattle Frontrunners, where I also serve on the Board of Directors. Seattle Frontrunners is a non-profit organization that facilitates the safe meetup of LGBTQ members and their friends for walking, running and other social events. We also facilitate the annual "Seattle Run Walk with Pride," an event that celebrates its 38 th year this June. To date, our organization has donated over $170,000 to LGBTQ causes and charities.
As a Unitarian Universalist or U.U., I work directly on social justice programs such as immigration reform, sexual orientation equality, and women's reproductive rights. I was a delegate to Unitarian Universalist General Assembly, the church's international leadership body, in 2012. Standing on the Side of Love, I joined several thousand U.U.'s from around the world in protest of the inhumane conditions in which immigration detainees are held in Arizona. Currently, I belong to the U.U. Church of the Larger Fellowship, an organization that is connected with others who share my view of the "inherent worth and dignity of every person" (U.U. Principle 1).
To discover more about CISSP download our Ultimate Guide . Or read our whitepaper, 9 Traits You Need to Succeed as a Cybersecurity Leader .
Or, check out more interviews with CISSPs as a part of this CISSP interview series.