The Certified Information Systems Security Professional (CISSP) certification is considered to be the gold standard in information security. This is so because of all the doors that certification opens to a CISSP professional. Those doors lead to many different types of positions and opportunities, thus making the information security community dynamic and multifaceted.
In support of this diversity, ISC2 has launched a series of interviews to
explore where CISSP certification has led security professionals. Last time
we heard from Mari Aoba and her experiences with CISSP. This installment
features Jason Lau, CISO
for Crypto.com and an official member and contributor on the Forbes
Technology Council. He is also an adjunct professor and industry advisory
board member (cybersecurity and data privacy) at the HKBU School of
Business.
What job do you do today?
I am currently the Chief Information Security Officer (CISO) at Crypto.com, where I drive the company’s global cybersecurity and data privacy strategy. On the side, I sit on various industry advisory boards on cybersecurity as well as serve as an adjunct professor at one of the premier business schools in Asia. I have been in the education industry for many years now, and I often give back to the community by conducting cybersecurity/privacy training for organizations both large and small. I do this to help promote and improve the ecosystem both locally and globally.
What problems does your company solve?
Crypto.com is a FinTech company with a mission to accelerate the global adoption of cryptocurrency. One way our company helps to solve this problem is by making cryptocurrency easy to access through our user-friendly application. The problem I personally am trying to solve is to help build trust with the everyday cryptocurrency user in the industry. This is still a growing industry that is still evolving every day. This is especially challenging because there are many regions where cryptocurrency is still unregulated. With a lack of regulation we are seeing many companies forgetting the need for, or lacking focus into, cybersecurity and data privacy. My goal is to help Crypto.com become an industry leader in this field and lead the way. An example of this is that we were the first cryptocurrency company to be ISO27001:2013, PCI:DSS 3.2.1 and also ISO27701:2019 certified, showing our commitment to continuously improving our overall processes.
Why did you first decide to get into cybersecurity?
There were no courses at that time to further my interest in cybersecurity, so I joined a company focusing on enterprise systems management and monitoring, which allowed me to travel around the world and work closely as a management consultant to many CTO's on critical infrastructure security. A lot of the security was for physical server systems, and over time, it evolved more into digital security and cybersecurity as we know it today.
What was life like when you started out in your career in cybersecurity?
In the position I mentioned above, I soon learned and realized what I was working on was a key component of an overall cybersecurity strategy – which was incident response and detection and the monitoring of unusual activities in a network environment.
Life was interesting as it was the days before cloud computing and when proactive monitoring and alerting was the first line of defence against potential issues in your network, issues which could have resulted from malicious activities from an internal or external attacker.
My work covered almost all sectors you can imagine across five continents, and it allowed me the opportunity to see how different industries and different cultures approach security. I would not really call it a detour but more of an evolution of my interest in IT, and I had to adapt to the changing environment and skill up to go deeper into cybersecurity.
What was your first cybersecurity job?
I had my first experience with "hacking" as part of my electrical engineering degree at university. We had to experiment with integrated circuit chips and program them to do a variety of different things. It just so happens it was around that time when the first ever PlayStation was released. In my spare time, I researched and "hacked" the boot sequence of the machine with a "ModChip" I programmed, and I was able to play games from different regions around the world.
I was one of the first with these ModChips at that time, and my friend and I started to help others as a freelance job. It was quite thrilling and exciting! This was my first experience with hacking and reverse engineering, which I would find later on that a similar approach was needed in some ways in the cybersecurity world.
What first attracted you to consider getting a cybersecurity qualification?
Early on in my cybersecurity career, I wanted to stand out from the crowd, and this was the hottest certification in this space.
Why did you decide to undertake CISSP?
CISSP is more than just a certification. It is proof to peers that you have a passion to be in this field and to get a broader understanding of the cybersecurity issues.
What prompted you to do that?
Data breaches were happening all the time (and still are!), and this prompted me to further develop my skills in the field.
How long did it take to achieve CISSP?
I would say the whole process took me around 2-3 months. It varies for different people, as it depends on the experience they have. Practical, hands-on experience would definitely help with understanding the concepts rather than just purely reading books.
How did you prepare for the exam?
I think 2-3 years of practical experience is a good time to start to think about doing a CISSP. Back in the day, there were some (ISC) 2 seminars that you could attend to learn more about the certification and the core body of knowledge that you would be assessed on.
What resources did you use?
I used the official ISC2 text as well as the questions inside the book.
What most surprised you about CISSP?
I was initially surprised that it was a 6-hour exam. This has changed now to a computer-based adaptive assessment process, a format which has reduced the exam duration. But back in the day when I did it, the 6-hour exam was a gruelling process both mentally and physically. Looking back, I believe the reason for this is that computers and the digital world don’t sleep as well as that security issues can happen at any time. As a result, the CISSP was a test of endurance to make sure you were prepared for the real world where you might be tired from a full day of work until you’re suddenly jolted into a state of alert so that you can address security issues that have just come up.
What were the first changes you noticed after becoming a CISSP?
The first change I noticed was the increased numbers of recruiters who were reaching out to me for potential roles. At that stage, I realized that the CISSP certification and credibility of ISC2 was indeed well-recognized in the industry.
How do you think you have personally benefited from becoming a CISSP?
I think early on in your career, a CISSP is an important step in helping you get a broad understanding of cybersecurity. This way, you can then go deeper into other areas of say SDLC or application development, pen testing, compliance, etc. The CISSP is still considered the “gold standard” in information security around the world, and it will allow peers and employees know that you understand the fundamental knowledge for cybersecurity. I benefitted early on in my career by gaining access to a strong network of industry professionals as well as by attending industry conferences to learn more about how peers are dealing with cybersecurity challenges. The (ISC) 2 community and local chapters often have engaging presentations and workshops where you can hone in on your skills and gain access to global webinars and online training material and resources.
What steps brought you to the job you do today?
Being involved early on in cybersecurity and in this field for over 20 years, I have had the benefit of seeing many different aspects of cybersecurity. After working for several different companies and being a management consulting for many years to Fortune 200 companies, I gained an interest in the rapidly growing FinTech / Blockchain space, and with the massive number of attacks on cryptocurrency companies, I saw an opportunity to build a team to help Crypto.com. It has been a challenging ride, and it requires ongoing commitment and dedication to the field.
What achievement or contribution are you most proud of?
I have won numerous industry awards, but it was a team achievement of obtaining a patent in the cryptocurrency space. As the industry was rapidly evolving, the traditional cloud providers were not able to support the ways in which we needed to perform some of our key processes on a day-to-day basis in a secure way with the cryptocurrency tokens we were using like Bitcoin, Ethereum and others. The team contributed in different ways, all of which helped us to obtain the patent registration. Individually, being invited to the Forbes Technology Council for my contributions and achievements in cybersecurity has been something I have been proud of, as well.
What is the biggest challenge you have faced in your career?
Overconfidence. After travelling around the world and consulting for some of the biggest companies, the consistent issue is with how organizations still often have an overconfident mindset that they have not been hacked and thus can put less focus into resources in cybersecurity. Top management and boards need to understand that cybersecurity risks are business risks and can impact a business in many ways. It will always be a challenge to change the mind-set of C-Levels and the board, but with the growing trend towards digital transformation, cybersecurity and data privacy needs to be core pillars for any organisation's business strategy.
What ambitions do you have for your career ahead?
My ambition is to contribute back to the ecosystem to build more cybersecurity and data privacy awareness for companies large and small. I already have been doing this on the side throughout my career, but more can be done, and the cybersecurity challenges continue to change over time. Security awareness training will always be something that I will be involved with for the rest of my career.
How do you ensure your skills continue to grow?
Simple. Keep hiring people (or surrounding myself with people) who are smarter than me. Cybersecurity is a unique industry in where many have come from completely different backgrounds and led interesting journeys to get to where they are today. I have embraced this diversity in the team I have built, which consists of people from more than seven countries. All of them have a CISSP and more, but all have very different ways of looking at the same problem. This is not just a great way for me to continue to grow, but it also allows the team as a whole to grow, and this helps to foster a strong culture of knowledge-experience sharing.
What do you think the biggest challenge is for cybersecurity right now?
There is definitely a global cybersecurity shortage, and because technology adoption and digital transformation are accelerating faster than the rate at which we can supply cybersecurity professionals, organisations will often be playing a catch-up game in trying to fill roles. As mentioned above, general overconfidence in the industry around cybersecurity risks is a big challenge that needs to be overcome. Finally, I would also say machine learning and AI will evolve over the next years to give rise to AI-powered threats like malware. This trend will be very scary indeed.
What solutions do you think could address this?
More user awareness training is needed to address the human element of cybersecurity. An overall cybersecurity strategy should encompass more than just buying tools. More C-Level awareness of cybersecurity is needed. Companies need to continue to invest in talent and keep abreast of new technologies that can also introduce new business risks. Specifically to the above question on AI-powered threats, companies will need to invest and adopt their own AI cybersecurity strategy and tools such as User-Entity Bevavior Analytics (UEBA) to help early detection of anomalies in the network environment.
Who inspires you in the world of cybersecurity?
My father has always been the most inspiring person to me. As the youngest of a family of five siblings, I grew up watching, learning and following him while everyone else was at school. To me, he could do everything and always had some way to "fix things." Dad was into everything. Engineering, traditional medicine, mechanics, hydroponics, electronics, mathematics, farming, cooking and more!
The lesson for me here was that you should not just focus on one field. You can learn a lot from different fields, and you should have a growth mindset so that you can explore multiple ways to find a solution to a problem. This still true for cybersecurity. You often need to think outside the box and think like a hacker to build up your organizational defence.
What do you think people considering a career in cybersecurity should know?
You need to have a growth mindset. A career in cybersecurity is extremely dynamic. Just as technology continues to change at a rapid pace, the business risks are getting broader and deeper, and you will need to keep up with technological changes that are happening around you. For example, with COVID-19 we are seeing that traditional industries like healthcare have had to rapidly evolve to cater for changes from telemedicine to remotely accessing and managing medical clinics and hospital operations that contain highly sensitive personal identifiable information and protected health information. As cybersecurity professionals, you will need to consider the impact of this, from the business perspective all the way through to the risks with employees working from home. The key thing people should know is that a career in cybersecurity is extremely challenging but at the same time very rewarding as you get to work on many interesting projects and often with emerging technologies to help organizations safeguard their systems.
To discover more about CISSP download our Ultimate Guide . Or read our whitepaper, 9 Traits You Need to Succeed as a Cybersecurity Leader .
Or, check out more interviews with CISSPs as a part of this CISSP interview series .