The Certified Information Systems Security Professional (CISSP) certification is considered to be the gold standard in information security. This is so because of all the doors that certification opens to a CISSP professional. Those doors lead to many different types of positions and opportunities, thus making the information security community dynamic and multifaceted.
In support of this, ISC2 has launched a series of interviews to explore
where CISSP certification has led security professionals. Our first
installment features Javvad Malik,
a security awareness advocate at KnowBe4, as well as blogger and YouTuber at
JavvadMalik.com. He’s also contributes on two podcasts, The State Sponsored
Podcast and Host Unknown, a company he founded.
What job do you do today?
I’m a security awareness advocate at KnowBe4.
What problems does your company solve?
KnowBe4 is the leading provider of security awareness and training in the world. Its focus is on the human layer and empowering them to make better risk decisions.
My role as an advocate is to raise awareness about awareness (no pun intended) as well as to help inform and educate on security issues based on my experience and research.
Why did you first decide to get into cybersecurity?
My university degree had a one-year work placement option. I applied for a number of roles and got a placement within the IT Security team at a bank. I had no idea what IT security did or what to expect, but I found the work incredibly interesting. The bank seemed to like me, too, and it offered me a permanent job once I finished my degree, and the rest was history.
What was life like when you started out in your career in cybersecurity?
It was a very different world. I worked for a bank where the IT Security team consisted of five people. Not many people in the organisation knew what we did or were too concerned with what we did. We would administer the various systems, manage privilege credentials, and even do some monitoring. Pretty much the same as what many do today, just at a very small scale and limited in reach.
What was your first cybersecurity job?
My first job was as a security administrator in the IT security team of a large global bank.
What first attracted you to consider getting a cybersecurity qualification? Why did you decide to undertake CISSP?
I’d been in my first job for a few years ,and while I enjoyed it, I felt like I’d hit a glass ceiling and there was nowhere to go. I wasn’t sure what my options were, and I began to consider doing a part-time Master’s to bolster my education and qualifications in the hope that it would open some doors for me.
In doing my research as to which security courses there were, I discovered CISSP. It wasn’t as well-known in the UK at the time, but it seemed to be a far better option than a Master’s.
How long did it take to achieve CISSP?
From the moment I decided to take the exam, I’d say about 9 months.
How did you prepare for the exam?
I purchased the official guide, and I downloaded whatever resources were on the ISC2 website. After reading the official guide, I supplemented it with another guide (possibly the late Shon Harris one), and I then enrolled in a week-long exam prep boot camp.
The training really helped. The instructors helped put a lot of things into context and identify which parts of the course I needed to focus on for the exam and why.
After that, I spent a couple of months repeating practice exam questions on cccure.org. I believe it still has practice exams. It was the best resource of all because it got me used to how the questions were structured, that is, how to read and understand them quickly as well as how to sort through the multiple choice options.
What most surprised you about the CISSP?
Perhaps the breadth of the syllabus was the thing that surprised me the most. I certainly didn’t expect to be learning about things like physical security or which fire suppression systems are best in which scenario, but there we were.
How do you think you have personally benefited from becoming a CISSP?
Initially, the CISSP opened many doors for me in terms of getting interviews and placing me in front of the right people. Later in my career, it helped me meet and connect with a large number of peers, many of whom have become good friends.
How did it change how you approached your work?
It did open my eyes to how much more there was to security than what I had been involved in. So, I became more aware of othe departments and priorities, and it helped me to understand driving factors behind decisions.
What steps brought you to the job you do today?
Having started as an IT Security administrator and having done a lot of hands-on work, I wanted to move up in my career. I saw that consultants seemed to be doing better, and so I followed the money into a non-tech role.
I stayed as an independent consultant for a few years, while on the side I started to blog and video blog on security topics. This helped boost my personal profile in the industry, and as a result, I managed to find myself landing a role as an industry analyst at 451 Research. This was a complete change from being a practitioner, and it exposed me to a whole other side of the industry which included investors and vendors.
After a few years there, I was approached by a vendor to join them as an evangelist, and having worked as a practitioner and an industry analyst, I thought I should complete the loop and work at a vendor.
What achievement or contribution are you most proud of?
Back in 2010, we had the first BSides London, and two speakers Stephen Bonner and Steve Lord stuck in my mind. Their presentations were educational, engaging, and informative. In my mind, they had set the bar as to what I needed to aim for. But I had never spoken at an event before. I had nothing to talk about, and they didn’t even know I existed.
Fast forward a few years, and not only had I become friends with them both, but I had presented at occasions where they were in attendance. Separately, both complimented me afterwards.
It may seem like a small thing, but I think about where I was,and where I got to. It really made me believe that I could achieve things if I put my mind to it.
What is it about your job that you love?
Security has always been a rewarding career because no two days are the same. But now it’s also very high profile. One of the things I love about it is being able to interact with people who have been exposed to security for the first time and help them understand and navigate the potential minefield that there is.
What is the biggest challenge you have faced in your career?
Hmm that’s a tough one. I think the biggest challenges have been around corporate cultures and abrasive personalities. There’s nothing more challenging than to have an unsupportive manager or to work in a toxic culture regardless of the role.
What ambitions do you have for your career ahead?
I am very content with how my career has panned out. If you’d told me 15 years ago the things I’d achieve by now in my career, I would have called you a liar. That being said, one of my biggest ambitions is to break security out of the tech silo we’re in and expose it in an understandable and relatable way to the masses.
How do you ensure that your skills continue to grow?
As part of my job, I need to stay on top of all the latest developments, news, and trends. So I spend about 2 hours a day reading and staying up to date with the latest developments. But perhaps more than that, I stay in touch with a broad range of security experts and colleagues who are far smarter than me and who are generous enough to share their knowledge with me.
What do you think the biggest challenge is for cybersecurity right now?
Communication, communication, communication. We have the technical knowledge, and in most cases we know how to fix security issues that occur. The challenge is explaining the challenges and the resolutions in a way that is aligned to the organisational objectives.
We often see a breach and can pinpoint a set of controls that could have prevented it. Usually, these are relatively well-established controls like implementing MFA, or patching software. The fact that we didn’t communicate the need or the risk up front clearly enough is our failing.
What solutions do you think could address this?
Educating security professionals to better understand the business side of organisations. How to understand financial reporting, what is relevant to shareholders, and how to budget.
Who inspires you in the world of cybersecurity?
Too many to count!
What do you think people considering a career in cybersecurity should know?
It’s a vast vast field that extends far beyond pen testing or coding. Whatever background you have or whatever skillset you have, you can bring it to cybersecurity and make a positive difference.
To discover more about CISSP download our Ultimate Guide . Or read our whitepaper, 9 Traits You Need to Succeed as a Cybersecurity Leader
Or, check out more interviews with CISSPs as a part of this CISSP interview series.