Name: Ceri Charlton
Title: Group Information Security Manager
Degree: M.Sc. (Distinction) in Information Security and Computer Crime, 1st Class B.Sc. with Honours in Computer Studies
Years in IT: 14
Years in cybersecurity: 11
Cybersecurity certifications: CCSP, CISSP, Former QSA and PA-QSA, PCIP, Ethical Ninja (Grade 1)
How did you decide upon a career in cybersecurity?
When I first went into computing, I wanted to work on all aspects – and cybersecurity lets me remain involved in all areas. I also love how fast-paced and varied the field is, as you are always learning. I also foresaw, fairly accurately, the rise of social media, web 2.0 and the general tendency to put more of our lives online and, hence, that the value of the assets to be protected would increase exponentially.
Why did you get your CCSP®?
I saw Cloud as a growing field, and in 5-10 years, it will be the de facto way to host things. I also saw people and organisations claiming expertise in the subject that I didn’t feel they had – but at the same time, if I was not accredited, how could I stop them from feeling the same way about me? The fact that both the Cloud Security Alliance and (ISC)² were involved in the formation of the materials gave credibility to the certification.
What is a typical day like for you?
My days vary – I might be coordinating the management of a security incident in the morning, helping respond to regulatory requests over lunch and then working on security awareness materials for our employees in the afternoon. Once, for a week, I reviewed a day’s meetings, emails and calls and reached the conclusion that there are between 100 and 250 different topics that I provide input to in one way or another. I try to remind myself that you can’t get visibility of, much less address, every last risk to the extent that you might want to – so you have to prioritise the right things.
Can you tell us about a personal career highlight?
I managed to get a SaaS “Mega Vendor” to change their policy to share the results of penetration tests with their clients. Crucially, I was able to convince them to do so before upgrades occurred, so that it could be built into the decision whether or not to upgrade. This, in turn, created much more incentive for the vendor to fix vulnerabilities, as suddenly there was a spotlight on them. I think this level of transparency will become essential as we put more data with third parties.
How has the CCSP certification helped you in your career?
The CCSP has given me credibility to be a trusted advisor. It is also useful ammunition when challenging a vendor’s position – being able to quote the CCSP chapter and verse on best practices for how things should be done – so much so that I think it’s fair to say that possessing it was a factor in my success in changing policy with my SaaS vendor.
What is the most useful advice you have for other cloud security professionals?
As security people, we are naturally cautious about putting data with third parties. We need to be pragmatic and recognise that this is the way the world is going and the old days of everything being under our control are ending. Aside from upskilling in areas like vendor management, the best way to deal with this is to look for ways to improve security by putting things in the cloud.
For information about the Certified Cloud Security Professional certification training seminars, visit https://www.isc2.org/ccsp-training/default.aspx.