Name: Chris Sellards
Title: Senior Security Architect
Employer: Harland Clarke Holdings
Location: San Antonio, Texas
Degree: Master of Science, Information Security. Currently pursuing a Doctor of Science in Cybersecurity at Capitol Technology University
Years in IT: 21
Years in cybersecurity: 17
Cybersecurity certifications: CISSP-ISSAP, CCSP, CAP, CCSK, CEH, CHFI, GCWN, NSA IAM, NSA IEM, Tripwire Enterprise Administration
How did you decide upon a career in cybersecurity?
Even before officially being employed in the IT field, I was fascinated with security. I ran my first blog in the mid-1990s where I covered various security topics. I worked as an engineer for a military organization when RCERT performed a penetration test on our network. When they presented their results, I was hooked. I knew I wanted to move more into the security side of IT and started looking for opportunities to integrate security into my work. I wrote scripts to automate security log review, integrated patch management into change control processes and performed passive reconnaissance of our organization from the internet looking for exposures; it just kind of snowballed from there.
Why did you get your CCSP®?
Cloud security is a passion of mine. Even with the experience I had, there were a lot of gaps that needed to be filled. There are so many aspects to security in the cloud; I felt formal training in the various domains would allow me to round out the areas I didn’t have as much exposure to, and allow me to better serve Harland Clarke Holdings (HCH) and our clients. HCH takes security seriously and is committed to protecting their assets and client data – both in terms of cloud security and more traditional forms of IT security.
What is a typical day like for you?
I’m not sure I’ve ever had a “typical” day. There are so many facets to cloud security and I get pulled in various projects as things develop. Some days, I am in meetings with vendors reviewing contracts to map cloud-vendor security controls to our policy, standard and data sensitivity. Other days I’m working on our Cloud Risk Management program. Recently, several days were spent analyzing technical-architecture designs and documents to integrate onprem systems with cloud-based systems. This process required analyzing the network and application access controls between cloud and onprem systems, data flows between the systems, performing risk assessments and making recommendations to ensure proper controls were implemented. Other projects include working with cloud access security brokers to integrate DLP and malware scanning APIs in our cloud footprint.
Can you tell us about a personal career highlight?
One career highlight was an opportunity to be a part of a panel discussion with Dr. Ron Ross of NIST and Brigadier General Wooten from the Air Force Space Command. We were discussing the DoD’s transition from DIACAP to RMF. Discussing risk management, advanced persistent threats and supporting the warfigher with Dr. Ross and General Wooten was an incredible experience. A second highlight was when the U.S. Army built a new hospital at Fort Benning and had efforts to run both hospitals simultaneously, while ensuring security never lapsed. We had a great team and managed to achieve an authority to operate after a single IV&V. This was an incredible accomplishment that required a great deal of work and collaboration between many organizations.
How has the CCSP certification helped you in your career?
The CCSP has provided me with the tools to grow the maturity of HCH’s cloud security program. I was able to immediately apply what I learned to the numerous cloud projects we were engaged with. It also provided a stepping stone to being part of an (ISC)² working group that worked to revamp the next round of CCSP training, as well as opportunities to be involved in Cloud Security Alliance (CSA) working groups. The CCSP has provided the opportunity to make contacts with cloud security experts from all parts of the world.
What is the most useful advice you have for other cloud security professionals?
I would highly recommend pursuing the CCSP. The quantity of information covered better prepares one to work in this domain. I would not stop with the CCSP. I recommend getting involved with the CSA. The CSA is making great progress in changing the way industry approaches cloud security. Step out of your comfort zone and build relationships with legal, procurement and portfolio management professionals at your organization. In my experience, these departments are thrilled when they have someone they can rely on to provide expert guidance when migrating data and processes to the cloud. They feel more confident moving processes to the cloud, purchasing cloud services and signing contracts when they know someone with cloud knowledge has reviewed the risks and provided valuable feedback.
As Bob Johnson once said, “When entrusted to process, you are obligated to safeguard”. Never has the saying been more applicable in our industry. As the shift to cloud-based computing continues at a staggering pace, security professionals need to understand the cloud ecosystem and the security required to safeguard company and client data. Companies have invested an incredible amount of trust in security professionals. It is our duty to ensure we make every effort to honor that trust by providing the best guidance we can so the business can make informed, educated risk-based decisions.
For information about the Certified Cloud Security Professional certification training seminars, visit https://www.isc2.org/ccsp-training/default.aspx.