Name: Greg Harris
Title: Senior Security Consultant and Adjunct Professor
Employer: Big 4 Firm and Kennesaw State University
Location: Alpharetta, Georgia, U.S.A.
Degree: MBA, MS in Information Systems, BS in Computer Science & Mathematics
Years in IT: 15+
Years in cybersecurity: 13+
Cybersecurity certifications: CISSP, CCSP, CRISC, CISM, CISA, GCFA
How did you decide upon a career in cybersecurity?
McKesson Corporation hired me as a Security Infrastructure Engineer through a campus-recruiting program at Kennesaw State University in 2003. My undergraduate degree was a Bachelor of Science with a double major in Computer Science and Mathematics. With my Navy Electronic Warfare background, I thought I wanted to be an embedded systems developer and work on DoD projects. However, when I interviewed for the security role, and talked with the hiring manager about the responsibilities, I realized that information security was the career for me. Security spans all aspects of information and technology… and it continuously evolves.
Why did you get your CCSP®?
I decided to earn the CCSP credential to have verifiable evidence of my knowledge in the cloud security domains. This shows that my experience goes beyond general information security, auditing and risk management credentials. All of these areas are important, but the additional depth of the CCSP positions me as a trusted advisor for the rapid transition from the traditional on-premises datacenter to external cloud-hosted offerings.
What is a typical day like for you?
I work as a Security Consultant in the IT Services function of a Big 4 consulting firm. In this role, I support one of the major service lines by evaluating risk, and recommending security controls to protect the data that is stored and processed in our information systems. For some projects, this spans the typical SDLC. With other projects, this includes a technical evaluation of cloud providers with SaaS, PaaS or IaaS hosting models. This requires the ability to think both within and outside the traditional datacenter boundaries.
Can you tell us about a personal career highlight?
A personal career highlight for me is teaching undergraduate courses in the Information Systems and Security department at Kennesaw State University. This program is recognized by the National Security Agency and Department of Homeland Security as a National Center of Excellence in Information Security and Cyber Defense. I have taught Network Security, Systems Security, Crisis Management and Management of Digital Forensics & eDiscovery over the past four years. This gives me the opportunity to interact with future security practitioners at the beginning of their careers, and apply real-world knowledge to academic instruction.
How has the CCSP certification helped you in your career?
Studying for the CCSP helped me to think across the domains, and consider different aspects of cloud security when evaluating a solution. A few of the CCSP domains map directly to the CISSP (e.g. Operations), but there are nuances to cloud security that are not covered by the CISSP. Change Management is a normal part of daily operations with a traditional on-prem datacenter. This looks very different with cloud-hosted solutions, and across IaaS, PaaS and SaaS hosting models. The CCSP and Cloud Security Alliance Cloud Controls help put this in perspective.
What advice can you share about the process of preparing for your exam?
I enjoyed studying for the CCSP exam, and several of my peers have reached out for my perspective on the best way to prepare. My advice has been to have a solid understanding of the CISSP domains, and the Cloud Security Alliance Cloud Controls Matrix. With that knowledge, and practical hands-on experience, a security practitioner is well positioned to earn the CCSP. When I registered for the exam, I scheduled it three months out to give myself time to read the book and other materials without feeling rushed. This was a reasonable amount of time, and helped me stay focused.
What is the most useful advice you have for other cloud security professionals?
The most useful advice I can give a cloud security professional is to learn continuously. We all know that information technology changes rapidly; so it follows that the threat landscape evolves accordingly. Securing data, identities, operations and other elements in the cloud requires deep understanding of security controls, and creative solutions to apply internal policies to an environment that is managed by a third-party provider. Mundane controls such as log review can become much more complex when the centralized log management solution is hosted by the provider, and not immediately accessible by the incident response team.