Name: Richard Carpenter
Title: Information Security Manager
Employer: Global Media and Entertainment
Location: Devon, United Kingdom
Years in IT: 10
Years in cybersecurity: 7
Cybersecurity certifications: CISSP
How did you decide upon a career in cybersecurity?
In my previous role supporting Identity and Access Management, a certain amount of due diligence was required when auditing user accounts, logon usage, permissions and security best practices for Access brokers. This sparked my interest in a cybersecurity practice outside the traditional ‘Security Operations’ role.
Why did you get your CISSP®?
While reviewing the market for training opportunities to upskill in my new chosen career, I came across the (ISC)² CISSP certification in many places from online training, infosec seminars and colleague referrals. The industry as a whole held (ISC)² and the CISSP certification in high regard, so this was an obvious choice.
What is a typical day like for you?
Part of the appeal for this industry is that we don’t really have a typical day. Yes, we do have the repetitive tasks that start our days - reviewing audit and anomaly logs, reviewing and responding to vulnerability reports - but each piece of work that comes across your desk has its own unique elements, such as third-party supplier reviews, system architecture reviews and supporting digital transformation strategies.
Can you tell us about a personal career highlight?
While being a member of (ISC)², during the EMEA Secure Summit I was asked if I could contribute to an IoT Security Training Course. This was a great opportunity for me to be actively involved in an education programme designed to provide the knowledge to securely deploy IoT devices within a business network. My work on this project was recognised by (ISC)² and I have been presented with an (ISC)² 2017 coin.
How has the CISSP certification helped you in your career?
The CISSP CBK® covers such a wide range of subjects and the knowledge learnt has helped in technical disciplines, but more importantly it has helped me to better understand our business. When you take into account subject matter such as Business Continuity Planning, you have to understand your business better, which you can only do by talking to stakeholders. While getting to know the business better you get a better understanding of systems, infrastructure, processes and people which will help to inform future decisions. We could get too wrapped up in the technical controls and solutions, but the wider range of subject matter helps you to better understand your business and its objectives and goals. This has a huge impact on your appeal to other business leaders who may seek your opinion or input which will raise the overall value of your opinion.
What is the most useful advice you have for other cybersecurity professionals?
Listen to the business. What are its aspirations and goals? How can you help get the business to those goals quicker with a measured level of risk?
To be able to make appropriate decisions or recommendations you need to understand what the business is trying to achieve and what the risk appetite is likely to be. With that level of understanding you will be a better advisor to your board bringing more value. This will give them more confidence in your recommendations and a desire to seek your opinion at a more frequent cadence.