Name: Timothy Meryweather
Title: IT Auditor
Location: Greater Los Angeles Area
Degree: Bachelor of Science
Years in information security: 6
Cybersecurity certifications: SSCP (ISACA: CISA, CRISC)
How did you decide upon a career in cybersecurity?
Our Audit Department’s Senior IT Auditor needed help and I was transferred from Background Licensing. Right place, right time. I possess a guardian spirit and have mostly worked in similar areas of employment: U.S. Marine, Deputy Sheriff, Police Officer, Private Security/Life Safety, casino surveillance, background licensing investigator. With my investigative training background, auditing the cybersecurity of information technology was a natural migration.
Why did you get your SSCP®?
To properly audit, you need to know the area of your audit. SSCP is a foundational focus on the security systems of the information technology enterprise from a practitioner viewpoint. By knowing how enterprise security should be done, I had a good baseline from which to interview and gather the essential ‘evidence’ needed to determine assurance that the security practices in place were appropriate and best practice.
What is a typical day like for you?
I start with reviewing news feeds to keep up-to-date with the changing threat landscape and after-hack reports to learn how it was accomplished. This information is then developed into audit questions for the numerous audits we perform each year based upon industry regulations and current IT projects. Audits are a mix of in-field interviews, walk-throughs, sample documentation reviews and report generation.
Can you tell us about a personal career highlight?
I identified vulnerabilities in the vendor remote access process (at the same time hackers were breaching Target in Spring 2013) and in the VoIP telephone system. We brought these to IT senior management’s attention, which resulted in their remediation by process and equipment methods. Also, I just passed the December 2015 ISACA CISA and the March 2017 ISACA CRISC exams.
How has the SSCP certification helped you in your career?
When speaking with infosec professionals and IT directors, the SSCP certification indicates I have the knowledge and understanding to perform the security system functions, so my audit questions are real-world based and purposeful, and not just what IT personnel would consider ‘nuisance’ questions asked by an auditor who has no idea what the question pertains to.
What is the most useful advice you have for other information security professionals?
Know your career path and take the foundational certifications that identify your skill sets. Create news feeds to keep up-to-date on cyber issues. Read and learn from others’ misfortunes; learn where they failed and then objectively look at your system or process and ask “Could that happen here?” Regardless of your position, all IT/infosec personnel are Blue Team members, and the current game of IT Battleship is ongoing. Your opponents are constantly trying to sink your ‘Enterprise’. Regardless of whether your company is large or small, defense is constant vigilance. And the status quo of yesterday was just that – yesterday. Learn that the best defense architecture is just an obstacle for a puzzle-master hacker. Your vendor software is faith-based – your faith that they coded it securely. Patch Tuesday is the known vulnerability – not the Zero Day library. Learn from police burglary reports – the same methodology crooks use to identify weaknesses in physical security systems is used on cyber systems. A locked and bolted door with a large Rottweiler may look good to you – but the thief will simply smash the decorative glass, kill the dog and walk through.
Along with a great mentor, SSCP was the foundation for my new career. SSCP is boots-on-the-ground foundational security for the infosec path.
For more information on the Systems Security Certified Practitioner certification, download our Ultimate Guide to the SSCP.