The Certified Information Systems Security Professional (CISSP) certification is considered to be the gold standard in information security. This is so because of all the doors that certification opens to a CISSP professional. Those doors lead to many different types of positions and opportunities, thus making the information security community dynamic and multifaceted.
In support of this, (ISC)2 has launched a series of interviews to explore where CISSP certification has led security professionals. Last time we heard from Melissa Parsons. This installment features Chris Clinton. He is CTO and co-founder of Naq Cyber, he is an advocate of helping small business owners protect themselves against digital threats.
What job do you do today?
I am the co-founder of a start-up called Naq Cyber. We are on a mission to protect small businesses from cyberattacks.
What problems does your job/company solve?
We work exclusively with small- and medium-size businesses (typically consisting of 10-50 employees) that are offering professional services such as law firms and accounting practices. We offer a broad range of services to protect our clients. Our services consist of scanning, training, documentation and instant response.
We started because we didn’t really see anything out there taking care of small businesses in a holistic way. We want to be the last vendor our customers ever speak to in their quest for security.
Initially, we get them to a good baseline. Many SME’s don’t have anyone specialising in cybersecurity due to their size. They don’t realise things like the logon page for the admin section of their WordPress site is accessible to everybody on the internet. Or they allow users to log on to their email from any device without being aware of the risks. Once we work with our customers to get them to a base level, we can then look at additional services, but only if they really need it. We believe in having a totally ethical approach. We are not there to upsell for the sake of it. This is really important to why we started the business at all. We want to genuinely help people.
Why did you first decide to get into cybersecurity?
Like most people in cybersecurity, it was a pure accident. I left university, and I didn’t know anything really about cybersecurity, but I knew I wanted to work in IT somehow. I was due to start at QinetiQ the year I graduated, but a month before I was due to start, I had a phone call from them to say they were deferring all graduate jobs for a year. Originally, the job I was going to do with them was on PCB design but when they restarted the program a year later, they had closed that department. They offered me a place in the cybersecurity department instead, so I thought, “OK fine. I’ll give that a go.” Literally, that phone call has now led to me running my own cybersecurity company.
What was life like when you started out in your career in cybersecurity?
I graduated in 2010 from the University of Liverpool with a degree in computer science and electronic engineering. But I don’t really use anything I learned at University because the IT and cybersecurity world changes so fast. For example, cloud computing wasn’t even a thing yet 10 years ago, and now it is everything!
What was your first cybersecurity job?
My first job was working for a venture capital firm. Each year, they employed 10 engineers and 10 fashion designers graduates because that was what their portfolio consisted of. As you can imagine, the induction was quite interesting with a group of engineering grads and a group of fashion designers.
From there, I got a job offer from QinetiQ in their cybersecurity team, and I was employed as an information assurance consultant.
My first project there was working on the accreditation of the Galileo system, which is the European version of GPS. My job was to ensure that all aspects of the system, including the satellites themselves, were protected. It was a pretty cool job. It was really interesting. It was really good work.
What first attracted you to consider getting a cybersecurity qualification? Why did you decide to undertake CISSP?
It was actually when I was working for BAE Systems. They wanted (and thus paid for me) to take this qualification.
I was 25 or 26, and I was working with large corporations and government departments. I needed CISSP to give reassurance and credibility to our clients. CISSP showed them that even though I was a relatively young guy, I had the experience and skills they could be confident about. Also, I realized that when I was talking to a CISO, having the CISSP letters after my name could show real credibility.
How long did it take to achieve CISSP?
For me, it was a relatively short period of time. I crammed it in a bootcamp, which I wouldn’t recommend!
How did you prepare for the exam?
I undertook a week course. It was a 5 day bootcamp, lectures all day, studying all evening followed by revision on the Saturday and then the six-hour exam on the Sunday. It was hell on earth doing it that way!
What most surprised you about CISSP?
It’s incredibly broad. In the exam, you can have a question saying, “What does Layer 3 represent in the OSI model?” And then the next question might be how high a fence should be around a building! This is what is good about CISSP. It is so broad, and that in particular makes is so useful to what I am doing today. This is also why it is such a respected qualification. It demonstrates that you know something about everything.
Did it change how you approach your work?
Yes, a lot! I remember this explicitly. CISSP expects you to be able to talk with a reasonable level of confidence about everything. It takes techies like me and makes us more able to act as a management consultant, and it takes a management consultant generalist and gives them a much more technological understanding. It brings us to the same level and helps us all talk the same language.
What were the first changes you noticed after becoming a CISSP?
I was in a Pre-Sales (or Technical Sales) role, so I had to talk about the actual product and the solution, CISSP enabled me to ask the right questions to clients about their network, why they needed certain pieces of technology and how their team could use it. I knew to ask them about their risk appetite and their business continuity plans. What I learned in CISSP really helped me make the connections between the technology and the business needs. I was able to better understand business risk and how cybersecurity played into that.
What steps brought you to the job you do today?
CISSP really helped me get to where I am today. Holding this qualification is very important in the start-up world where you find a lot of people learning on the job. Being able to say I hold this certification and have a third-party verification gives a lot of credibility. As I mentioned earlier, the business we have set up gives a broad cybersecurity offering, and that is exactly the content covered in CISSP.
What is it about your job that you love?
I love being able to help protect people. Many in cybersecurity talk in militaristic terms. I think we need less of the war analogies and move towards the language of protecting and helping. This is what really motivates me, and what I really enjoy doing in our business. We are protecting people and livelihoods.
What achievement or contribution are you most proud of?
I am most proud of helping one of Naq's customers resolve an issue with their architecture which, if exploited, could have potentially led to the company going out of business and many good people losing their jobs.
How do you ensure your skills continue to grow?
The CPE requirement in CISSP is quite high. This helps to ensure that you engage in your ongoing learning. You earn CPE credits in many ways such as reading journals, taking part in webinars and going on courses or to conferences. In cybersecurity, it's really important that you keep learning because it changes all the time.
What do you think the biggest challenge is for cybersecurity right now?
The lack of people in the industry. There’s just not enough coming through right now to fill the jobs that exist.
In terms of challenges within cybersecurity, ransomware is the big one. It’s simple and cheap for a criminal to deploy, and it can have a devastating effect. The problem is that big businesses and insurance companies often pay the ransom, which makes it so lucrative. I’m seeing an interesting move now into a sort of “pre-ransomware.” These emails say that unless you pay this relatively small amount, we are going to deploy ransomware to you. As an SME, it’s scary stuff, and if I weren’t in this business, I might be tempted to pay it. We protected a client from exactly this threat recently.
Who inspires you in the world of cybersecurity?
The people I work with. We all have a very ethical approach to how we operate and how we do business. Outside of the industry, someone like Elon Musk inspires me. He looks at what problem needs to be solved and then comes at it from a different angle. He looks at what is really the best solution for the problem. I admire that creative approach to problem solving and trying to find the best solution to address it.
What do you think people considering a career in cybersecurity should know?
One of the biggest problems in attracting people to work in cybersecurity is the imagery attached to it. You see 1111000’s and young white kids in hoodies. That is all nonsense. This can really put people off. There is a wide variety of jobs in cybersecurity, and they can suit a large variety of skills. Yes, there are those that love nothing more than sitting there for 10 hours analysing a log file. Those people make great pentesters or security analysts. But there are many other roles, too. Take our co-founder, Nadia, who is a legal expert specialising in GDPR. There are a variety of skills and personality types needed in cybersecurity that sometimes gets lost behind the imagery you see.
To discover more about CISSP download our Ultimate Guide or learn more with our white papers, 9 Traits You Need to Succeed as a Cybersecurity Leader or The Definitive Guide to Cybersecurity and Business Prosperity.
Or, check out more interviews with CISSPs as a part of this CISSP interview series.