Cybersecurity: What is Changing and What Isn’t

Author: ISACA Now
Date Published: 21 December 2022

Editor’s note: ISACA member Sourya Biswas, CISSP, CCSP, CISA, CISM, CRISC, CGEIT, PMP, is technical director at NCC Group and a seasoned cybersecurity and risk professional based in Chicago. Biswas recently visited with the @ISACA newsletter to share his perspective on how the professions are evolving, the role security can play in advancing digital trust, what challenges the future will present, and more:

What drew you to the risk and security fields?

I started my cybersecurity journey with a role in risk analytics and developed an interest in cloud computing while studying for my MBA (I wrote many articles on the subject) before focusing on the security implications of moving to the cloud (served as technical editor of an authoritative textbook, Cloud Essentials). Starting off in IT strategy consulting in a Big 4 firm post-MBA, the economic downturn led to more cybersecurity work versus strategy until the occasional foray turned into a full-time cybersecurity career. I supplemented my learning through certifications while continuing to learn in a challenging startup environment before returning to consulting.

What drew me to this field, and still keeps me excited, is its dynamic, fluid nature. In cybersecurity jargon, attackers’ changing TTPs (tactics, techniques, and procedures) ensure there is never a dull day at work. Also, there is a sense of satisfaction in helping keep organizations safe from bad actors, especially in an environment where we have to be right all the time and they have to be right only once.

How has the profession changed the most in recent years?

A lot of things have changed, but a lot remain the same. Adversaries have gotten smarter, so defense has had to do the same. Every piece of technology has a computer embedded in it nowadays – cars, fridges, thermostats, cameras, speakers, and of course, the ubiquitous mobile phones – resulting in a vastly increased attack surface, and the need for trained professionals to protect this Internet of Things (IoT). The general migration to the cloud has also encouraged the growth of professionals seeking to protect data outside the confines of on-prem systems.

However, some core tenets still hold true – restricting user access, limiting system functionality, backing up critical data, planning for disruptions, and of course, security awareness training. Even the best of security controls can be overcome by a user clicking on the wrong link (phishing), visiting the wrong website (drive-by download), connecting to the wrong network (rogue access point), opening the wrong attachment (malicious macro), letting the wrong person into a secured area (tailgating), or, quite simply, disclosing the right information to the wrong person (vishing).

I believe the profession has gotten more specialized, but that is not an excuse to over-specialize. For example, a security professional should seek to gain expertise in a specific area such as asset management or access control or vulnerability management, not in specific tools like ServiceNow, IdentityIQ or Qualys. That is because the best tool does not remain the best forever; over-specialization can result in that knowledge getting outdated and the professional unemployable in this rapidly evolving world of cybersecurity.

What are the most important things security professionals can do to help their organization establish digital trust with customers and other stakeholders?

For a security professional working in an organization and looking to establish digital trust, I would recommend the following:

  • Customers: Too much security can render a product or service unusable. Therefore, one should not go overboard with security. At the same time, if customers have entrusted the safety of their data to the organization, it is important to justify that trust. Data is the modern treasure that attracts unwanted attention, and so must be adequately secured. Expert, objective, third-party validation via audits (SOC 2, ISO 27001) and penetration testing can help communicate the efficacy of existing controls. Also, for customers’ benefit, and by extension the organization’s, they should be made aware of how to securely use the product or service that they pay for. Finally, in the interest of transparency, any incident that affects the security of customer data should be clearly communicated, along with the steps taken to remediate it and prevent a recurrence.
  • Organizational stakeholders: For non-security stakeholders, the security function may seem like a cost function with no measurable benefits. It is important to communicate how security supports the overall organizational strategy by helping expand into new markets, meet compliance requirements, overcome disruptions, and prevent regulatory sanctions. On a tactical basis, demonstrating the effectiveness of existing controls (malware quarantined, suspicious connections blocked, etc.) can help build trust organization-wide.

What guidance might you have for newcomers to these professions?

For newcomers, I have one simple piece of advice – don’t stop learning. While this may sound clichéd, it’s especially true for a profession as dynamic as cybersecurity. Secondly, it is important to understand that while professional degrees and certifications can help, nothing can replace real-world experience. Case in point: a colleague named Damon Small, who studied music in college, started his career in sound editing, then fell in love with computers and taught himself how to break into them. Today, he has pivoted from the offensive side to the defensive side of things and is a very respected security professional.

While my expertise is in assessing and improving organizations’ security programs or essentially playing defense, the offensive side of cybersecurity is also a very exciting place to be, as long as you use your powers for good – for example, penetration testing where you simulate attackers by attempting to overcome existing protective measures and breach the information ecosystem. Finally, as I mentioned earlier, specialize in a field and not a tool so that you always keep yourself updated with the latest developments.

What are some of the career and industry challenges ahead that you are most looking forward to?

We are living in an age of automation and peering into an age of artificial intelligence (AI). Combining the two, as AI-driven automation, would render many of today’s jobs redundant. A major career challenge that I look forward to overcoming is keeping myself and my skills relevant in such an environment.

With respect to the industry, I believe the challenges that will keep us occupied are:

  • Insecure cloud – many users misunderstand the “shared responsibility” aspect of the public cloud, where security “of the cloud” is the provider’s responsibility, but security “in the cloud” is the customer’s
  • Unsafe remote working – even post-pandemic, remote working will continue to exist, and with it, challenges around phishing (fake remote login pages, impersonating company Helpdesk) and insecure devices (BYOD) and connections (insecure wireless)
  • Supply chain attacks – significant risk considering the huge number of vendors a typical organization works with; SolarWinds is the most well-known example
  • Ransomware – very large threat, and possibly a bigger threat going forward considering the spread of IoT and expansion of the attack surface

What do you like to do for fun to decompress from the hecticness of work?

I consider my cybersecurity consultant role as my second job that pays the bills to support my first job – being a father to two naughty, adorable munchkins 5 and 4 years old. Playing with them, arguing with them, and answering their questions (sometimes surprisingly quite thought-provoking) is the best stress reliever in my experience. And after tucking them into bed, watching evergreen comedies like The Office and Friends with my wife is how I end my day on a good note.