How do you know if you have a solid cybersecurity program? You may have anti-virus installed and you change your computer password quarterly, but how do you know if your security program is truly effective? When you can’t see your gaps, it’s hard to make improvements and even harder to pick up the pieces after a security breach. That’s why Cybersecurity Consultants, like ProCircular’s Andrew Chipman, collect all the information they can, then measure your active security controls against their library of applicable standards.
Cybersecurity Consultants handle most of the non-technical elements of cybersecurity. They help your organization measure its maturity and implement controls to improve your overall security posture. Most of their assessments consist of interviews with key personnel to investigate all potential risks to the organization. They inspect everything from the fire-suppression system in your server room, to HR’s off-boarding policies, to the executive plan for responding to a tornado or flood!
Andrew is based in Des Moines and has been with ProCircular since February of 2019. He is a father of three, and he spends his spare time delighting family and friends with home-roasted coffee! It was my pleasure to connect with Andrew and discuss his background and role within the cybersecurity industry.
How did you get started in cybersecurity?
I went into college with the idea that I would get into IT, and I didn’t really pay attention to security. I spent my time studying the management of IT systems, sysadmin-type activities, development, etc. However, when I graduated from college, the job market was rough, and I was up for anything. I found a position available as a security analyst. They wanted me to do some sysadmin work, as well as learn the security side of the house. I spent a few years acting as a sort of dual-purpose sysadmin and learned a little about the security field.
Is it common for organizations to combine IT and security roles like that?
Smaller organizations tend to do it. In this case, they just needed a smart set of hands to handle tasks for that whole team. We supported the e-commerce side of the business: roughly 250 websites and their supporting infrastructure. We had a small ecosystem of IT within the larger organization. That’s why I served the dual-purpose role. They needed help with sysadmin work as well as implementing and maintaining security controls. A couple of years in, the organization shifted, and they needed more help with security controls. So, they sent me to training, and I got my GSEC from SANS.
Did you find that training valuable?
Yes! That is one of my top recommendations for gaining experience. If you can’t learn it on the job, the best place to get applicable knowledge is through an organization like SANS. That is where I got my true start in security. Once I was certified, I really started to cut my teeth in the role. I couldn’t recommend SANS highly enough!
How long did that training take, from initial interest to certification?
I think it took me about four months. I did it through prerecorded videos online, so I didn’t actually go to a conference for that one. The instructor-led training was really helpful in determining which topics hold the most weight in the real-life work environment. Different people learn differently, but if you can swing it, I would recommend doing both the conference and the virtual training. Either way, you’ll get access to all the videos, practice quizzes, and other resources.
Were you still working in security at the time?
Yes, I continued working and applying security controls throughout that organization. I learned a lot about the security life cycle, some technical stuff, and some governance and strategy. I got to dip my toe into everything! Later on, they sent me to get my CISSP training. When I added those letters to my LinkedIn, as is the case with that certification, the job offers started rolling in!
I had one offer that I couldn’t refuse, so I moved from a very large organization to a mid-sized one. I started as the sole security person, rebuilding their security program from the ground up. It was fun, at first, because you can make a big impact. But, I didn’t have much support, so that became a little overwhelming. We ended up adding some positions underneath me, but it was still difficult to make changes. I reported directly to a CIO, so I learned quite a bit about governance and strategy. I also learned a lot from the Director of Internal Audit by supporting his audit team during quality audits.
What is the difference between a quality audit and a security audit?
They are very similar controls: How are you monitoring quality for this particular manufacturing line? What are the artifacts you collect? What is the process you follow to produce the outcome? For example, most manufacturing companies use the ISO 9001 standard to certify the quality of their products. The idea behind any internal audit is to get an objective view of your controls without any influence from the organization. I shadowed an experienced auditor, and he taught me some of the invaluable soft-skills that you can’t get through certifications. It was fun to learn about the internal audit process and good audit principles. Plus, I got to know people from all over the organization!
My next job was with a huge, global finance firm. Gaining experience there felt like drinking from a firehose! Besides the regulations around the financial industry, I was learning about international regulations and the different nuances of operating at such a large scale. Their global head of security was based in Europe, so I managed US operations. I also partnered with the US Head of Compliance to support audits around the world.
Don’t security and compliance go hand-in-hand?
They can be separated, to a degree, but they often live together. When there get to be too many compliance controls to maintain alongside security controls and strategy, you need somebody dedicated solely to compliance. There is a ton of work that goes into gathering that evidence and ensuring that noncompliance is remediated. Still, I worked very closely with that Head of Compliance to figure out our program and attest to the controls we had in place.
I learned a lot about how mature operations operate and how to use limited resources to meet high demand. Even though we were a large organization, the security team only had five people, and the compliance team only had three. I think that security team has grown to over 40 people now!
Do you think a security team of that size would perform their own penetration tests?
Nope, they still contract out red-team work. There are just so many controls to maintain! Not to mention all the control infrastructure, processes to be built, etc. My “IT security” team was intended to manage endpoint security, development security, network security, and server security. Eventually, each of those sectors required more attention, so we developed smaller teams dedicated to these narrower security tasks.
Considering your experience with small, medium, and large companies, what about ProCircular struck you as unusual?
I’d never worked for a consulting organization before. Also, I’d never worked for a start-up, so everything about this company was new and different. I had gotten used to running every little thing through my supervisor and a committee, just so much red tape! Coming to ProCircular, we were encouraged to take ownership and mature our own space. I had to retrain myself to just put my ideas into action.
Another positive is that Ty, our new CISO, has a very good command of risk and compliance strategy. It’s always nice to have fresh eyes on the program. He has a good vision of what we need to keep and what we can evolve or mature, and that’s refreshing. I think this strong leadership will continue to produce positive change.
***
Cybersecurity auditors ensure your security program is doing what it intends to do. As advisors, they partner with your company and measure your security posture against standard controls, offering recommendations about mitigating risk. Visit our Contact page or click to learn more about ProCircular’s Risk Assessment, Consulting Services, and Virtual CISO programs!