Real Talk with CCSPs: An interview with Vanessa Leite, CCSP, CISSP

We often hear that cybersecurity certifications have a global reach. When we spoke with Vanessa Leite we learned how true that actually is. Vanessa holds several certifications, including vendor-specific ones, along with the CISSP and CCSP credentials from (ISC)². She exemplifies the idea of “stepping out of one’s comfort zone”. Vanessa’s joy of sharing her knowledge, as well as her thirst for continual learning, are deeply motivating.

Q: What job do you do today, Vanessa?
A: I am a principal in cyber strategy and consulting with a global cyber security company. What that means is that it is basically an executive-level role, with a focus on delivering complex cyber security projects. A large part of my job has to do with cloud security. I currently work at CyberCX, which is a pure-play cyber company, but before that I mostly worked with financial service organizations.

I am based in New Zealand / Oceania right now, but I have also worked in countries around America and Europe. At the moment, I am leading an engagement with a client based out of Switzerland, which is requiring significant travel.

I'm originally from Brazil and the main reason I moved to New Zealand was because I thought that I needed an overseas experience. My English was pretty bad and I wanted to feel more confident with the language in general – but it ended up becoming something more than just that.

Q: Were you offered a job specifically in New Zealand, or did you seek that out as a destination?
A: I was back in Brazil, working in a contractor cyber role with British American Tobacco, when I was offered a position with Ernst & Young (EY) in New Zealand. EY is one of the big four global consulting firms. They offered me a position in Wellington (New Zealand’s capital), and they facilitated everything for me to move here. That was my first work experience in New Zealand. Since then, my husband and I have gotten a house, two dogs and lots of good friends.

After EY I had a few other roles with a few other companies (mainly financial service organizations) and about a year ago I joined CyberCX. CyberCX is a relatively new company, but they are growing fast. They seek to offer end-to-end cyber security services to organizations that are working to mature their security practices. This end-to-end service approach (being able to assist organizations from strategy and board-level reporting to penetration testing and tooling implementation) is a gap in the current market.

Q: Why did you first decide to get into cybersecurity?
A: Back in Brazil when I was around 16, I decided to pursue a general computer and network technician course, which allowed me to get my first job opportunity in technology. It was then that I met Nina, a technology manager and my boss at the time – she later became my close friend. She was extremely knowledgeable and competent and soon she became a role model for me. Nina was at the time doing a cyber security degree at the university, which was very unique as not many universities were offering a cyber security related course. I remember her excitement about the number of different things she was learning, such as forensics, penetration testing and all the topics that would be required for cyber security jobs, as well as certifications. Nina’s enthusiasm inspired me to pursue a cyber security degree. By the way, she not only motivated me to enter university, but she also supported me in many different ways during the first years of my cyber career journey – if I am where I am today, it is also because of her.

After a little while I managed to get a job with a startup as a cyber threat intel analyst (my first role in cyber security) and soon after my career started taking off.

Q: What was your route towards your certifications?
A: Certifications, such as CISSP and CCSP, provide you with the foundation knowledge and skills required to work with cyber security. Obtaining these certifications was essential for my development as a security professional and for gaining the expertise I needed for performing my role.

Additionally, certifications from widely recognized bodies such as (ISC)² clarify what is factual information versus what is just opinion. I stress this a lot with my teams: the importance of distinguishing between fact and opinion and providing recommendations based on facts, which must be supported by data. The (ISC)² Common Body of Knowledge is a great source of information in that respect; I often refer to it for definitions and best practices. It is excellent for proving subject matter knowledge without taking a vendor-specific standpoint, which may be too limited. On top of my (ISC)² certifications I also hold some vendor-specific ones such as the AWS Cloud Practitioner. Combining both is a good strategy for obtaining a more comprehensive knowledge.

Q: How long did it take to achieve the CCSP designation, and what resources did you use?
A: I've done many certifications and I know what works best for me in terms of absorbing and assimilating the knowledge I need for the exam. Self-learning is something I am used to and this was pretty much what I did for both certifications (CCSP and CISSP). I started with reading the (ISC)² material, which included the official Study Guide and Practice Tests books. This worked very well for me as I like studying on my own time, at my own pace.

Self-learning has worked especially well for me as I had a significant foundation of cyber security knowledge due to my years at university and to already working in the field. Some people might need more than six months to prepare for the exam. This will depend on their existing knowledge and experience. I would, however, recommend that a newer professional with limited experience perhaps enroll in the official training offered by (ISC)². That way, you can have the opportunity to ask questions and gain a better understanding of the material, and how to apply it.

Q: Did anything surprise you about the CCSP exam?
A: I had only positive surprises. In recent years, (ISC)² has made the exam process way more time efficient, in addition to providing more insights on the real challenges professionals would face in their day-to-day jobs. In particular, I like that the questions focus on a close-to-real-life problem which needs to be solved in a cost-efficient and pragmatic way.

Q: As you were learning the cloud security content, did it have an impact on things that you were doing at work?
A: Yes – 100%! I am a strong believer that certifications, combined with day-to-day experience, are the best way of learning. They provide you with a baseline knowledge and the tools you need to articulate your thoughts and ideas. For me, the learning I’ve got from CCSP was specifically important for understanding critical components of efficient cloud security architecture, such as the shared responsibility and accountability model between the organization and the cloud service provider, in addition to the security related risks.

Certifications assist you with validating and demonstrating your knowledge in a given subject or area. They also demonstrate that you are committed to mastering your skills and knowledge and may give you a competitive edge when applying for jobs. This is especially important when applying to opportunities outside of your local market (an overseas job for example) and there is a need to demonstrate expertise. Widely recognized certifications such as CCSP play a massive role in those situations. Certification also plays a significant role for organizations willing to demonstrate to clients they have what it takes to do the job or project.

Q: What would you say is one of the biggest challenges you've faced in your career?
A: I have been lucky to have had support and so many good people and opportunities in my life. Challenge-wise, if I had had more clarity about where I was going (what the pathways into cyber security were), and what kind of training and learning I should be focusing time on, perhaps I wouldn't have encountered some of the struggles that I had in terms of progressing in my career.

Unfortunately, I see these exact same issues still today when I talk to young professionals. Technology and cyber career pathways are still not clear enough, which makes it so difficult for people entering the field.

Q: As you look into the future, what ambitions do you have for your career ahead?
A: That is always a difficult question. I'm not someone who plans much, because I believe that planning leads to expectations, and expectations to frustrations. I do however have a vision of what and where I want to be in the future. Cyber security is something that I truly love doing so basically, I want to do my job with excellence and be recognized for my efforts so I can keep providing for my family. I want to do challenging and interesting projects, but I do also want to make sure that I have a good balance and sufficient time to recharge here and there – this is critical for performance and creativity. Ultimately, I also want to give back to the cyber and technology community and help other young and new professionals to succeed in their careers.

Q: It sounds like you really are enjoying what you do. What is it about your current job that you love?
A: I love what I do and the organizations and type of projects I work with – it's interesting and challenging. I also like the fact that what I do may have a significant impact on people’s lives, including safety. Having the opportunity to learn new things and be creative is essential for me. I also enjoy the fact that I work for a good company with good people, and that I have the support I need.

Q: How do you ensure your skills continue to grow?
A: That is another reason I like certifications in general. They challenge me to constantly learn. Certifications, reading a lot, and exchanging knowledge and bouncing ideas off fellow colleagues are the best ways of continuing to grow your skills and knowledge.

Q: Are there any other resources that you like to use to increase your knowledge?
A: I find that networking with other professionals is super important, because there is no way that I can know everything, so having a support network of people you trust to bounce ideas off and/or seek support from on topics and subjects that are not your area of expertise is essential to succeed in this field.

Q: Can you tell us about an achievement or contribution that you've made that you're really proud of?
A: I can’t remember a specific example right now, but I think that often we get disconnected from the end goal (i.e., why we do what we do). Cyber security is a super important job and it is very likely that the work you do is having a good impact on someone. Think about what your organization does, who their customers are, and I am sure you can think of a few examples of how the work you do is important for them.

I am particularly proud of a few projects I did with health care organizations, as I could see how much what I was doing (helping them to mature their cyber security practices) would have a direct impact on patient care and safety. Working with financial organisations is another good example; by improving their security capabilities we are directly helping to keep people from, for example, being scammed by criminals.

Q: What do you think is the biggest challenge for cloud security right now?
A: There are so many new technologies and so many different options and vendors that it can be confusing for organizations. The shared responsibility model between organizations and cloud providers is also not well understood. There is a danger in not properly understanding that relationship. If organizations are not clear about what controls they are responsible for, in contrast with controls their cloud provider is responsible for, they might end up significantly increasing their risk profile and the likelihood and impact of cyber security compromises and breaches.

Q: Would you say that the main solution is getting more people into the industry? Are there other solutions that you think are important?
A: There is only so much we can do in terms of getting more people into technology and security. We need to think about alternative ways of solving the problem, as the shortage of and demand for cyber security professionals will keep on rising. Cloud technologies and automation have the potential of assisting with solving this problem, in addition to freeing professionals from working on repetitive tasks so they can focus on more meaningful work.

Q: Who inspires you in the world of cyber security?
A: There are so many people out there, but I am mostly inspired by the people that work closely with me or people who have the courage to change their career paths and decide to pursue new journeys in completely different fields. Everyone else that has been here in my career, especially previous managers, and people that have guided and helped me have also deeply inspired me.

Q: What advice would you give to people who are considering a career in cloud security?
A: Continuous learning is essential. You will have to spend a considerable amount of time reading news and checking what's out there in terms of new technology, threat landscape, and others. Without it, professionals fall behind and can be less effective when performing their jobs. Ongoing learning is also essential to career success.

Additionally, we need technical people who are able to implement technologies, but we also need people with good non-tech skills such as communication, for example, so problems can be clearly articulated to Senior Executives and Boards. We also need people with different skills from different backgrounds to address cloud security problems. Therefore, don’t underestimate the knowledge that you have, and the value that you can bring to those initiatives or environments. There is a space for everyone, and organisations need this difference in knowledge and perspective.

Q: Can you tell us more about the mentoring that you provide?
A: I’ve been mentoring a young woman who wants to make a career change and enter cyber security. She has extensive business and accounting experience and is seeking to develop her technology skills. It is not a formal mentoring program, but I’ve been assisting her with the journey by sharing my knowledge and connecting her to other people who may also help. It's about leveraging my networking, sharing previous experiences and mistakes to guide her towards reaching her goal.

Q: Is there anything else that you would like to share?
A: I am a firm believer that certifications are such an important qualifier. Certifications can help people to stand out in the job market and obtain the knowledge and skills they need to succeed in their careers. Part of that comes from the trust that the industry has in organisations such as (ISC)². Certifications such as CISSP and CCSP give professionals credibility, in addition to a cost and time-effective option for qualification. Certifications are becoming key in most organisations; in many cases, they are as valued as a formal degree.

Vanessa is a perfect example of someone who has taken an unorthodox approach to continuous knowledge. Whatever your learning style, (ISC)² has an approach that can suit your individual goals and ambitions. Learn more about our training courses here.
