In this interview we talk to Stuart Ritchie-Fagg, senior information security analyst.
Stuart, welcome and thank you for participating in this interview. How did you decide to embark on a career in information security?
Well, security really decided upon me. My background was always fundamentally administration within business operations, and an opportunity arose to break into compliance. That compliance experience, plus the other experience I have obtained over time, provided me with the springboard into the world of information security, and here I am today.
What have been some of the biggest challenges you’ve experienced with improving information security or building an effective information security management system, and how were you able to overcome these?
In my opinion, people are one of the biggest stumbling blocks. It’s a real challenge to articulate policy in users’ terms and it’s challenging to deliver security awareness, as users feel they have heard it all before. To overcome this I have found it’s best to use layman’s terms, and make security easy for users to understand. This can be achieved by articulating the risks at their personal level. So it’s key to deliver awareness at both a personal and corporate level to alleviate the ‘This is the command of the company’ approach and adopt the ‘This could happen to you’ approach.
What do you believe is the biggest and most important element of information security today, and why?
The security industry is too big an industry to pinpoint one specific element. There are the usual things, such as employing good governance, technical controls, managing risk, etc. But, personally, I place the emphasis on and around people. After all, companies, within reason, can deploy limitless technology to control security risks; however, it’s the people who click on a link in an email or pick up a phone and release information. I feel the industry appreciates that this is important but hasn’t really got to grips with this element as yet. People still see awareness as a ‘tick in the box’ compliance piece, whereas it should actually be something they would find interesting, thus paying attention to it and remaining vigilant.
What personal attributes do you believe a security analyst should possess?
It’s key to be a ‘people’ person. As an analyst, you need to speak to numerous, different stakeholders across both business and technology. The ability to communicate and interact with people, plus technical knowledge and experience, enables a good analyst to articulate security risks or issues in layman’s terms to the different teams that they will encounter. It is also important to focus on getting the results the business requires.
What are some of the obstacles you have experienced in developing your career?
The biggest challenge was gaining the necessary technical experience. I came into the security industry from a business-focused background. As such, I didn’t really have much in the way of technical experience. However, I realised quickly that I needed to position myself as a holistic security professional – someone who could offer the governance experience but also complement this with the technical experience. So, to achieve this, I started taking an interest in the technical side. Through my various security roles, I have been lucky enough to have the opportunity to become more technically astute. That being said, I’m always open-minded that there’s quite a lot more to learn, so I have a long way to go yet.
How important is having a formal qualification such as CISMP/ISO27001 Lead Implementer/Lead Auditor, and how has this helped you in the past?
Personally, they have both been very important for me. The qualifications I have gained have given me a much better understanding of the standard security principles (CISMP), which started me on my way, and then the finer points and controls that are contained within the international standard (ISO27001 Internal and Lead Auditor training). Training also introduced me to the world of information security, which is what I needed at the time. The training on ISO27001 provided me with a more granular view of the information security landscape, and helped to embellish my expertise. By having knowledge of both these areas (security principles and standards) I have been able to understand and articulate information security risks and elements in a more understandable and practical way.
How do you believe ISO/IEC 27001 will evolve in the future, either in the UK and/or globally?
The standard, like anything within the security industry, will need to keep pace with the continued changes going on within the industry, both on a risk and technical level. I see a stronger focus on the specific controls and perhaps a greater need for those controls to be reviewed fairly regularly to ensure they continue to support the risk appetites and operations of businesses.
Do you have advice for other individuals wishing to enter the profession?
I would tell them to think about what they want to achieve from a career in information security. What are their reasons for entering the industry? There are numerous areas and facets within the information security industry, and it would be important for them to consider which area would be best suited to them. Personally, and as previously stated, I have found it best to adopt and position myself as a holistic professional: someone who can not only write a policy but also be in a position to articulate the risks and implications on both a business and technical level. This ability will stand anyone in good stead for a future career within the information security field.