Q: What is your current position at Intrum?
A: I recently changed positions, moving from Information Security Officer, into leading a new unit that will be help Intrum to manage and control all aspects of their information security compliance. Another colleague will take over my former role. I will be a leader of a team that will manage and create the formal security control framework that we will use in all our markets to identify any gaps, as well as assess the maturity or information security of each market. Let me give you a little of information about Intrum. It has a presence in 24 European countries, plus Brazil. While I'm very excited about it, it's not an easy task as you can imagine. There are many countries and markets to be assessed.
Q: What types of problems does the company solve?
A: Intrum is involved with nonperforming loans; servicing loans from debt, which, most of the time, are owned by investors. We support companies to help improve their cash flows and improve their profitability. We have more than 10,000 employees as a group, and we serve more than 80,000 companies.
Q: Going back to the beginning of your career, what attracted you to cybersecurity?
A: That happened while finishing my bachelor's degree in 2004. I was motivated by another student who was about to take the master's degree for network security in the UK at Royal Holloway. I was also looking to work on my master's degree, and cybersecurity sounded very interesting; to be involved in how to protect information, and to learn more about cyberattacks, as well as to understand the technical skills of how to bypass controls and gain access to systems, but always on the ethical side.
Q: What was your first cyber cybersecurity job?
A: The army was the first time that I got involved with something more related to cybersecurity, but my really intense involvement was in 2015 when I moved into the cybersecurity team in a banking institution here in Greece. That's where I was mainly involved with cybersecurity risk and vulnerability assessments, and then overseeing the information security policy.
Q: What prompted you to decide to focus more on the security aspects?
A: I always want to learn more and make advantages in my career. I was working in a system administrator capacity at the bank, and I wanted to know more about cybersecurity and follow the part of my master’s degree. I decided to apply to move internally to the cybersecurity team, which was not an easy position to get into, but they accepted me, and that was the job that got me into where I am now.
Q: Your first (ISC)² certification was the CISSP. What prompted you to pursue that credential?
A: After completing my master’s degree, I knew that the CISSP designation had a broad reach in cybersecurity, I wanted to further validate my skills.
Q: What then prompted you to undertake the Certified Cloud Security (CCSP) qualifications?
A: Well, as I say, cloud is in the present, and it will be here in the future. It affects everything, every day, both in business and our personal lives. Every company will always have a footprint in the cloud. The CCSP is a credential that – as a cybersecurity professional – you need to invest in. It is an asset that will serve you for years. That's why I started training in cloud security. I think every cybersecurity professional should go in this direction.
Q: Did you have any formal training or other resources that you used to prepare for your examination?
A: Yes. I took the official (ISC)² CCSP online self-paced course. I had that for six months, including the flashcards and preparation exam test of 100 questions. I was working at the same time, and it was challenging to remain devoted to the training. I started slowly. I started in March. Here in Greece, August is one of the months that most of the people go on vacation, so I used all that time and finished up in September and took the exam.
I was making notes; hundreds of notes! That helps me to assimilate the information and the knowledge better. Then, it took me about two months of more intense studying before I took the exam. During my first sessions, I was looking at my notes, and then I was making another set of notes, but more compact this time. Then I took preparation questions. There are the official preparation exam tests I used. I took all those preparation exams. It felt like there were a thousand questions in these exams, and I took them all!
I also used the free material from Cloud Security Alliance (CSA). There are also specific groups within the (ISC)² Community site with other professionals who want to take the CCSP exam. The community site is free to log in. You do not have to be a member of (ISC)² to get access to that. Finally, before taking the exam I had four days off. I made even more notes which were used to study the last day before the exam. It's not an easy exam. I, in the last four days I was studying for 12 to 14 hours. Yeah, that was intense, but I wanted to be well prepared and 100% sure I would pass the exam. The exam that I took was only available at 125 questions because it is changing to a new exam format in August (2022). With that exam, you had three hours to complete it, and once you answered one question, you moved to the next one; you were not able to go back.
Q: Did anything surprise you about the content that you learned, anything that you weren't expecting, or anything that was just different from how you'd expected it to be?
A: I was surprised with the deep knowledge I gained, because I was already involved in cloud assessments and reviewing cloud installations. It is a very well structured course, and what also surprised me is how up to date this information is. All of the information in is relevant today. It also surprised me that it is changing again. This is a very good achievement for (ISC)².
Q: Did the course material change anything you were doing from your work perspective?
A: It changed the way I was reviewing cloud implementations and applications, having better knowledge, how this things work in the background, I was able to ask more relevant questions. It also helped me to get the CCSP certification.
Q: Has the CCSP designation had an impact on your career? Do you see the certification as a way to advance someone’s career?
A: The CCSP credential is one that I recognize as an advanced level. Having this knowledge, and the certification, is a validation of skills. It distinguishes a person from other cybersecurity professionals. It is an asset I will continue to maintain. It opened the right doors and made the difference for me getting to move internally in the group at Intrum.
Q: Is your new job something that you've always wanted to do? What attracted you to this new position?
A: What brought me to the position is that it intrigued me. The challenges involved with multicultural countries and other markets is wonderful. We are involved with diverse populations, and that is very significant and educational as well. This is in the career path I want to have. From the administrative side, the compliance part of cybersecurity, and information security is extremely satisfying. The core of it is that you should be able to know how to audit or to assess a control. You have to know what it is you are able to do, and to know what options are available, what you should do in order to have the assurance that a threat or risk is mitigated correctly, and that a policy is appropriate.
Q: What are your ambitions for the future for your career? What would you like? What would you want your career to be like?
A: I want to advance more, so my goal is to be a Chief Information Security Officer. I want to keep moving up upwards as long as I'm able to do that.
Q: Can you tell us about an achievement or contribution that you're really proud of that you've achieved in your career?
A: I've been involved with many cybersecurity awareness exercises for the general public. When I was first elected as the Secretary of the (ISC)² Hellenic Chapter, I lead the team of 13 cybersecurity professionals in order to translate the Safe and Secure Online materials to Greek. That took us around one year, during which we had physical presentations for the parents. We were the first chapter to present the material online to the parents during the pandemic. We have also collaborated with other non-profit and private educational organizations to promote online security for children, as well as the general public, by creating cybersecurity awareness animation videos. I was also part of an interview as a subject matter expert for a local national television series called The Network, where they presented achievements in technology along with related cybersecurity risks for kids. We were recognized with a bronze award in Public Cybersecurity Awareness at the first Greece Cybersecurity Awards 2022 by Boussias. That is one of my favorite accomplishments.
Creating the materials takes a lot of time and effort, but once I started, it flowed naturally. And I wanted to do more, because I was getting positive feedback, whether I was making presentations to various audiences, or from other colleagues. We also saw what the outcomes were from what we did, and it was very encouraging to move forward.
Q: How do you make sure your skills stay cutting edge? How do you like to keep learning?
A: All (ISC)² members are required to submit a certain number of Continuing Professional Education (CPE) credits each year. You can gain credits from various activities, for instance, delivering presentations, or taking part in, or and attending online or physical conferences, watching webinars, or taking trainings. There are technical assessments for someone who is more technical, like “Hack the Box” that have a collaboration with (ISC)². This all helps a person to keep up with developments in the industry.
Q: What do you think are some of the biggest challenge challenges for cloud security right now?
A: I've been engaged with cloud for more than 10 years, and I have seen many developments in the cloud infrastructure, and the way cloud services work. And I'm sure that we'll see many new developments coming as well. So, we know that new developments and new technologies introduces new threats. When we combine that with the global cybersecurity skills gap, it presents a lot of challenge to anticipate in the coming years.
To combat that, we have to use specific strategies, such as zero trust architectures, and defense in depth solutions. We also need to combine these with best management practices. And, of course, above all, we need to have user awareness embedded in this; from the top level, to the lowest employee in the company. Everyone needs to know and understand the value of cybersecurity. This is also why I participate in public awareness presentations. It is important to inform the general public that security is not something that only happens when we are at work, and not only something that the companies have do to protect their information or company information. It has to carry over to everyone’s personal lives. We all have personal information that we want to protect, and these two concepts are combined. If we understand the value of protecting our own information, then we can understand why this is needed at work too. Cybersecurity is everyone's responsibility.
Q: Who inspires you in the world of cybersecurity?
A: I have many conversations with colleagues and other professionals from the(ISC)² chapter, and friends who are in the same industry. There are so many unsung heroes. Some of the more prominent names include Ramses Gallego, who is a very vivid presenter. I always enjoy hearing him, and I have met him. I enjoy having conversations with Ramses. One other more public professionals is Ira Winkler. His latest book is “You can stop stupid : Stopping Losses from Accidental and Malicious Actions”. And, of course, I'm inspired by the veterans like Kevin Mitnick, and Bruce Schneier.
Q: What advice would you give to those who might be considering cloud security as a career option?
A: They should certainly consider it, because it is the way to move forward. Cloud is the present, and the future, so it's here to stay. Everyone will use it. It is what we're going to see over the next years. So, being prepared in that field is something that will be a career asset. You have to be able to understand how it works, what are the roles, and deployment models. And, of course, the most important is to understand the shared responsibility model. Cybersecurity is everyone's responsibility, and especially in the cloud, when using services from vendors, depending on the model, an amount of responsibility is placed with them. You have to be able to understand this and to know this in order to protect what is at stake.
Panagiotis is a consummate professional, and an altruistic contributor to the cybersecurity profession. His accomplishments, outlook, and his positive spirit are invigorating.
Learn how you can improve your cloud skills, and accelerate your career here.
The post Real Talk with CCSPs: An Interview with Panagiotis Soulos appeared first on Cybersecurity Insiders.
March 31, 2023 at 09:09AM
0 comments:
Post a Comment