CISSPs from Around the Globe: An Interview with Jerome Leach
The Certified Information Systems Security Professional (CISSP) certification is considered to be the gold standard in information security. This is so because of all the doors that certification opens to a CISSP professional. Those doors lead to many different types of positions and opportunities, thus making the information security community dynamic and multifaceted.
In support of this, (ISC)² has launched a series of interviews to explore where CISSP certification has led security professionals. In our first interview, we met Javvad Malik and heard about his experiences. This installment features Jerome Leach. He works as Cyber Officer in the Coast Guard Cyber Command for the U.S. Coast Guard. He is a security professional and keen researcher.
What job do you do today?
I am in the United States Coast Guard- Cyber Officer (Battle Watch Captain/Event Detection Team Lead/CGCYBER Command Training Officer).
What problems does your team solve?
When it comes to Cyber, we fulfil a lot of traditional IT roles; however, we are actively engaged with building and deploying our skillsets to assist and respond to Cyber-related incidents that may affect the Maritime industry. We play a huge role in mitigating system outages and ensuring that authorized service interruptions don’t affect overall USCG missions including search and rescue operations and drug interdiction. Our battle bridge hosts an array of different skill sets and watch positions…that are tasked with network monitoring, Cyber incident investigation, intelligence gathering and sharing amongst other government and DoD counterparts.
Why did you first decide to get into cybersecurity?
After I completed my undergrad, I was hopeful to one day attend some form of a medical program such as physical therapy, physician assistance etc. I had about a year’s worth of pre-reqs to complete, and I knew if I completed those courses, I would still need to wait an additional year in order to start the program. I enlisted, as I found that the military would provide me with another skillset along with additional options as I identified and worked through my ambitions. It was easy to serve, as my brother and uncle had both enlisted in the Marines, my step brother and one of my best friends had enlisted in the Army, and some of my college buddies had commissioned in the Air Force. I actually was given a medical job in the Air Force, only to have my recruiter call back the next day and say that that option was off the table. He then went on to say he had Cyber Surety available if I wanted it. Cyber Surety was my third option above Surgical Services as my fourth option, so I took it. Interestingly enough, out of 6-8 options, they were all medical except Cyber Surety.
What was life like when you started out in your career in cybersecurity?
I started my cyber career in 2010. As with anything that is new, it was a lot. We were expected to grab a concept and be able to work through a problem in a short time, but that was due to being a part of the military. The military tends to throw as much as they can at you, see what sticks, and then fill in the blanks.
What was your first cybersecurity job?
That’s again 2010, and it is part of my Air Force story. I enlisted as a 3D0X3 (Cyber Surety), and our primary roles were Computer Security (think policy, regulations, IG inspections), Communication Security (think crypto issuance and management), and Emission Security/TEMPEST (prevention of emanations, data leakage from classified system). At times, you might have even found some of us focusing as Combat Crew Comm or a Local Registration Authority for classified PKI issuance.
What first attracted you to consider getting a cybersecurity qualification?
It was mandatory!! Every enlisted Cyber Surety Professional had to obtain their Security+ prior to graduating Technical School. At the end of your 3-4 month (40hr per week) cyber training, you had to take a 2-week course in preparation to pass S+.
Why did you decide to undertake CISSP?
The CISSP is regarded as the pinnacle of certifications for Cyber Professionals. It is one of the certifications that demands a diverse background and foundational knowledge. The CISSP is held in high regard by practitioners worldwide, and it relays the competence of its holder. Having a CISSP does not mean you know everything about everything, but it shows that you have the ability to work through a problem and make an informed decision.
What prompted you to do that?
I was looking at maximizing my options within my career. Since I enlisted, my plan was to commission in the Air Force if possible. If not, I wanted to commission in the Coast Guard or to ensure a civilian career to support my family. I was meant to serve, and my first options were to be that of a Commissioned Officer.
How long did it take to achieve CISSP?
This is a difficult question because I can respond to this numerous ways. It took me roughly eight years from the time I enlisted until I passed my CISSP. The amount of education I completed was vast. From when I actually studied to pass the exam, maybe six weeks. I had the opportunity to take the exam with less than a week’s notification, and as expected, I did not pass. Afterwards, I studied for 4-6 weeks and passed the exam on that attempt.
How did you prepare for the exam?
Earlier, I stated that the timeline for obtaining my CISSP was difficult to answer. Granted, it took me six weeks to study for the exam. In actuality, it looked a little more like this. I enlisted and did 3-4 months of Cyber training. I attended Air Force trainings for TEMPEST, LRA, and COMSEC. Later, I completed a Master’s degree in IT and attended numerous boot camp style classes for CAP, CEH, CASP, & CISSP. I completed online training on FedVTE, skill port, and Safari, and I utilized other aids ranging from YouTube to various practice tests. The week I passed my CISSP, I was actually enrolled in a Vets2PM, PMP boot camp course, and I would study for my CISSP after hours at home. I was lucky enough to have been in numerous job roles. That allowed me to live what the CISSP tested, proving to be the best study aid.
What resources did you use?
I did take a CISSP boot camp course, but that was a full year prior to passing the exam. I needed to test for my CISSP before the boot camp’s voucher expired in a year. So I studied on average 15 hours a week over the six weeks prior to the exam.
What most surprised you about CISSP?
I had an idea of the style of questions to expect. Still, the CISSP had a way of presenting questions with varying answers that all seemed correct. It was a challenge to determine what the question was asking and picking the best answer that satisfied that question.
How did it change how you approached your work?
I think it reaffirmed my decision-making process and showed me there may be multiple solutions to a problem. It encouraged me to look at different aspects of a situation and to fully assess for solutions.
What were the first changes you noticed after becoming a CISSP?
When I passed my CAP certification, it told me “congrats” on the computer screen prior to picking up my “you passed” printout. When I completed my CISSP test, I didn’t receive a notification, so I assumed I failed. I signed out from testing and proceeded to walk out of the door. It was then the proctor asked if I wanted my score sheet, and I was like “I guess.” Seeing “I passed” was amazing, and the intrinsic joyful reward for that was phenomenal. Aside from the feeling of accomplishment, I would say I started receiving more praise, admiration and respect within the Cyber field.
How do you think you have personally benefited from becoming a CISSP?
It’s a testament to my undying relentlessness to do and be better. It validates what I am capable of and serves as a beacon for others to aspire to.
What steps brought you to the job you do today?
My determination to always move further with my education and skillset. I refuse to find comfort in the “easy way” and the “good enough” type of mind-set. When one door closes, another one opens, and I forge ahead. This has led me towards my commission in the Coast Guard. Prior to that I was Senior Cyber Security Engineer CTR, Army Reserve HQ (this was a 4-5 month job with the private sector, but I actually worked for the government), and before that Air Force ISSM, TEMPEST Manager, LRA, TPC COMSEC team member.
What achievement or contribution are you most proud of?
To this day, one of my most cherished accomplishments was when I was an Airman First Class (E3) in the Air Force (2012). I volunteered for an Afghanistan deployment from Cannon Air Force Base (an Air Force Special Operations Command base). Once deployed, I worked at the Combined Joint Special Operations Task Force-Afghanistan HQ (CJSOTF-A) where I was the Assistant Joint Operations Center Non-Commissioned Officer in charge. We had a platform known as the Command Post of the Future (CPOF), and I was tasked to learn it in a day and operate it in support of Daily Concepts of Operations (CONOPS). These CONOPS could range from perimeter inspection and local tribe visitation to rescue and recovery/Nine lines and troops in contact monitoring and support. It garnered our local commander insight into the environment, enabling timely decision making that supported our service members and allied forces. From my first day in Afghanistan, this system would randomly reboot 1-3 times daily, for maybe a 10-minute window. This was critical, as there were times we had service members in need of air support or resources. I recall a Marine Colonel furious at the untimely outages plaguing this system (rightfully so). So I pretty much worked with the CPOF administration team to test the system, and I ultimately had them reconfigure and connect the server via a different path. This action eliminated our system outages and enabled our service members’ unabated support. This was a great opportunity, and I’m thankful to have spent 6 months working 12-hour shifts, seven days a week in support of our nation and allied forces service members. At Cannon AFB, I recall Chief Caruso explaining that “here in AFSOC we solve for yes,” and that has stuck with me ever since and continues to be one of my guiding principles.
What is it about your job that you love?
The Coast Guard has provided more opportunities for a young officer that is not typical across the other services. Many of our young officers find themselves in positions that are slated for 1-2 ranks above our pay grades. This allows us the opportunity to contribute and help scope our organization at an earlier timeframe. It allows us to be part of strategic level planning for the organization that we will one day lead, and hones our management ability. From my time in the military, I wholeheartedly believe that our Coast Guard enlisted forces accomplish more with less, and that they are some of the most overly tasked, efficient, and hardest workers anywhere!
What is the biggest challenge you have faced in your career?
The biggest challenge in my career had to be through my process to commission as an Officer. I loved the Air Force and was selected for promotion to E6 in 6 years when the average time was that of 10.5yrs. When I had obtained my education and certifications, I was met with the choice to re-enlist and attempt to commission one last time in the Air Force. (If not selected, I would be over 35 years of age and lose the ability to become a Cyber Officer.) Knowing that my wife told me that “it was my dream to commission,” she supported me to pursue that commission in the Coast Guard, which had a commissioning age of 41. It wasn’t easy to apply to the Coast Guard, as I had to get approval from the office of the secretary of the Air Force prior and I loved the Air Force. That approval from the Air Force included me having to present a compelling argument for consideration. It took six months to get approval (3rd qtr of 2017), and shortly after, the Air Force surprised me again by pushing the commissioning age from 35 to 39. I was already waist deep in the Coast Guard Commissioning process and had the rare opportunity to talk with a then Captain Smith and an Admiral Ray who were ecstatic of my Coast Guard interest and ambitions. The process of trying to time all of my commissioning ambitions was well spent, worth it, and extremely unique.
What ambitions do you have for your career ahead?
I am looking for an Advanced Education opportunity in the Coast Guard, preferably with a MS degree in Computer Science Cyber Security, and obtaining all the ITIL v4 certifications. Aside from that, obtain a couple of SANS Graduate certificates (Incident Response/Pen Testing) and become a part of our Cyber Protection Team, work with CISA or US CYBER Command in a joint environment. Then in 10-15 years, maybe teaching IT or Business locally or abroad, ensuring my knowledge is passed on to future generations. Maybe even being a C-level executive for a timeframe, as it is not only about what I can do for the organization, but what can they do for me… that would continue to utilize, challenge, and grow my skillset.
How do you ensure your skills continue to grow?
I’m always seeking learning opportunities. Being in the military, I am able to attend some great training whether it’s with DCITA or other organizations. I’m currently enrolled in a Continuing Education course to better develop my skillset in preparation for a MS in Computer Science. The trick is to actively look for and allocate time to learn. It can be 10 minutes a day of researching topics and reading white papers. As long as you stay learning, you keep growing.
What do you think the biggest challenge is for cybersecurity right now?
I think the biggest challenge is with organizations and educational venues that are promising to produce a Cyber professional in only 24 weeks. Individuals need to understand that it’s a demanding career, as you are expected to stay current with new policy regulation and training. Cyber is one of the biggest growing careers, and I hope people are aware that there is no quick shot to the top, if you want to be respected within this profession. That is why I applaud ISC2 for its stringent testing guidelines, requirements, and expectations.
What solutions do you think could address this?
I don’t think it is a problem that really needs to be fixed. Only the realization that becoming a professional in any realm takes time and practice. That any of these boot camp-style courses is a way to possibly get your foot in the door. From there, the individual needs to have the determination to grow their craft, listen, research, and keep challenging themselves with different responsibilities or job roles. Never stop learning!
Who inspires you in the world of cybersecurity?
I’ve met a couple of people who have been the definition of Cyber. Tons of brilliant minds who get it and contribute to the profession because they care. Still, my inspiration has to come from two of my first supervisors in the Air Force, SMSGT Bonilla and retired MSGT Blunt. Both of them fully supported me in my Cyber career and were two of the first to support me in my ambitions to commission in the Coast Guard. I think having a good support system is the first thing you can ask for, and if you have that, then you want to prove them right, and you want to succeed not only for yourself but for the next in line. As stated earlier, learning is lifelong, and you will come across many people who can educate and support your ambitions. My path to become a Cyber Officer took many years and support from various individuals from multiple government departments including Lt Col Brummit, Kneeland, Col Robinson, Mr. Harlow, General Simerly and others. There may be times where you will have to make yourself and others a believer, and those are the times you need to ensure you represent yourself, the uniform/organization, and your advocates to the best of your ability. If you are going to do it, then do it and be your biggest supporter.
What do you think people considering a career in cybersecurity should know?
It takes time and repetition. The more you see something, the easier it becomes, and the more time you allocate, the more impressive you become. Being a Cyber Professional goes deeper than just the job. You will be the beacon, and my charge to you is to continually strive to be the best version of yourself. You, as with the military, will be expected to operate ethically and morally. Your actions define all of us. As a professional and member of our society, know your actions reflect and sculpt our future generations, be stern but fair, foster a culture of integrity, and respect spanning the world and all of its habitants. I believe you can do it, so do it! Don’t stop!
To discover more about CISSP download our Ultimate Guide. Or read our whitepaper, Why it has never been more important to be a qualified cybersecurity professional.