Name: Tom Musgrave
Title: Security Engineer
Employer: Warner Bros.
Location: Burbank, California, U.S.A.
Degree: BA Hons
Years in IT: 17
Years in cybersecurity: 16
Cybersecurity certifications: CISSP, CCSP, GCIH, CCNA, CCNP Security

 

How did you decide upon a career in cybersecurity?

After leaving university, and a false start selling parrots for Harrods in Knightsbridge, I needed a change in direction. I joined a web design company as a junior IT engineer and reveled in the role. I then joined the new Cisco TAC support center in Milton Keynes. I was fortuitously recruited to the security team and thoroughly enjoyed troubleshooting all manner of VPN, Firewall and general networking problems. I love solving problems and implementing the security layer over already difficult network layer was a great challenge. I had no qualms in making cybersecurity my career.

Why did you get your CCSP^®?

For some years, the studio industry has been grappling with the implications of cloud security. In a previous role, within a creative services vendor, we were exploring the creation of a cloud platform to service studios and their content. My task was to educate decision makers in cloud security controls within our and our customer’s business. I found CSA control and auditing documentation to be very helpful in supporting my case. As soon as the CCSP was released I realized it would be a key qualification both for those experienced with cloud and those who are new to the domain. We can now speak the same language.

What is a typical day like for you? 

Meetings. Lots of meetings! We are focusing ever more on data-driven decision making as an industry. We are finding new ways daily to report on the data we have and on creating more data to analyze. I concentrate on breaking data down to something impactful – historical vulnerability counts per host, for example, and then choosing useful asset samples to report on. So, a typical day for me is trying to identify new and existing threats to the business and reporting the risk of those threats up to management.

Can you tell us about a personal career highlight? 

I enjoy the small victories and solving problems keeps me enjoying this industry. Working third line support for Cisco was very rewarding – especially for high priority cases. Designing networks to meet government compliance requirements for multi-national companies was fun. Being interrogated by CESG (U.K. Government Information Assurance Authority) and getting my network designs signed off was very satisfying.

 

How has the CCSP certification helped you in your career?

Certifications such as the CCSP allow us all to speak the same language. Learning the common terminology to describe all aspects of cloud architecture and operations is hugely important in this field. After all, the confidence of an assured understanding of the shared information security responsibilities in cloud computing, is very important.

 

What is the most useful advice you have for other cloud security professionals?

Get a firm understanding of why people want to migrate to cloud from both a business and technical perspective. Empathize with the DevOps approach. Sign up for a free cloud provider account and follow some online labs. This should give you more confidence for configuration management, object storage or code as architecture. Having a firm understanding of the shared responsibility model in SAAS, PAAS and IAAS will be very important. Finally – implementing controls in cloud will always be a journey. The destination will be constantly changing.

Cloud computing can take so many different forms that no one security tool or approach will mitigate all risks. Using vulnerability management as an example, you may need to support traditional appliance scanning, agents and even cloud services such as Amazon Inspect or Tinfoil – or both. The challenge now is correlating all this output to one metricized view. As a profession, it is forcing us to question a lot of convenient assumptions we’ve grown to rely on. This is no bad thing.

Interested in CCSP certification? Download the Ultimate Guide to the CCSP .