Tuesday Transformation - David Gittens
Who is David Gittens?
I am a Barbadian family man and a believer in God. My hobby is information security. Not many persons understand what this is. When people give me a blank stare on hearing what field I am in, I just explain to them that information security professionals are the guys who are supposed to stop hackers. In fact, my wife made me re-write part of this article so that some of the industry-specific terms, which she figured no one would know about, could be removed.
Over the past several years, I have been able to practice my hobby extensively – resulting in helping others (via volunteering), and also making enough money to both provide for my family and reinvest in my hobby. I have worn various hats in the Information security space over the years, including head of The Barbados Bankers Association Anti-fraud Committee, Deputy Business Continuity Coordinator for a bank, and president of the Information Systems Security Association (Barbados Chapter). During that time I gained many international information security professional designations. My primary professional role, at the moment, is that of an information security consultant.
My journey in information security has not always been easy, but I have always loved what I was doing and thus was willing to put in tons of hard work, spend lots of money, and never give up. God has also been good to me throughout, and the journey has not been without divine intervention when I needed it most.
What does a typical day for you entail?
Until recently I worked for a global enterprise as an information security analyst. In that job, I spent my day assessing the information security risk profiles of all sorts of applications and many external companies. A typical day would have seen me analyzing surveys about information security, as well as reviewing various reports which look at the information security status of systems, including those produced by auditors. It would also have seen me planning and attending meetings with business managers, IT vendors, application developers, risk managers and client relationship managers to gather information, provide professional security advice, and reach consensus on the level of risk occasioned by the use of a particular system. Another regular activity was creating and delivering presentations for management, as well as producing technical reports for management and risk managers. A frequent activity was reading articles about information security. Studying was also a mainstay.
For many years until recently, I worked with a national committee to reduce fraud in the banking sector. This would have involved helping to develop or modify procedures, disseminating security information for end-users, and lobbying for practices and regulations to be changed.
I also do a lot of volunteer work for different organisations, including the government, with a view to helping to make citizens safer, and to help equip others in my field to be more knowledgeable and effective in information security.
Recently, I transitioned to providing information security services primarily to regional and international organizations which need an experienced security consultant. I am able to help organisations in various ways, such as doing security scans of their network to discover security weaknesses which may make it easy for a hacker to attack them, helping them to understand if their website or applications are safe enough to use, helping them to comply with local or global privacy regulations, setting up an Information Security Management System (ISMS) so that they use security best practices organisation-wide, performing a security assessment of their operation, helping them evaluate systems which they are considering deploying, helping them to address deficiencies highlighted by an IT audit, helping them to develop and implement security policies, or providing security training for their staff.
With my new role my day is now less structured. Apart from baby-sitting some of my children who are attending school from home, many days will see me reviewing security reports, project plans, and project documents. I also spend a lot of time researching developmental opportunities for myself and other security professionals. Reading security articles is a daily task. Writing information security articles, creating security presentations, attending meetings, investigating security products, and making presentations are also regular activities for me. I also spend time doing administrative work for my business, including working on securing business opportunities. And then there is the studying; some people think that I am addicted to studying, but at least it is not illegal. It also does not cause you to gain weight.
What do you love most about what you do?
I fell in love with information security from the time I did my first security course. I found the concepts to be fascinating. The idea that you can help to protect innocent people from various types of predators is all quite appealing. The technical complexity of information security, coupled with the human behavioural aspects, along with the fact that it can help so many people, is what makes it so interesting to me. The fact that the technical aspects of information security are always changing makes it even more exciting.
One part that I really enjoy about working in my field is where I need to do investigations to discover how a crime was committed, resulting in criminals being foiled, or even arrested (I really love when I help justice to be meted out). Another thing that I really enjoy is teaching people about information security – watching people, especially children, take in this knowledge is truly a joy.
It would be remiss of me not to mention what pleasure I get from working with some of the greatest minds in the industry. Working on a project, or delivering on a stage with security geniuses, is truly gratifying. I have been privileged to have worked with many great security persons from all over the world.
How can an aspiring professional pursue a career in this field?
Information security has many possible paths to entry points, and I have not been able to find one right path to enter this career. People entering the field typically come with backgrounds in law, law enforcement, IT Risk, Audit, IT or the military. People who like rules and order, who like to protect people, who like to catch criminals, or who like to solve problems are the sort of people who I think would be attracted to the field.
I would recommend that you take an entry-level, vendor-neutral information security certification course to gain basic knowledge of what information security is all about, as well as to demonstrate to potential employers that you have the basic knowledge. The entry-level course may also give you a good idea if this field is really for you. Once you decide that you really want to go into the information security field, I would recommend that you pursue a course in a particular area of information security which you find interesting, such as penetration testing, digital forensics, disaster recovery, incident management, IT auditing, or application security testing.
With the courses under your belt, you need to look for a security job; either within your organisation or somewhere else. While there are millions of available information security jobs in North America, there are virtually no information security jobs available in the English-speaking Caribbean. You therefore need to consider which countries to look at for your first security job. Relocating should always be a consideration if you are really serious about progressing in the profession. If you do decide to look for a security role in this region, your best bet would be with an international organisation.
While looking for that first job, you can improve your skills, and maybe even your resume, by setting up a lab at home, or subscribing to an online service which provides labs. This would facilitate your learning and practising technical areas of information security. There are several free resources to help with this. You can also consider doing volunteer work for organisations, such as doing security awareness sessions for schools and churches, doing security testing of websites or applications, setting up backup & recovery systems, or doing security scanning of networks. You should of course ensure that you learn how to do the thing first before offering the service. It is also wise to ensure that you have the required agreements in place prior to doing anything which may potentially impact an organisation’s operations or data.
Joining a professional security organisation will also usually help you to get a lot of free information and resources, as well as provide opportunities for you to volunteer and to get a mentor. Professional security associations also will usually bind you to a code of ethics. This is very important, as information security professionals are persons who should be trusted to protect data worth millions of dollars, and data which may be very sensitive. Professional associations may also provide networking opportunities which may help you to land that first security position.
I would also emphasize that entrants to the field should never bluff – don’t pretend to know what you don’t, or take on jobs which you know you can’t do. There is simply too much at stake when protecting data. Besides, real security professionals will find you out.
University degrees are not an absolute necessity for this field, but they are an asset.
What is one common myth about your profession that you would like to clarify?
“Information Security is part of IT, and can be performed by IT persons”. Information Security can be considered to be the art and science of protecting data. While IT deals with getting technology to function correctly, information security is not about the technology but about data, regardless of whether that data is related to technology or not. Information security professionals are trained how to protect data, and they are required to have the ethics, experience and up-to-date knowledge to do it well. For this reason, the professional associations for information security focus on ethics, continuing education, and experience. The focus on data protection is also why a significant portion of the information security experts come from non-IT backgrounds, such as audit, risk management and law enforcement.
I come from an IT background, having spent a number of years in IT management. I gave up my post as a Regional Vice President of IT to perform an entry-level role in my new field. Because of this, I understand well the difference between the two fields.
Tell us about your most memorable achievement to date.
There have been many professional achievements which come to mind, such as achieving my CISSP certification, and blowing audiences away with excellent presentations. The most memorable would probably be succeeding at establishing the first association for information security professionals – the Information Systems Security Association – Barbados Chapter (ISSA Barbados). I was part of a group of like-minded security professionals which worked very hard to make this a reality. Prior to this, the local security professionals were all scattered, with very limited ability to effect change nationally, partner with established organizations, or network and support each other. Thanks to ISSA Barbados, there is now an organisation comprising information security professionals at various levels (including some of the most highly qualified professionals in the world) who are able to support each other, support the government, and work together to help the nation.