Julien Legrand, Operation Security Manager, Société Générale, is an experienced cybersecurity specialist, application security leader, technology writer and international speaker with a strong combination of business leadership and technical background, focused on risk management, security assessment, identity and access management, penetration testing and cryptography.
He started his journey with SFR (Société française du radiotéléphone) as a Lead Information Security Auditor, then moved to Enedis. He also held several designations at Société Générale, including principal security architect (APAC). He is currently the Operation Security Manager at Société Générale. Julien also holds several cybersecurity certifications like Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified Information Security Auditor (CISA), Certified in Risk and Information Systems Control (CRISC) and Certified Ethical Hacker (CEH).
Augustin Kurian of CISO MAG asked Julien Legrand about the cybersecurity certifications that are in demand in the industry. He offers a lot of advice to aspiring cybersecurity professionals.
Here is an abridged version of the interview story that appears in the October 2019 issue of CISO MAG.
Tell us a bit about the relevance and importance of certifications in cybersecurity?
Certifications are essential to the career of cybersecurity professionals. There are different certifications which provide skills for different specializations. As such, certifications allow a cyber expert to gain skills required to specialize in a particular discipline. Besides, one must pass various exams before being certified to have completed a specific course.
Certifications, therefore, serve to validate the knowledge and skills acquired when completing a cybersecurity course (Springboard, 2018). This is important since potential employers require applicants to not only demonstrate knowledge of the positions they apply for, but also to provide proof they are certified.
More importantly, obtaining a cybersecurity certification demonstrates a person’s initiative to complete assigned duties. Before earning a certification, a cybersecurity professional must complete various pieces of training to acquire the desired skills. Different certifications apply to a job’s relevance, and this shows employers that a certified expert is capable of undertaking actions that come with a particular field (Boldt, 2018). Notwithstanding, one of the key reasons for earning a certification is to strengthen the bargaining power for increased pay.
According to PayScale (2019), the average annual salary for an information security analyst is US$ 70,754 while that for a CISSP certified analyst is US$ 86,352.
Which are the most essential certifications to improve one’s career prospects today?
Since many certifications produce specialties in different fields, it is vital to understand the most important ones to acquire today. A Certified Ethical Hacker (CEH) certification is most popular. It enables security professionals to acquire penetration skills used for assessing computer and network systems for security issues. The next relevant certification is Certified Information Systems Security Professional (CISSP). It validates an information security professional’s deep technical and managerial knowledge and experience to effectively design, engineer, and manage the overall security posture of an organization.
Also, SANS GIAC Security Essentials (GSEC) is essential for professionals competent in the technical expertise required for a hands-on security role. The certification equips additional skills such as cryptography, password management, access control, network mapping and network controls, DNS, public key infrastructure, detecting and preventing cybersecurity incidents, among others.
In addition, a Certification in Risk and Information Systems Control (CRISC) equips security professionals with risk management abilities needed to secure an enterprise. It is an essential certification for IT management professionals, chief information officers, and assurance and control experts. Besides, it allows IT security personnel to identify and manage risks by developing and maintaining secure information systems. Last but not least, the CISM (Certified Information Security Manager) certificate is necessary for professionals working at the professional level. The certification enables them to acquire skills in managing and ensuring compliance of implemented security policies, developing and managing programs for information security, and governing cybersecurity policies.
What is your take on the dearth of cybersecurity talent?
A shortage of cybersecurity talent is affecting the security of organizations operating in the finance industry, and other sectors as well. According to Irwin (2018), lack of enough cybersecurity skills affects at least 80 percent of organizations. A 2018 Cyberthreat Defense Report by Cyber-Edge Group supports this statement as it states four out of five organizations are unable to find qualified cybersecurity personnel for various positions. There is a shortage of cybersecurity talent in finance and other industries. This signifies that financial institutions may be overwhelmed by handling cybersecurity incidents.
Although many cybersecurity companies and experts have been at the forefront warning about the vast shortage, research and surveys from reputable sources indicate the deficit will continue worsening in coming years. Such a colossal lack represents an ever-growing threat to financial organizations. This, fueled by relentless attacks motivated by financial gains, requires industry leaders to take a proactive step to resolve the problem. Cyber adversaries are constantly devising more ingenious means of executing attacks. Besides, technologies like artificial intelligence enable them to develop smarter and faster attacks. Without immediate actions, the cybersecurity talent gap will continue widening.
Do you think cybersecurity education can remove the massive skill gap in cybersecurity?
Cybersecurity education can, without a doubt, assist in reducing the skill gap experienced in the cybersecurity industry. One of the underlying reasons causing the massive shortage is a lack of cybersecurity interest among the younger generation. Hospelhorn (2019) cites a survey which showed that only 9 percent of youngsters express an interest in a cybersecurity career. The diminished interest in cybersecurity may be caused by a lack of opportunities needed to learn about the industry. To solve this, educational curricula need to include cybersecurity curricula to ensure all students get a chance to learn more about the industry. Furthermore, the lack of adequately skilled professionals to counter emerging attack vectors largely contributes to the increased skill gap shortage.
Cybercriminals are always developing new and sophisticated malware, coupled with exceedingly smart attacking methods. To keep up, educational institutions need to provide students with a more hands-on education in combating attacks and other cybersecurity-related issues. For example, universities and colleges should provide students with more opportunities for defending and deploying innovative measures to secure their networks. On the other hand, organizations can provide entry-level cybersecurity training to employees with apprenticeship programs, to enable them to build their knowledge in handling cyber incidents.
What is your advice for aspiring cybersecurity professionals who want to make it big in the industry?
Aspiring cybersecurity professionals should consider completing several certifications to improve their career prospects. Kamath (2019) posits that cybersecurity is regarded as the new frontier for IT security. This is due to the increased dependence on technology to drive critical operations. Technologies like artificial intelligence will see most industries automate production and operational processes. As a result, cyber-attacks will increase as cyber adversaries target to take control of such systems. Certified cybersecurity professionals will be required to monitor and secure the systems continually. However, as is the case in all fields, companies will consider applicants with hands-on experience and the correct qualifications.
Cybersecurity certifications will enable aspiring professionals to fit those criteria. However, as much as certifications provide aspiring professionals with skillsets needed to market and expose their careers, they should ensure a strong cybersecurity foundation. Some employers are reluctant to entrust the security of their systems or networks to employees with a single certification. A graduate degree in IT security or IT management can help alleviate such fears. Acquiring the necessary certifications to gain cybersecurity skills and a strong IT foundation is the first step toward realizing a successful cybersecurity career (University of San Diego, 2018).
You can read the complete interview in the October 2019 issue of CISO MAG here.
Augustin Kurian is part of the editorial team at CISO MAG and writes interviews and features.