The document summarizes a career talk on security risk careers given by four professionals with CISSP and other certifications. They discussed topics like IT risk management roles and responsibilities, common career paths, necessary experience and education, and tips for breaking into the field. The presenters also described their own backgrounds and day-to-day work in areas like risk analysis, vendor assessments, and managing technology and business risks.

2. Security Risk Career Talk
Chris Dozier - CISSP, CSSLP, CCSK
Matt Mescher - CISSP, CISA, CRISC
Prabha Jha - CISSP
Niloufer Tamboly - CPA, CISSP

3. Disclaimer
The views expressed in this presentation and during the session are the
personal opinions of the participants and do not reflect the official
policy or position of their respective employers.
This discussion is a volunteer-led effort to contribute to the profession
and pay forward the many kindnesses and instances of support and
guidance that the participants have received in the course of their
career.
#payitforward #riskcareers

4. Chris Dozier
Chris Dozier brings years of experience in application development,
security and risk management. He has led development teams
throughout his career primarily focusing on traditional and cloud based
applications requiring multiple levels of compliance and security. He
currently maintains CISSP, CSSLP, and CCSK certifications in addition to
an MSIA.
Throughout his career he has focused on training development teams
in secure by design methodologies enabling them to implement
DevSecOps pipelines. He has also focused on automating and
integrating GRC components into the SDLC to further create efficiencies
and increase profitability through security and standardization
measures.

5. Matt Mescher
Matt is a cybercecurity professional who is always curious and loves to
tinker.
He believes “There is nothing that can’t be broken or improved upon.”
Over the last two decades Matt has solved problems, reduced risk
within Retail, Finance, and Telecommunications companies.
His active Certifications: CISA, CISSP, CRISC, PMP and his education is
Bachelor of Science in IT, Masters in Business Administration, and
Masters of Science in Cyber Security, Network Defense

6. Prabha Jha
Prabha is a strong Information Security & Risk Management leader with
varied experience who thrives in an ever-changing agile environment.
She has deep knowledge of Security, Cloud-based 3rd party
assessment, eCommerce, Digital Operations, AI/ML platforms, vendor
management in association with security risks in a business
environment.
Prabha Jha (Sr. Manager - Risk Management & Compliance) is
responsible for bringing transparency to existing Information Systems
risk while helping to build trust in the process. Her team provides IT
Risk expertise to Business, Operations, and other Functional Areas for
ongoing Information systems control & compliance.

7. Niloufer Tamboly
Is a risk management professional and helps companies launch profitable
products and services by managing technology and business risks.
She holds multiple certifications in IT Security (CISSP), Audit (CISA, CIA) and
Fraud (CFE). I am a Certified Public Account licensed to practice in the State
of New Jersey.
Niloufer holds two patents for System For And Method of Generating Visual
Passwords and Establishing An Alternate Call Path Using Short-Range
Wireless Technology.
She is the co-founder and President of the (ISC)2 New Jersey Chapter.

8. Agenda
• Overview of IT Risk Management
• Types of Risk Roles
• What is compliance?
• Risk Management Career Paths
• Education & Experience
• Certifications / Training
• Tips for newcomers to the field

9. Overview of Risk Management
• What is risk management?
• Types of reviews
• Risk Categories – Finance / Operational / Vendor / Technical (Cyber)
• Risk in the Information Security and Compliance context
• What does the IT Security Risk job entail?
• How to launch your IT Security Risk career?

10. Risk and Compliance Impacts All Aspects Of
The Business
Security
- Confidentiality
- Integrity
- Availability
- Authentication
- Authorization
Compliance
- Finance
- Healthcare
- Regulatory
- Industry
- Privacy
- Internal Policies
People
Process
Technology
Operations
Network
Data
Risk
Compliance

11. Day In The Life of An IT Security Risk Analyst
• Vendor Assessment Lifecycle
• How to safely onboard new vendors
• Assess New Technology Risk
• Control Definition, Testing Methodology and Sampling, Walk-throughs, Interviews,
Evidence/Artifact Collection, Documentation, Testing Validation, Data Analysis and
Enrichment, Test Results & Reasonable Assurance, Gap Analysis, Types of Non-
compliance/gaps, Mitigating Controls, Mitigation Action Plan
• Different roles in a IT Security team

12. How to Launch Your IT Security Risk Career
Education
• Bachelor Degree in Information Technology or
Computer Science
Experience
• Information Technology
• Security
• Domain Specific
Certification
• CISSP
• CISA
• CRISC

13. Education and Experience - FAQ
• What is the minimum education requirement?
• Does it need to be formal or informal?
• What are some things that are nice to have?
• What if I don’t have a technical background?
• Is it necessary for me to have IT experience?
• What if I don’t have any?
• What will help my resume stand out for an IT Security Risk job?

14. Certifications
Security Certifications
• Certified Information Systems Security
Professional (CISSP)
• Certified Information Security Manager (CISM)
• Certified Cloud Security Professional
• Certified Information Privacy Professional
• Certified information systems auditor (CISA)
Other Information Technology Certifications
• AWS Certifications
• Comptia Certifications – Security +
• Ec-Council – Certified Ethical Hacker
Knowledge of regulations and standards like Sarbanes-Oxley (SOX), PCI DSS, HIPPA, GDPR, CCPA, GLBA, FISMA, FEDRAMP, NIST
CSF/800-53, ISO 27001 are very helpful and often required for IT auditors

15. Typical Career Paths
Aspiring IT Risk
Analyst
Big Four
Accounting
Firms
Associate Sr. Consultant Sr. Manager Director
IT Support Engineer/Analyst IT Risk Analyst
Risk/Compliance
Manager
Director of
Security
Jobs in Information Security, Technology
Risk Management, Cyber Assurance

16. The Human Element
Attributes of a Successful IT Security Risk Analyst
• Good with Technology
• Attention to Detail, Thorough, Focused
• Good at Collaboration, Teamwork and Documentation
• Intellectually Curious – Critical Thinking and Professional Skepticism
• Excellent Verbal and Written Communication Skills
• Lifelong Learner
• Ability to grasp the big picture quickly; Know the right questions to ask
• Emotional Intelligence - comfortable in potentially awkward situations and conflict resolution
• Business Acumen (learn/know the business)
• Understand Legal Ramifications, especially for non-compliance
Know yourself; know what the job entails. There is nothing worse than getting what you want only to find out it
is not what you really want and/or you are not a good fit for that kind of job.

17. Tips for newcomers / in transition
• Learn about IT security risk through online or in-person classes, read magazines/blogs)
• Become familiar with technology concepts and technology trends
• Network (reach out to people on Linked In or through current contacts)
• Get certified (CISSP, CCSP, AWS Certifications to name a few)
• Volunteer (best way to gain experience if your current job doesn’t provide you with that
opportunity)
• Join relevant organizations (e.g. (ISC)2, ISACA)
• Attend industry events
• Keep abreast of industry news
• Follow the big consulting firms (EY, PwC, KPMG, Deloitte, McKinsey)
• Look for openings at local audit firms
• Be realistic in your job hunt; focus on what you have to offer; don’t look for a perfect fit