What’s your background, how did your journey start?
I studied Computer and Communication Engineering at university. I used to work in the IT department of a bank, as an application and network administrator. After some years, there was a new regulatory requirement mandating banks to start an IT security function. Back then, I was considering a career change to move from pure Technical IT work and I thought this was an opportunity to experience a new, evolving domain. I took the role and started building the IT security function.
In order to adapt and succeed, I had to delve more into the new domain requirements, read more, pursue personal studies and take the limited training available locally to learn more about the standards and best practices to follow. In addition, I joined the local ISACA chapter, where many members were like-minded and worked in IT security and IT audit. Also, I studied for the CISA (Certified Information Systems Auditor) and, after passing the exam on the first try, became CISA certified.
These steps helped me to better understand the responsibilities and helped me succeed in my new role, until the next career move came. A couple of years after starting the new function, I moved to a larger bank and started a new journey. One of the biggest challenges I faced back then, especially as an introvert, was moving from a small organization where I knew everyone (~120 employees) to a bigger organization (~3000 employees), where I had to prove myself on a career level and get used to new working dynamics.
And what are you currently working on?
Currently, I work in a regional bank where I’m responsible for information security management, business continuity, security compliance and risk management for some entities the bank has inside and outside Lebanon.
My responsibilities have grown over the years, with greater functional duties as more entities have come onboard. Ultimately, I am responsible for ensuring security compliance with the group policies and procedures and applicable regulatory requirements; driving risk management efforts, access management and review; the vulnerability management program; security activities monitoring and security assessments for new products and services; third-party risk management; and user awareness.
Moreover, I am responsible for driving the business continuity management efforts for these entities, an effort which starts from the fundamental activities of performing business impact analysis to identify the organizational requirements during a crisis, to building the necessary recovery and continuity plans, to testing them and training users on a regular basis. In addition to my work, sometimes I deliver certification training courses for CISA and CISM.
What is InfoSec and risk management in plain words?
In a nutshell, Information Security describes the practices that we undertake to protect valuable information, on a personal or organizational level, from any non-legitimate access to view, modify, delete, destroy, or steal this information. It is the combination of implementing the right technology, developing and following the right processes and practices, and choosing and equipping the right personnel to do their tasks. We seek to protect the confidentiality, integrity and availability of the crown jewels of the organization, namely its valuable information.
Risk management describes the practices we undertake to identify and analyze the risk environment an organization faces, to make informed decisions about the necessary measures that should be implemented to reduce the likelihood or impact of the harm that these risks may cause. Risk management helps organizations focus their limited resources on addressing the dangers that are most harmful to them in the context of information systems and technology.
What excites you most about your role?
The diversity of projects, challenges, and requirements helps to maintain the excitement. I need to always learn new practices, do research, follow the news, learn about the latest threats, who was hacked and how, new solutions and best practices, emerging regulations, requirements, etc. It's a continuous, never-ending learning and development experience.
What motivated you to get started in the cybersecurity domain? How did you find your first cybersecurity job?
Security was a relatively new domain when I started around 13 years ago. I am a cautious person who embraces change and likes to learn new topics, so I decided to move from IT to IT security, which led to information security and now cybersecurity.
What skills should one have in order to be successful in cybersecurity management?
In my opinion, some of the skills needed to be successful are:
- Eagerness to always learn and develop continuously
- Natural suspicion
- Analytical skills
- Communication (listening and speaking) and convincing skills
- Critical thinking
What are the biggest challenges you’ve faced and obstacles you’ve overcome?
I have faced many challenges; the first challenge was to change my mindset from being an IT person who wants to get things done, to imposing controls on how IT personnel get things done, but in a more secure manner. It took time to change this mindset; however, doing so helped me to improve my empathy and understand other parties' concerns.
Another challenge was the lack of beneficial and advanced training locally (online training and courses weren’t so trendy back then). I sought to overcome this by reading and researching more about topics of interest, reaching out to the local community and people who work in the same domain, and even funding my own training abroad. Also, I tried to gain international certifications that would represent a benchmark for my knowledge and experience.
The third challenge was the low number of women in the domain and the lack of role models whom I could learn from. At times, it felt lonely being the only girl on a course or in the department, but at the same time expectations would be higher and consequently more challenging.
What are your goals for the future?
I look forward to establishing my consultancy that provides necessary security education and awareness to people to get their job done, whether it’s a CEO or a college student. I believe this topic is more important and necessary than ever. However, we need to deliver the right message for each audience based on their responsibilities and needs.
Have you found anything particularly helpful or advantageous?
On this question I could talk for hours, but I will try to be brief.
- Learn public speaking and communication. I joined Toastmasters International where I vastly enhanced my public speaking and presentation skills. Also, I delivered several technical presentations as a practice. Now I am confident in presenting for a big audience and can communicate my ideas in a clear manner.
- Volunteer in activities that help you develop leadership skills. There are several NGOs that have local and regional communities where you can volunteer and develop. In addition to Toastmasters, where I assumed several roles that helped me and developed my leadership skills, I volunteered in a local chapter of ISACA International, which helps you communicate more with peers in the domain, locally and internationally. After a couple of years I was elected president of the local Lebanon chapter, where I led the organization of a full-day cybersecurity event, in addition to two-hour training events on a regular basis.
- Connect more with peers in the domain, as this will help you grow your network of like-minded people with similar aspirations and challenges.
- Join initiatives that help and empower women in cybersecurity and technology in general. You can find the support, mentorship, advice and resources that you need to advance in your career. For example, consider the ISACA SheLeadsTech initiative, Women in CyberSecurity, and others.
What’s your advice for those who are just starting out?
Congratulations! Keep moving, have faith in your potential. Learn from others but walk your own way. There are lots of opportunities that are waiting to be grabbed and lots of problems that need to be solved.
Where do you find inspiration, news and industry trends?
Sometimes it’s challenging to follow up on all that’s going on. My main sources are:
- Twitter: following some experts in the domain as well as inspirational speakers
- LinkedIn: pages of interest, groups of peers, pioneer companies, etc.
- Mailing lists from leading global security organizations and security centers
- Isaca.org, and ISACA communities, CISA.gov, darkreading.com
Anything else that you want to share with our readers?
I am encouraged by the initiatives that help young professionals find their way in the domain. We need their efforts to fill a huge gap and talent shortage.
About Nisreen Al Khatib
With over 15 years' regional banking experience in the fields of Information Security, Cybersecurity, IS Risk Management, Security & Regulatory Compliance, Security Awareness & Education and Business Continuity Management, Nisreen is also a seasoned public speaker at local and regional conferences.