The phrase “cyber security” may conjure up images of a fictional evildoer in the movies trying to extort wealth or power from a large corporation or government by hacking into a computer system and holding it for ransom. While data breaches caused by hacking, malware or human error are critical threats that cyber security experts in the field fight off on a daily basis, there are several other areas of cyber security that you may not be aware exist.
To get a better idea of exactly what cyber security entails and how interested parties can get into the field, Peninsula Chronicle recently spoke with Antonina McAvoy, CISA, Senior Manager, Cyber & Control Risk Services at PBMares, LLP, a company headquartered locally in Newport News that is nationally ranked on INSIDE Public Accounting’s IPA 100 list. The company provides corporate clients with a wide range of tax, audit, accounting, cybersecurity, and business advisory solutions.
Peninsula Chronicle: What exactly is cyber security and how is it used?
Antonina McAvoy: Cyber security focuses on protecting digital information and infrastructure. To protect an organization’s systems and data, one must, at a minimum, have a technical understanding of information technology (IT) and understand how to identify, assess, and mitigate risk. Many fundamental IT principles are integrated within the controls of the common cyber security frameworks that organizations use to assess their security stance, such as: Service Organization Controls (SOC), National Institute of Standards and Technology (NIST), Cybersecurity Maturity Model Certification (CMMC), Health Insurance Portability and Accountability Act (HIPAA), Health Information Trust Alliance (HITRUST), Center for Internet Security (CIS), International Organization for Standardization (ISO), Higher Education Community Vendor Assessment Toolkit (HECVAT), and Payment Card Industry Data Security Standard (PCI), to name a few. That could include controls, for example, around anti-virus, intrusion detection or prevention systems, administrative access, and backups.
Stepping away from the technical details for a moment, from a bird’s eye view, the career field of cyber security can be categorized at a high level by defenders and assessors. Defenders are typically security or computing professionals who work internally within an organization’s IT, Software Development, or Security and Compliance teams. Defenders can also work externally to an organization and provide outsourced IT functionality, vulnerability scanning, penetration testing, or cyber security training solutions. On the other end of the spectrum, there are cyber professionals, similar to my profession, who specialize in assessing cyber risk and perform security or compliance assessments. I work for an accounting firm and assist our financial audit teams with gaining an understanding of the general IT controls and cyber security posture of an organization to determine if a deficiency may impact the financial statement audit. I also provide consulting and attestation assessments to a wide array of organizations from different industries to improve their cyber resilience in the form of independent third-party assessments. For example, a contract or industry compliance requirement may require an organization to hire a third-party firm to evaluate their overall cyber risk management program or assess against a certain cyber security framework, which is a service someone like me can provide to local organizations.
PC: So, you’re saying there are a number of different cyber security fields people can get into?
AM: Yes, there are a number of different cyber security job fields to choose from. As an example, during a recent summer internship program at PBMares, we had a few cyber security students from a local university with a strong cyber program. What really stood out to me during their internship was each student’s strong grasp of security issues in software development and proper coding. Due to the area in which we live, there are many government contractors and Department of Defense (DoD) positions available. Some of these students took advantage of this and went on to apply to the DoD or other public and private companies where their coding skills could be applied in a cyber defense position. We have had other students from local colleges and universities where there was a strong emphasis on IT Audit who have gone on to work for our CPA firm within our Cyber & Control Risk Services team. There are also students in accounting that might transition into the IT Audit space or enjoy working on strengthening IT or cyber security internal controls within a company. As you can see, there are many ways in which an education in cyber security can benefit an organization, from programming, information technology, data security, data privacy, and compliance. It really depends on an individual’s interest, as well as education, coursework, and hands-on experiences, that decide the right cyber security field to pursue.
PC: For someone who doesn’t have a focus in mind yet, is there a general path where they can start?
AM: My background is in accounting. I received my Bachelor’s in Accounting with a Business Management concentration. I only spent the first year of my career in Financial Audit, before transitioning into IT and Cyber assurance. Over the past 10-plus years, I have worked directly for CPA Firms within their IT Assurance, Risk Assurance, and Cyber & Control Risk Services teams. So, I’d say that if you are currently pursuing a general degree, try to opt for one with required or elected course work where cyber or IT principles and frameworks are taught, as that would be a differentiator worth pursuing and mentioning in a resume or interview. If you have already received a bachelor’s degree in a field that is not related to IT or cyber security, there are a number of master’s programs that are popping up across the country to look into. A master’s in Cybersecurity will differentiate an individual who has a different background and would be really helpful for getting a foot in the door.
PC: What about people who are looking for a career change and they think cyber security might be an interesting path?
AM: The first step I recommend is to look into taking the exam for a relevant cyber security certification. As a hiring manager, I would look for somebody who might have a Certified Information Systems Auditor (CISA) certification, Certified Information Systems Security Professional (CISSP), or Certified Internal Auditor (CIA), to name a few. However, there are a ton of cyber certifications available to choose from, so if there is interest in the field of cyber security, start with reviewing the cyber certifications that interest you. From an employer’s perspective, cyber certifications tell me the applicant is actively interested in and pursuing cyber security. Seeing those certifications would help me understand they’re ready for that transition.
PC: Is PBMares a good place for people interested in cyber security?
AM: I’ve had the opportunity to work for Big 4 accounting firms before PBMares, and I really enjoy working the most with small and medium-sized businesses (SMBs). The SMBs in the local area are adding value to our communities. However, there is still a lot of room for improvement to strengthen their cyber security posture. As the importance of strong security controls increases and the demand for independent third-party cyber risk assessments also increases, so does the opportunity for PBMares’ Cyber & Control Risk Services team to add value to our local community. PBMares’ Cyber & Control Risk Services team is growing as a result, and we have a great team of individuals, culture, and overall One Firm approach that makes PBMares a wonderful place to work and add value.