The Network: George Quinlan

Author: George Quinlan
Date Published: 1 March 2016

George Quinlan, CISA, has worked in IT infrastructure, operations, governance, security, risk and compliance for 25 years and currently works as a senior IT consultant for Equilibrium IT Solutions in Chicago, Illinois, USA. For the past 10 years, he has taught the CISA review courses for the ISACA Chicago Chapter, and now also teaches the CRISC review course.

What is the biggest security challenge that will be faced in 2016? How should it be addressed?

The frequency and impact of security breaches will continue to rise. Security practices need to become more mainstream.

What are your goals for 2016?

  1. Obtain my Certified in Risk and Information Systems Control (CRISC) certification
  2. Work on my Certified Information Security Manager (CISM) certification next

What is your favorite blog?

Krebsonsecurity.com

What is on your desk right now?

Lots of coffee cups!

What is your best piece of advice for other IT security professionals?

Work for a company/organization that has support from the top.

What do you do when you are not at work?

In the summer, I race sailboats on Lake Michigan. In the winter, I ski and I am a member of the Ski Patrol (we rescue injured skiers). In between, I try to hit the gym.


How do you think the role of the IT security professional is changing or has changed? What would be your best piece of advice for IT security professionals as they plan their career path and look at the future of IT security?

Ten to 15 years ago, IT security was an obscure IT role that few companies had or really needed. Now, IT security is becoming mainstream, highly in demand and sought after. The best advice I would give someone is to seek opportunities for training and acquiring new skills and knowledge and to leverage the resources of ISACA to improve your professional self.

How do you see the roles of IT security, governance and compliance changing in the long term?

I think these roles are going to become mainstream business functions, no longer optional or “nice to have,” but critical to the ongoing business operations in many industries and organizations.

What do you see as the biggest risk factors being addressed by IT security professionals? How can businesses protect themselves?

The biggest risk factors are the speed, complexity and ease with which an organization can become the victim of a cyberincident. Perhaps an even larger risk is the ignorance at the level of the chief executive officer (CEO) and board of directors (BoD). Many CEOs and BoDs still believe that IT has security and risk covered and are happily unaware of the real risk their organizations are facing. I do not think a business can fully protect itself, but must look at security through the lens of a risk-based approach and act accordingly.

How have the certifications you have attained advanced or enhanced your career? What certifications do you look for when recruiting new members to your team?

I started in IT as a very technical, hands-on network engineer and worked my way up into IT management. In 2005, I was running IT operations for a credit card processing company and my boss asked me to take on security and Payment Card Industry (PCI) compliance. At that time, I discovered ISACA and the Certified Information Systems Auditor (CISA) certification, and it was the best certification I had ever sat for (I had approximately 15 active technical certifications at one time). The body of knowledge I have gained through ISACA and the CISA certification has made me better in every aspect of my job. I am far more knowledgeable, and I can also relate industry best practices and that knowledge to my job and my clients.

How did you make the transition from IT security to roles in sales and marketing? And what skills have helped you the most in these more recent roles?

I think an effective IT salesperson knows the industry and the business inside and out. The skills I have obtained throughout my career help considerably. What I find interesting is that sales has a lot to do with psychology and human needs and emotions as much as it does technology.

What has been your biggest workplace or career challenge and how did you face it?

IT incidents or major outages are very challenging, and this includes security incidents. I cannot really elaborate on specific details, but I will say that the key to effective response in a time of crisis is being prepared. I have been through a number of fairly serious and high-pressure incidents; some were major. Being prepared is the key. This should include a response plan, a team that has practiced responding and more.

Unfortunately, all too often I see organizations focus solely on preventative controls (the latest firewalls or other security measures) and really miss the boat on detective and corrective controls. I am a part-time ski patroller with emergency medical services (EMS) training so I see a lot of injured patients on a regular basis and deal with a lot of stressful trauma situations. The two key things I have learned are:

  1. Crisis situations are always stressful and confusing, and never go by the book.
  2. Preparation and practice ahead of time are absolutely critical. It is your training and practice that get you through these kinds of crises. For instance, I would not want someone having to read the cardiopulmonary resuscitation (CPR) manual when I am in cardiac arrest.