Amar Singh, CEO and co-founder of Cyber Management Alliance, sat down with Jay Bavisi, founder and CEO of EC Council, to find out more about his early career, how he started EC Council and developed their Certified Ethical Hacker program, the challenges facing CISOs in business today, and why it’s not just about technical skills.
Jay started his career as a British-trained barrister, having attended law school in Cardiff, Wales, but soon discovered that the world of legal affairs was not his passion. So, he sat down and started to ask himself what would be the next security attack – physical or virtual – and soon came to the conclusion that it would be a cyber attack. The next question was how to defend against a cyber attack; the answer, in Jay’s opinion, was to teach the good guys the skills of the bad guys.
Having spent some time Googling training programs that would deliver these types of skills, he realized that there wasn’t really a specific training program that delivered this type of teaching, and that’s how EC Council started in 2003.
Having coined the phrase Certified Ethical Hacker, Jay struggled to get in front of boards, managers and C-Suite executives, principally because they didn’t want to be associated with a ‘hacker’. Eventually, businesses started to realise that there are good and bad hackers, and that they could help their businesses to learn how to defend themselves against a cyber attack. Today, the EC Council can count the Navy and the FBI amongst its clients. A key turning point was when the Department of Defense added EC Council’s Certified Ethical Hacker program as part of the DOD8570 Directive; it added validity to what they do.
Whilst EC Council is about promoting their CEH programs, Jay admits that his following advice may be counter-productive. For Jay, whilst certification is definitely a step forward and a way of validating you and what you do, it’s not the be all and end all. It’s not just about a piece of paper. It’s about choosing a training provider that is going to take you through the whole journey. Yes, the certification is important, but it’s also important to be able to share and demonstrate what you have learnt. An experienced organisation will have a good trainer, they won’t take shortcuts, and they will test you again and again to make sure that you are capable of succeeding. Just having the credentials is not enough; you’ve got to be able to think, talk and walk security.
To a certain extent, says Jay, it depends on the type of job. So, for example, if hiring for a penetration tester, at EC Council they will put candidates through a series of tests to evaluate their level of skills. However, for more managerial roles, a person’s human skills become extremely important – communication and leadership skills, for example. Just having the technical skills is no longer enough.
Right now, it’s common that CISOs don’t have many academic qualifications but that terrain is beginning to shift. Jay believes that in the next 5 – 10 years, CISOs and other board or manager level security personnel are going to be expected to have certain levels of qualifications.
CISOs today face different levels of challenges and it is no longer sufficient to have just the technical knowledge. They need to know how to manage teams, how to manage risk, how to communicate at board level. The skills required go beyond just the technical.
Hear more valuable insights from Jay Bavisi, founder and CEO of EC Council and view our exclusive Insights With Cyber Leaders interview.