Title/Organization: Security Control Assessor/National Institute for Standards and Technology, U.S. Department of Commerce
NICE Framework Category: Securely Provision
NICE Framework Work Roles: Security Control Assessor
Academic Degrees: B.A., Criminology and Criminal Justice; M.S., Cybersecurity Policy; MBA
Certifications: CompTIA Security+, Certified Information Systems Security Professional (CISSP)
Karen Wetzel: In this edition of the NICE eNewsletter series Framework in Focus, it is my pleasure to speak with Santi Kiran, Security Control Assessor at NIST, under the U.S. Department of Commerce. Santi, thank you for letting us learn about your career pathway and understand more about the NICE Framework and what we do from the lens of someone like yourself who is performing cybersecurity work.
Santi Kiran: Thank you for having me, Karen.
Karen: My first question for you is: Could you explain your role and responsibilities as a Security Control Assessor here at NIST?
Santi: I’m in a unique role. I was supporting previously NIST as a contractor, but I joined as a federal employee within the last year. I support two different areas within our team: 1) security control assessments to ensure we’re meeting compliance requirements set forth by the government; and 2) working to integrate our security assessment and privacy processes into a governance, risk, and compliance (GRC) tool. So I help with development and new efforts related to the GRC tool but also support assessments.
Karen: How did you get to become a security control assessor? Could you describe your career path?
Santi: I’s an interesting one. When I graduated from college, I initially envisioned going to law school. But then I started off my career in general management consulting and started noticing a trend in cybersecurity—how it was becoming increasingly important and relevant in terms of day-to-day business operations. With so many people in the management consulting field I wanted to develop my skill set and differentiate myself, and so I turned to a master’s degree in cybersecurity to help provide me with foundational cybersecurity knowledge that I didn’t get during my undergraduate program. That helped me pivot into cybersecurity consulting and from there I earned a few security certifications, which helped me not only build cybersecurity capabilities but also understand the vast domains within the field.
Karen: That was forward-looking of you. We’ve tried to emphasize that the NICE Framework is for those whose primary role is in cybersecurity and also for people across the enterprise who need cybersecurity knowledge or skills to reduce risks to the organization—exactly what you described, that people in the business portions of the organization also need to have this knowledge, too. I’m sure it was extremely helpful for you in developing your career. We often hear, though, that entering this field can be complex; did you experience any difficulties in going into cybersecurity as a career?
Santi: I would say there were two areas I had to really think through in making this career move. First, I come from a very business functional background, and I thought, “I don’t want to sit there and code all day and look at incident response reports.” But after doing some research, I realized cybersecurity is a very large field. There are so many different things you can support. I found leveraging the existing skills that I have from that business functional background and serving as that translator with the technical side of an organization was lacking and a role I could fill. It’s been very beneficial for me. Then, when I was actually pivoting into cybersecurity, I had to take a step back in terms of the roles I was first starting off with. Moving from an established career to a different field—I don’t want to say it’s like starting over, because some of the skills are transferrable, but I did have to take that into consideration.
Karen: In the 2020 revision of the NICE Framework we introduced Competencies. Included in our draft list of Competencies are professional skills, including ones you’ve highlighted, like communications. We keep hearing about how important it is to have those kinds of capabilities in cybersecurity careers as well as in in non-cybersecurity careers. It looks like you’re ahead of the game. You mentioned your degree and certifications; how important do you think those traditional certifications are for cybersecurity positions?
Santi: A degree was important for me because I was pivoting into a field in which I didn’t have on-the-job skills or any formal education. Once I entered this field, the guidance I received from my leadership and supervisors, especially being part of the federal government, was to have certain security certifications. I had gotten a few to help strengthen my knowledge and my skill set in the field, but they also helped me to understand cybersecurity as a broad field while having the opportunity to specialize in one or two areas where I could best use my skills.
Karen: How do you keep those skills sharp and current?
Santi: The fun part with having certifications is maintaining those with learning credits. Basically, attending conferences, webinars, and things like that to keep yourself well-informed of what’s happening – not just security trends but also new ways of approaching common security problems and challenges.
Karen: My next question is on a slightly different tack. Diversity, equity, and inclusion (DEI) are well-recognized as important for the success of the cybersecurity workforce. What role do you see for DEI in helping us to develop our future workforce?
Santi: Bringing a diverse background, different insights, and different perspectives to our field is key to help ensuring its success and fostering growth. I have attended a couple NICE webinars that have highlighted for instance, the low numbers of women in cybersecurity and the STEM workforce. I’m interested to see how we can leverage the NICE Framework to encourage more women to join the workforce.
Karen: You mentioned the variety of different kinds of roles there are in cybersecurity. We’ve been trying to focus on how to communicate to people who might be interested in this as a career that it isn’t a one-size-fits all. There is a variety of different kinds of roles and, for anyone interested in cybersecurity as a career, there is likely a role that would be a nice match for that person. The NICE Framework Work Roles are one way we highlight that, but it’s also a point of conversation in our communities of interest and working groups, in conversations around transforming the learning process and developing our workforce, for instance. Going back to you and your specific job, what is it you enjoy most about the work you do?
Santi: I really like how the things I do relate to everyday life. You hear about things like the SolarWinds hack or the ransomware attack of the Colonial Pipeline—they show the larger scale of our work and how relevant it is, and I see it becoming even more pertinent to how we live as a society. It’s always fascinating to me how, at the end of the day, the little things I do bubble into how we live our daily lives, especially with things being more interconnected.
Karen: One last question. If you could give advice to a young person considering a career in cybersecurity, what would you tell them?
Santi: Again, I would say it’s important to understand that there is a place for everyone in cybersecurity. Personally, I don’t consider myself to be very technical, but there are things I can still do in this field. Be open and do a little research in terms of what you your interests are and how they can be applied. I think that, at the end of the day, everything is interconnected.
Karen: That’s a great note to end on. Santi, I really appreciate you taking the time to speak with me today. What an interesting career path you’ve had. I’m looking forward to meeting you in person one day around the NIST corridors.
Santi: Thank you, Karen.
To listen to the full audio interview with Santi Kiran, click on the audio below:
Download a full transcript of the interview.