Welcome to our podcast series, Coffee with the Council. I'm Alicia Malone, Senior Manager of Public Relations for the PCI Security Standards Council. In this episode, we'll meet three Qualified Security Assessors, or QSAs. A QSA company is a data security firm certified by the Council to perform on-site assessments of a company's PCI Data Security Standard compliance. This ensures that robust policies and procedures are in place to protect cardholder data. The QSA Program plays a critical role in the adoption of PCI security standards.
In 2018, the Council introduced a new Associate QSA Program, with the goal of attracting new cyber talent to the QSA Program and easing the resource constraints felt by QSA companies. The Associate QSA Certification provides a professional path for new interns to join the payment card industry and gain experience to qualify as a QSA.
My three guests today successfully made the leap from AQSA to QSA. Joining us are Riona Mascarenhas, Senior Security Consultant at Coalfire; Kyle Kofsky, Senior Associate at Schellman; and Stephanie Monday, Senior Manager of Security and Privacy at Protiviti. Finally, we'll be joined by the Council's own Standards Trainer, Scott Chambers. Welcome, everybody.
Kyle Kofsky: Thanks, nice to be here.
Stephanie Monday: Thank you so much.
Riona Mascarenhas: Thank you so much, Alicia.
Alicia Malone: So, Riona, let's start with you. How did you learn about the Associate QSA Program and what inspired you to join?
Riona Mascarenhas: Thank you for the question, Alicia. The AQSA Program was introduced at Coalfire in May of 2018, which was a little less than a year after I had joined Coalfire as an associate. When I was introduced to the AQSA Program, I was elated because it propelled me to take on more roles and responsibilities apart from shadowing lead QSAs and playing the support role on our PCI engagements. The AQSA empowered me to lead interview sessions under the supervision of the lead QSA, conduct site visits, and take on more roles and responsibilities on the projects that were allocated to me, which contributed towards my holistic growth and overall development on my path to become a QSA.
Alicia Malone: Excellent. Well, welcome. And Kyle, how did you find your way to the payment security space? What made you want to become an AQSA?
Kyle Kofsky: Yeah, my experience has felt longer than I think it was. When I started my career about four years ago, I came out of college and started working in the IT audit and assurance space and really only handling IT general controls in support of financial audits for private and public clients. Eventually, I started working in a little bit of SOC 1 and SOC 2 projects, but you know, between these different types of assessments, there wasn't a lot of wiggle room for the subject matter you're seeing, the scope variation, not too many actual different things to look at, from your day to day. So, I started to feel as though I wasn't really learning anything new or seeing any new processes, systems, or controls, and I knew if I felt that way very early in my career that I would only start to feel more strongly that way over time, unless I find a way to start shaking things up and to challenge myself.
So, I decided to ask my manager if there's any opportunities for something more technical that might better suit the skillset I had received from my college education. I have a degree in information systems and security. So, I figured more technical work is probably better aligned for that skillset I had developed. So, we talked through things, and he ended up suggesting that I start to look at the QSA Program that we have, more specifically I guess at large, the PCI practice. So, I met with the senior manager who ran the PCI group and we talked through things, what I'm going to be doing from day to day, and then I slowly got immersed into PCI assessments, sort of even before I was a QSA, just to see and shadow, kind of to get a feel for what a day to day is like as a QSA, what type of things you're looking at, different types of assessments, the types of systems you're going to be looking at, to what depth you're going to be looking at those systems, the control variation, scope variation, that sort of thing.
So, I pretty quickly learned this is something I'm interested in just from shadowing. You know, this is really showing a lot of variation. I'm going to see everything from point-of-sale systems and card readers and e-commerce platforms and iframes, you know, things that I get to use every day in person, online. In addition to things on the back end, when you're dealing with service providers, getting to see some complex environments, whether they're cloud-based or locally hosted, all sorts of different facets to see. So, I ended up going from looking at just new hire listings, terminated user listings, and that sort of testing, to looking at router configurations, iframe implementations, and it felt really rewarding to make that change in not too much time, just from shadowing and developing myself into an AQSA thereafter.
And lastly, I think one thing that really interested me was, I suppose it felt rewarding that I was actually working to protect cardholder data. You know, that same cardholder data that could belong to myself or my family, working to protect that, and preventing financial damage to whether it's a company or other people - like I said, myself or my family - and knowing that I'm actively contributing towards the security of the end user. I thought that was really rewarding in addition to all of the other things I mentioned.
Alicia Malone: That does sound like a rewarding track for you, Kyle, and thank you so much and also welcome to you. And Stephanie, what inspired your career path and how did you learn about the AQSA Program?
Stephanie Monday: Yeah, so I would say that my career progression is similar to that of Kyle's. I started my career with Protiviti, the firm that I am with now, and I largely started in the technology and cyber risk space. And so, a lot of the work that I was doing was assessing risk related to an organization's applications or maybe their third-party risk. And, I realized as part of that work, that I was interested in something a little bit deeper than that, in the sense that when I was trying to communicate risk, for those of us who are familiar with some of the risk principles related to mitigation and controls around risk, that I wanted to find more information around the system components that were in place, the technologies that were there, how they were talking to each other in order to tell the full story. And so, I really wanted to get a more technical experience out of my profession.
So what ended up happening is that I was connected to a QSA within the company who gave me an overview of what PCI is, what a QSA does, and at that time, the AQSA Program was relatively new, and so it was interesting to see what that looked like as far as, you're taking the same training as a full QSA, you're doing a lot of the same activities as a full QSA, but with guardrails that make you feel a bit more secure in that sense, so that you feel empowered to learn and develop your skillset. And so, I decided that it would be a great opportunity for me to go ahead and look into getting that AQSA certification, especially with the knowledge that I didn't have the required certifications to become a QSA, but I was definitely interested in getting my feet wet in the world of PCI by first becoming that AQSA and understanding all the different aspects within PCI and getting to see all the different elements, all the different types of SAQs and the different types of engagements or projects that you could be on, that would allow you to learn some of those elements that I talked about before. Getting to understand a customer's environment and all the intricacies that are involved there. And so, ultimately, I did go forward and, of course, became an AQSA, and it has only gotten better from there.
Alicia Malone: Thank you, Stephanie. And you mentioned your QSA mentor, which is a really great segue into my next question for all of you. So, as part of the Associate QSA Program, you're assigned a QSA mentor at your company, which provides some guidance and support as you learn the role of a QSA. What was this experience like and how helpful was it to your career path? And Riona, we'll start with you.
Riona Mascarenhas: Thank you, Alicia. The QSA mentorship, which is a part of the AQSA Program, was indeed a great benefit to my overall development on becoming a QSA. I had the opportunity to work with my director as my AQSA mentor. As a part of the AQSA Program, we had monthly and quarterly check-ins to walk through the project engagement summary documentation, which was maintained for each project. The summary included detailed AQSA tasks, timelines, and feedback, that was received from the lead QSAs on the projects. The detailed tasks and milestones helped ensure the accountability of tasks, and the feedback that was received from the lead QSAs was taken into consideration as areas of potential growth and improvement. Overall, the AQSA Mentorship Program was extremely valuable, as it greatly contributed to my overall development in becoming a QSA.
Alicia Malone: Excellent. And how about you, Kyle?
Kyle Kofsky: Yeah, I've worked with a number of different QSA mentors over the past few years, all the way to, you know, before I was even an AQSA, through being an AQSA, and being a full QSA. So, as I mentioned earlier, even before I was a QSA, when I was doing shadowing and working with QSAs to learn the ropes of PCI, they were really hands-on. They treated me as though I was already an AQSA, you know, just being very willing to take time out of their day to show me the ropes and most importantly, to explain, why I'm doing some of the work that I'm doing. And that's really what got me, you know, helped me understand that QSAs are really interested in the community. They want to see other people flourish in the community, see others feel fulfilled in the work that they're doing. So then, you know, this kind of continued through being an AQSA. And, you know, even through today, now that I'm a full QSA, nothing's really changed, I don't think.
Alicia Malone: Thank you, Kyle. And how about you, Stephanie?
Stephanie Monday: Yeah, I would say that having a QSA mentor was extremely helpful for me, as well as having a bunch of other QSAs at the company. And so having that wealth of knowledge to lean on, and especially considering my QSA mentor is someone that I've been working with for well over five or six years, and so almost every single one of my PCI engagements has been with the same mentor. And I would say at the beginning, it was really helpful in the sense that he was able to explain different parts of, for instance, the PCI DSS or different topics or components of PCI and be able to explain that once I get my head wrapped around this topic, it will allow me then to do this in the future as a full QSA, since there are limitations to being an AQSA.
It also allowed him to see my own career progression. So, if I were working on an engagement where I was specifically in the weeds with something like point-to-point encryption, we could then take a step back and say, where else do I feel like I have not had the experience? Where else can we plug me into a project where I might be able to learn something new and develop those skill sets? So, I think having that experience with a mentor who understands where you're at, the experiences that you've had and pushes you to continue to learn and to understand different concepts within the PCI world was very helpful, especially in order to get that QSA, and get the certifications in order to become the QSA and to make that final jump in the end.
Alicia Malone: Now, once an Associate QSA can fully meet the QSA qualification requirements, they are eligible to apply to PCI SSC to become a QSA. Kyle, how long did this transition take and what was it like when you finally became a QSA on your own?
Kyle Kofsky: I'd say it took me a little over a year to go from AQSA to QSA. And I felt as though it went along pretty fast, and I achieved that, and what I felt was a pretty condensed timeframe, just because I was exposed to so many different technologies and environments, and all the different types of assessments that I was able to see during my time as an AQSA. It's kind of, you make the most of it. If you ask to see more, if you ask to see different types of assessments or seek out new opportunities, I really think it helps develop your skills and you know, you can reach for that QSA, you know, as fast as you can really.
Like I mentioned before, my previous QSA mentors are still my mentors today. And, you know, they're cheering me on as I pass my CISA and my CISSP exams. You know, ultimately that kind of led me to becoming a full QSA once I finished that CISSP exam. So since becoming a QSA, I'd say I really don't feel all too different. As I mentioned before, thanks to the excellent preparation I received from my mentors, I'd say I still maintain a learning mindset. And I'm always looking for new opportunities to improve my understanding of different technologies or efficiencies and how I go about assessing and report writing. You know, always looking for different ways to improve.
Alicia Malone: That's great, Kyle. And I do agree that in this industry, we're just constantly learning, right? There really is no end to all of the information that you can learn in this industry. Riona, what was the most valuable part of the AQSA to QSA Program for you? What advantages did it bring in terms of your career path?
Riona Mascarenhas: Joining Coalfire as an associate after my master's in computer science, I can indeed say that the AQSA Program instilled confidence in me and helped pave my path in becoming a cybersecurity professional. Being an AQSA empowered me and provided me the ability to participate in and render active support to multiple PCI engagements for multiple clients. Activities like the AQSA mentorship and the specific trainings that were provided bolstered my skills towards becoming a good QSA. Upon meeting my certification requirements, I was able to seamlessly transition from being an AQSA to a QSA. I am indebted to the AQSA Program that helped me on my journey at Coalfire to become a QSA. And now in my current role at Coalfire, I support and provide guidance and mentorship to some of our non-QSAs and can indeed attest that this AQSA Program is an exceptional and great way to develop our non-QSAs and guide them towards honing the essential skills that are required to become a great QSA. I am indeed proud to be a QSA at Coalfire and I look forward to mentoring and supporting the AQSA Program to the best of my abilities.
Alicia Malone: Riona, I love that you were able to pay it forward by becoming a mentor yourself and I think that speaks very highly of the mentorship Program and the value that people receive by going through it. And so, Stephanie, what advice did you receive on your journey through the Program and what advice would you offer to someone who is interested in becoming a QSA?
Stephanie Monday: Yes, so one of the most valuable pieces of advice that I received when I was an AQSA was to keep up the momentum and I would definitely encourage any other AQSA who might not already have one of the two certifications that you are required to have to become a QSA, I would definitely provide that same advice in the sense that you should always be taking the next step. Don't be afraid to order the materials for the certification, schedule that exam, put together a timeline and agenda for your studying. And once you obtain that first certification, jump right into the next one, identify that plan and that path forward and how you're going to study and get that next certification, because, you know, work is busy, and life only gets busier. So, the more that you can encourage yourself to just keep going, I think that is the best advice that I got in order to reach that next step of obtaining the QSA and getting through all of the requirements that you must meet in order to become the QSA.
Then, I would also say something that I would then provide to other AQSAs who are looking to make the transition or the leap, is to continue to be a sponge. I think that is something that you could probably apply to multiple different jobs, but I do think that especially for PCI, we have to continue to be open to change and be adaptable, and to circle back on some points that Alicia, you and Kyle made, the world of PCI is large and it's always going to be evolving. Same with the technology that we are looking at every day. And so, trying to push yourself to understand those concepts, to know that an environment that you're looking at today might be entirely different next year and understanding that the more that things change, the more that you learn and grow, I think is the best way to approach your career as a QSA.
Alicia Malone: That is so true, Stephanie, that we are in such a dynamic industry that is constantly evolving and changing. And it is so critical to stay on top of your skills and keep learning in this environment. Thank you all for your helpful insights into the Program, and congratulations on your successful transition from AQSA to QSA.
Joining us now is Scott Chambers, who is one of our Standards Trainers. Scott, tell us a little more about the AQSA and QSA training Programs that the Council offers.
Scott Chambers: Absolutely. Let me just start by saying that the training that AQSAs receive from us here at the PCI SSC as part of their qualification process is exactly the same training that candidate QSAs undertake. They even take the same exam. Now, why am I mentioning that? Well, because normally when we tell people that story, they're initially surprised. But when you think about it, it actually makes total sense because those AQSAs are ultimately going to be out there assisting with real world assessments. And so, they need that same baseline of knowledge that we would expect from any of our other assessors.
So, the qualification training itself, that we provide for QSAs and AQSAs is delivered using a hybrid approach, requiring the students to undertake a series of computer-based modules, as well as a short test to confirm their understanding of some of the fundamentals of payment security. Once they achieve that initial level of knowledge, then they have the opportunity to dive deeper into PCI DSS and many of the technical concepts related to those requirements, before attending an instructor-led class with myself or one of my colleagues on the training team. And I'm telling you now, those sessions are great. There's nothing that we trainers love more than to be working with students at those live events. They've got the opportunity to ask questions and get answers, but it also gives them the opportunity to network with their peers, learning from each other's knowledge and experience as well as ours. And I have to say, we trainers sometimes learn something new, too, during some of those discussions.
But the great news for all of you out there, if you're thinking about becoming assessors, is that nowadays we offer those instructor-led sessions both online and in-person, so providing a degree of flexibility with an option, hopefully, to suit everyone.
Following completion of all of that modular training that makes up the curriculum, candidates take their final qualification exam. And if they pass, they become qualified and listed assessors. But you know, the learning opportunities don't stop there. As part of their journey to becoming a QSA, AQSAs need to continue to build their skills and knowledge. Moreover, they have to demonstrate their achievements each year by logging their Continuing Professional Education hours or CPEs. And to help with all of that, we here at the Council have developed an abundance of ongoing educational resources that are available to all of our assessors, many of which can be accessed through our online resource center, where we have a complete archive of our current and past assessor newsletters, webinars, as well as access to training modules that the assessors might want to look at again. And then we also have our fairly recent addition to our training resources, the online Global Content Library, where assessors can find a lot of on-demand recordings of presentations and informational videos that we've produced over the years.
Likewise, we also have our PCI Perspectives blog that anyone can sign up to, and that provides insights into what's happening within the payment space, and of course, we have our in-person events and knowledge training classes that cover an abundance of different PCI standards that we hold throughout the year.
You could argue that the AQSA and the QSA training and learning opportunities never really end. That exam that the assessor candidates take following class, it's really just the beginning of a bigger journey.
Alicia Malone: An overall shortage of cybersecurity talent made it difficult for QSA companies to find suitable new assessors. The Associate QSA Certification Program is designed to bring new cyber talent to the QSA Program. How much success have you seen in its ability to do that, and are there any success stories that really stand out to you?
Scott Chambers: Yes, I joined the PCI SSC in 2017, which was just prior to the launch of the AQSA Program. And before making that move to the PCI SSC, I was a hiring manager myself within an assessor company. So, I can personally attest to that skill shortage that we were seeing at the time. The problem simply was a limited pool of experienced talent out there, and as you can imagine, it was like any other supply and demand issue, lack of supply meant that costs across the industry were being driven up, impacting everybody. But that inflationary spiral wasn't really addressing the underlying problem, which was the size of the available experienced talent pool.
So then came the AQSA Program and the ability to tap into new talent streams. We realized that there was an abundance of inexperienced but extremely talented individuals out there. For example, young graduates that had spent a number of years of their life studying cyber or information security, software engineering, and various other IT related disciplines. Many of whom had fantastic and, importantly, current knowledge in those areas, but who simply lacked the practical industry experience and certs to be able to meet our QSA qualification requirements. In fact, as well as our own requirements around years of industry experience, many of those certs that we expect as prerequisites for our QSAs also require a number of years of industry experience. But how do those talented young people get that experience if they can't get a job due to lack of experience? It's kind of that chicken and egg scenario, right? And so, we realized that there was all of this untapped raw talent out there that we should be nurturing and hopefully retaining within the payment security industry. And at its core, that's what the AQSA Program is all about.
I often describe it to people who ask as being a bit like an apprenticeship program, bringing in those exceptional people that don't yet meet our prerequisite requirements to be a QSA, but with the right combination of on-the-job training and structured mentoring, can grow their experience and knowledge out there in the real world to become excellent assets within the PCI community and eventually become the next generation of QSAs. Personally, I really do think it's a great program. It provides an invaluable opportunity for the candidates, the QSAs themselves, their employers, and ultimately, the overall payments and cyber security industries. I've been a trainer since the launch of the AQSA Program, and so I've personally taught a number of the AQSAs coming through the Program, and I can honestly tell you today that I'm always impressed by their knowledge, the questions that they ask, their general keen interest in the industry.
It truly is always a delight to have AQSAs in the class. Indeed, there are several AQSA candidates that stick in my memory for all of the right reasons, who I'm pretty certain have big futures ahead of them in the industry. In fact, in anticipation of this interview, I actually requested some stats, which I think speak for themselves. Since the introduction of the AQSA Program back in mid-2018, we have now seen 173 AQSAs successfully transition to becoming QSAs so far, with many more on the way. So that's 173 skilled and qualified individuals that we otherwise may not have had within our industry sector, had it not been for the existence of the AQSA Program and the pathway that it offers.
Alicia Malone: Scott, that is a really impressive number and I'm so glad to see that that Program has been such a success and I'm encouraged to hear that because I feel like that's going to really drive more participation to the QSA Program. If one of our listeners is interested in becoming a QSA, where should they start? What are the next steps you would recommend on his or her journey?
Scott Chambers: Yeah, that's a good question. Where to begin? Well, if somebody out there is interested in learning more, I would recommend heading over to our website and downloading our QSA Program Guide and Qualification Requirements documents. Reading those documents will provide a little bit more insight into the requirements for becoming an AQSA. But also, while you're on the website, have a look at the Qualified Security Assessor listings that we have on there, because we actually have an indicator against each of those QSA companies that show whether or not they offer an AQSA mentorship. So, find some in your region that do and send off your CV. And you know, if our interested listener happens to already work for a QSA company, perhaps in a non-assessor role, find out if your company offers AQSA mentorship and express your interest. Also, keep your eye on industry job listings. We know there's a lot of job boards out there and you might see an advert for an AQSA role out there as well. In fact, the PCI SSC also operates a job board and perhaps AQSA positions might appear on there occasionally, too. But ultimately, my message to anybody wanting to break into this sector is simply: do the legwork, explore the opportunities, and you know what, if you don't find the right opportunity immediately, just keep knocking on the doors, keep on trying.
Alicia Malone: Thank you so much, Scott. You are a wealth of information, and we're so pleased that you could join us today. I just wanted to thank all of you for joining us on Coffee with the Council today and for sharing your unique insights into our training programs. And I've enjoyed so much hearing your success stories.
Stephanie Monday: Thank you so much.
Kyle Kofsky: Happy to be here. Thanks.
Riona Mascarenhas: Thank you so much, Alicia. Thank you to the Council for providing us this wonderful opportunity of being here and representing all the AQSAs and talking more about the AQSA Program. It was wonderful to be here and wishing all the AQSAs all the very best.