What am I reading at the moment?

Updated list as of 30th Nov 2019

Beyond Cybersecurity

Becoming a global CISO

Atomic Habits by James Clear

So Good They Can’t Ignore by Cal Newport

Ultralearning by Scott Young.


I read a lot of books across different genres; below is the list of books I have read since January this year.

PS: Some of the books have nothing to do with InfoSec, but I tend to focus on topics such as productivity, emotional intelligence/fitness, personal development, and other interesting topics I pick up from podcasts and books.

Book List

5 AM Club – Robin Sharma

What Got You Here Won’t Get You There

Tools of Titans


The Leader who has no title

The Art of Learning

80/20 Your Life

The Effective Executive

Tribe of Mentors



What do I listen to?

The following is the list of podcasts / mini-series that I listen to on a frequent basis.

Cyber Security podcasts

Tim Ferriss Show

  • tim.blog/podcast

Robin Sharma

Tom Bilyeu





London Real – Brian Rose


Tony Robbins

Understand what needs to be protected, i.e. Information and Information Assets

This is for new cyber security consultants, whether you are internal or provide consulting services to clients. Speaking from a GRC point of view, most consultants may ignore the fact that to be effective in providing sound advice to clients, especially in this modern era of cyber security, one needs to at least understand what needs to be protected, i.e. the information asset.

Information can be physical or digital/electronic. Information has a life cycle and goes through phases such as creation, processing, and storage. There is a famous data life cycle; refer to this blog post: https://www.securosis.com/blog/data-security-lifecycle-2.0 . Information needs to be protected in all of these phases.

Data Security Lifecycle

Diagram: The data security life cycle.

Through this life cycle, when considering the digital form of information, it will touch different layers such as computing, storage, and network. And all these things don’t just live in a vacuum (cloud); they need to be physically hosted, and that’s where physical security comes into play.

I believe in deconstructing things to their core, the bare basics. I think a cyber security consultant should have at least some high-level understanding of how things work and how they are built (architecture) in the areas below.

  • Application and Software: Programming
  • Computing
  • Storage
  • Network
  • Virtualisation (plus containers)
  • Cloud anyone (understand the top four first)?

Building Competence

As a cyber security consultant, whether you choose the technical or non-technical track, you will need to build competence in understanding the following areas: computing including OS, virtualisation + containers, cloud, database, application / software programming, networking, storage, and physical, at the very basic level. These areas form the basis of what you are going to protect, as they relate to the information / data lifecycle.

My approach to building competence in these areas is based on pursuing a certification in each area, or using the curriculum of those certifications for self-study, including reading books, webinars, seminars or literature around the area. My go-to place for this is the CompTIA IT Certification Roadmap – https://certification.comptia.org/docs/default-source/downloadablefiles/it-certification-roadmap.pdf

Hint: You don’t have to do any of the certifications; however, you need a structured way of reading and mastering the topic / competence area. My approach has always been self-study; others prefer boot camps if they have the resources (money and time) to do so.

To be continued.

Person of Interest

Fortnightly, I tend to follow the work of interesting individuals; these can be cyber security professionals or other professionals, e.g. motivational speakers, human guinea pigs, peak performance coaches, etc. So below is my list of persons of interest and the work they did / do.

Tim (othy) Ferriss – Author of Tools of Titans, Tribe of Mentors, The 4-Hour Work Week, and many other books – http://www.tim.blog

Robin Sharma – 5 AM Club, The Monk Who Sold His Ferrari, The Leader Without Title

Tony Robbins

Josh Waitzkin – The Art of Learning, Peak Performance Coach

James Clear – Atomic Habits

Damon Zahariades

To be continued ….

Staying Productive

Being a cyber security consultant requires high discipline and self-motivation, and staying on top of the tasks that you need to deliver to the client. While it is assumed that everyone should behave and play the part, most consultants have trouble doing this. I have a few tips and tools to stay on task.

Tracking time – Toggl

Planning and Scheduling – Calendar (schedule everything and put it in as a calendar entry – things that are scheduled are the things that get done)

Pomodoro Technique – Set a timer for 25 minutes of work, then a 5-minute break. You can use an app (mobile / web app); I use the mobile/desktop app Focus To-Do and a Garmin watch. I should add that during the break, apart from making tea, do anything physical like 10 pushups, wall-sits, a quick sprint, or go out for a walk in the fresh air.

PS: Make sure you spend your weekend wisely so to minimise burnout 🙂

I will expand this post more…

I want to be a PCI QSA? How can I get started?

This is a placeholder; I will expand this post when I get time to write.

I have been a QSA since 2013, and before that I worked for a multi-national bank from 2007 to 2009, which had a programme to secure card payments, hence my early involvement in the PCI world.

So what does PCI stand for? Payment Card Industry. Maybe your next question will be: what is PCI DSS, and what is the security council, SSC (Payment Card Industry Security Standards Council)? And of course, what is a PCI QSA? I will answer these questions in an expanded post. For now, for a quick reference, go to the PCI SSC website here


My Book Library

They say a typical CEO reads about 60 books per year. That is roughly around one book a week. I try to keep up with that pace, but sometimes I fall short. I tend to read one book every 2 weeks, and this covers different categories including self-help, autobiography, business, and cyber security, among many other categories. What I would advise new entrants to cyber security is to make sure to read different business books to complement your technical knowledge, because if you cannot translate your security knowledge to help the business, then it becomes useless.

So for this year, I have been reading the following books:

Non-Security Books

  • The Effective Executive
  • Fast Focus – Damon Zahariades
  • 80/20 Your Life – Damon Zahariades
  • Tools of Titans – Timothy Ferriss
  • 5 AM Club – Robin Sharma
  • The Art of Learning – Josh Waitzkin
  • Tribe of Mentors – Timothy Ferriss
  • Power – Jeffrey Pfeffer
  • The 4-hour Work Week (Audiobook) – Tim Ferriss
  • The 7 Habits of Highly Effective People – Stephen R. Covey
  • What Got You Here Won’t Get You There – Marshall Goldsmith

Security Books:

  • Certified Cloud Security Professional – CCSP
  • CCSK

To be continued

How to get into InfoSec Career

I have been asked this question many times: how can I get started or get into infosec / cyber security? My answer is: it depends 🙂

It depends on what path you want to travel to your destination – technical or non-technical.


I will start with the technical path. There are a couple of fields on the technical path, including penetration tester, application security SME, and sec ops, just to name a few.

For example, to be a pentester, you will need to have the basics in networking, operating systems (*nix, Windows, mobile), database, application, etc. This role needs breadth of knowledge in order to understand how the technology is made and operates, and then one can go deeper into a specific area of testing, e.g. application testing or infrastructure testing. So my advice for starting out or getting into this field is that one needs to get an understanding of the technologies mentioned, for starters.

In the next post, I will speak on the other technical path.