Podcast: Meet Three Qualified Security Assessors Who Successfully Completed the Council’s AQSA Mentorship Program and Advanced Their Professional Growth
Greetings to our podcast titled Coffee with the Council. I am Alicia Malone, the Senior Manager overseeing Public Relations at the PCI Security Standards Council. In this segment, we will introduce you to three Qualified Security Assessors, commonly known as QSAs. A QSA agency is an accredited data security company certified by the Council to conduct on-site evaluations to ensure a company’s adherence to the PCI Data Security Standard. This verification confirms the implementation of strong policies and procedures aimed at safeguarding cardholder data. The QSA Program is pivotal in promoting the adoption of PCI security standards.
In 2018, the Council launched the Associate QSA Program with the objective of attracting fresh talent to the QSA Program and alleviating the resource constraints faced by QSA entities. The Associate QSA Certification provides a structured career path for new entrants to the payment card industry, allowing them to gather experience and eventually qualify as QSAs.
Today, we dive into the stories of my three guests who transitioned successfully from AQSA to QSA roles. Our esteemed guests include Riona Mascarenhas, operating as a Senior Security Consultant at Coalfire; Kyle Kofsky, holding the position of Senior Associate at Schellman; and Stephanie Monday, serving as the Senior Manager of Security and Privacy at Protiviti. We are also pleased to welcome the Council’s Standards Trainer, Scott Chambers. Warm greetings to all.
Kyle Kofsky: Many thanks, delighted to be part of this.
Stephanie Monday: Thank you immensely.
Riona Mascarenhas: Thank you kindly, Alicia.
Alicia Malone: Riona, let’s kick things off with you. How did you first encounter the Associate QSA Program, and what motivated you to partake in it?
Riona Mascarenhas: Thank you for asking, Alicia. The AQSA Program was rolled out at Coalfire in May 2018, just under a year after my induction as an associate at the organization. The introduction of the AQSA Program filled me with delight as it fueled my progression into assuming more varied roles and responsibilities. Besides shadowing lead QSAs and playing a supportive role in our PCI projects, the AQSA initiative enabled me to head interview sessions under supervision, conduct site visits, and handle increased duties on allocated projects. This step contributed significantly to my comprehensive development and progress on the pathway to becoming a QSA.
Alicia Malone: That’s wonderful. A hearty welcome to you. Now, Kyle, how did you venture into the realm of payment security, and what spurred your interest in becoming an AQSA?
Kyle Kofsky: My journey seems more protracted in hindsight. Upon embarking on my career approximately four years back, fresh out of college, I commenced roles in the domain of IT audit and assurance, predominantly dealing with IT general controls to support financial audits for private and public clients. Gradually, I transitioned to working on SOC 1 and SOC 2 projects; however, amidst these assessments, the lack of diversity in subject matter, scope variability, and learning stimuli began to gnaw at me. A feeling persisted that I was not expanding my horizons or encountering novel processes, systems, or controls in my daily duties.
This realization prompted me to approach my manager seeking opportunities for more technically oriented tasks in alignment with my information systems and security educational background. Through discussions, my manager proposed exploring the QSA Program within our purview, particularly within the PCI domain. Subsequently, I engaged with the senior manager overseeing the PCI division to gain insights into the day-to-day responsibilities involved. This exposure allowed me to immerse myself in PCI assessments even before formally becoming a QSA, granting me a peek into the challenges and tasks inherent in the role. This initial experience swiftly piqued my interest, showcasing a rich variation in assessments spanning from point-of-sale systems to e-commerce platforms and diverse backend configurations of service providers – whether cloud-based or local hosting environments.
From scrutinizing new hire listings to delving into router configurations and iframe setups, the transition felt rewarding, resonating with my credentials and aspirations. Moreover, the opportunity to safeguard cardholder data, including that of my own and my family, while averting financial risks for individuals and entities left an indelible imprint on my decision to pursue AQSA accreditation, underscoring the holistic appeal of the role.
Alicia Malone: Your journey is indeed inspiring, Kyle. Many thanks for sharing your experiences. Now, Stephanie, what ignited your professional trajectory, and how did you familiarize yourself with the AQSA Program?
Stephanie Monday: My career narrative aligns closely with Kyle’s trajectory. Originating my professional tenure at Protiviti, my current firm, I entered the realm of technology and cyber risk assessment. While evaluating organizational risk concerning applications and third-party entities, I developed a hunger for deeper insights into the system components, technologies, and their interconnections to present a more nuanced risk narrative. I sought a more technical dimension to my professional undertakings.
Thus, I connected with a QSA within the firm who enlightened me on the nuances of PCI compliance and the role of a QSA. The nascent AQSA Program presented a structured pathway mirroring the full QSA training and responsibilities but with supportive guardrails fostering a conducive learning environment. Recognizing the potential for skill development and experiential immersion, I seized the opportunity to pursue AQSA certification, acknowledging that while lacking the requisite certifications for a QSA, the initiation through AQSA would furnish me with a robust foundation in the realm of PCI compliance.
themes within PCI and observing all the various components, the various kinds of SAQs, and the diverse forms of engagements or projects that one could be involved in. This exposure facilitates the acquisition of the aforementioned themes: grasping a client’s setting and all the complexities intertwined within it. As a result, I did proceed and, naturally, attained the position of an AQSA, and the journey has only progressed for the better.
Alicia Malone: Appreciations, Stephanie. As you mentioned your QSA guide, it aligns well with my next question to all of you. Hence, as a segment of the Associate QSA Initiative, a QSA guide is designated at your organization to provide guidance and assistance while you grasp the duties of a QSA. How was this journey and how did it influence your career progression? Riona, let’s kick off with you.
Riona Mascarenhas: Grateful, Alicia. The QSA mentoring, integral to the AQSA Initiative, significantly contributed to my overall evolution into a QSA. Collaborating with my supervisor as my AQSA mentor was phenomenal. As part of the AQSA Initiative, we had monthly and quarterly reviews to delve into the project engagement summarization documentation, maintained for each project. The summary encompassed comprehensive AQSA responsibilities, timelines, and feedback sourced from the lead QSAs on the projects. The thorough tasks and milestones aided in ensuring task ownership, and the feedback received was utilized to identify potential areas for growth and enhancement. Altogether, the AQSA Mentorship Initiative was immensely fruitful, propelling my transformation into a QSA.
Alicia Malone: Splendid. And what about you, Kyle?
Kyle Kofsky: Absolutely, I collaborated with several QSA guides over the past few years, stretching from the time before I even became an AQSA, my time as an AQSA, all the way to becoming a full QSA. So, even prior to being an AQSA, when I was shadowing and learning about PCI alongside QSAs, the hands-on exposure was remarkable. They treated me as if I were already an AQSA, readily dedicating their time to illustrate the practices and most importantly, the rationale behind my tasks. This understanding made me realize that QSAs genuinely care about cultivating a community. They aspire to witness others thrive within the community, finding fulfillment in their undertakings. Subsequently, this ethos continued into my AQSA tenure. Presently, as a full QSA, this mindset remains unaltered, in my opinion.
Alicia Malone: Acknowledged, Kyle. And what’s your take on this, Stephanie?
Stephanie Monday: In my viewpoint, having a QSA mentor proved exceedingly beneficial, especially with a plethora of other QSAs present within the firm. The abundance of knowledge available for consultation, alongside having my QSA mentor as a constant companion for over five or six years, with almost every PCI endeavor shared with the same mentor, has been invaluable. Initially, the mentor elucidated distinct aspects of PCI DSS or various subjects linked to PCI, highlighting the importance of grasping these concepts for future reference as a full QSA, taking into account the limitations as an AQSA.
This association also enabled tracking my career progression. Thus, when delving deeply into a specific technicality like point-to-point encryption during an engagement, we could reflect on areas that lacked my expertise. Consequently, it led to exploring novel projects for acquiring fresh knowledge and nurturing skills. Having a mentor who comprehends your present state, acknowledges your experiences, and motivates continuous learning and comprehension of diverse PCI concepts was immensely valuable, especially towards earning the QSA qualifications and transcending to the final leap.
Alicia Malone: As soon as an Associate QSA fulfills the QSA eligibility requisites, they are deemed qualified to apply to PCI SSC for QSA status. Kyle, how lengthy was this transition period and what transpired upon your autonomous transition to a QSA?
Kyle Kofsky: It took me slightly over a year to transition from AQSA to QSA. The progression felt swift, as I was immersed in myriad technologies, settings, and assessments during my AQSA tenure. Making the most of these opportunities and seeking diverse assessments or novel prospects aids in skill enhancement, expediting the journey towards QSA qualification.
As previously mentioned, my prior QSA mentors remain my mentors presently. They encouraged me throughout my CISA and CISSP examinations. This support ultimately propelled me towards becoming a full QSA after the CISSP exam. Since attaining QSA status, the learning mindset instilled during mentorship persists. Continuously seeking avenues to enhance my understanding of technologies, processes, and assessment methodologies fuels ongoing development and improvement.
Alicia Malone: Admirable, Kyle. I concur that in this domain, continuous learning is fundamental with an ever-expanding knowledge spectrum awaiting exploration. Riona, what stood out as the most valuable facet of the AQSA to QSA Initiative for you? How did this program leverage your career progression?
Riona Mascarenhas: Initiating my journey at Coalfire as an associate subsequent to my computer science master’s program, the AQSA Initiative instilled confidence and paved the way towards my cybersecurity profession. Being an AQSA empowered me to actively contribute to multiple PCI engagements across diverse clients. Elements like AQSA mentorship and specialized training fortified my QSA potential. Upon meeting certification prerequisites, transition to a QSA role was seamless. Grateful for the AQSA Initiative’s role in my Coalfire journey towards becoming a QSA. In my existing Coalfire role, guiding and supporting non-QSAs affirms the exceptional effectiveness of the AQSA Initiative in honing essential skills requisite for a remarkable QSA. Proud to serve as a QSA at Coalfire and eager to mentor and bolster the AQSA Initiative to the utmost.
Alicia Malone: Admirable how you’ve paid it forward by taking up a mentoring role, showcasing the value of mentorship in the program. Stephanie, what guidance did you receive during your program expedition and what counsel would you extend to individuals aspiring to become a QSA?
Stephanie Monday: Indeed. One of the most valuable pieces of guidance I received during my time as an AQSA was to maintain the momentum. I highly recommend any other AQSA who may not already possess one of the two necessary certifications required to become a QSA to heed the same advice. It is crucial to always be progressing forward. Do not hesitate to procure the materials for certification, set a date for the exam, and create a timeline and schedule for your study sessions. Once you achieve the initial certification, immediately move on to the next one, charting out a plan for your progress and how you will tackle the next certification. With the demands of work and life only increasing, motivating yourself to persist is key to advancing towards QSA status and fulfilling all the necessary criteria.
Likewise, I would offer similar advice to other AQSAs seeking to transition or ascend: continue to absorb knowledge like a sponge. This principle is broadly applicable to various professions, but particularly within PCI, the mindset of embracing change and adaptability is critical. As you, Alicia, and Kyle mentioned, the realm of PCI is vast and ever-evolving, much like the technology landscape we engage with daily. Therefore, challenge yourself to comprehend these concepts, recognizing that the landscape you are navigating today could transform entirely by the following year. Embrace the notion that as things evolve, your learning and personal growth deepen, positioning you well in your career as a QSA.
Alicia Malone: Stephanie, your insights resonate with the dynamic nature of our industry, which is in a perpetual state of flux. Maintaining your skill set and embracing ongoing learning is indispensable in this environment. Thank you all for sharing your valuable perspectives on the Program, and congratulations on your successful transition from AQSA to QSA.
We are now joined by Scott Chambers, our esteemed Standards Trainer, to shed more light on the AQSA and QSA training Programs offered by the Council.
Scott Chambers: Certainly. I’d like to begin by highlighting that the training provided to AQSAs by the PCI SSC as part of their qualification process is identical to that undergone by QSA candidates. They even undergo the same examination. Why do I mention this? Well, it initially surprises many when we disclose this fact. However, upon reflection, it becomes evident that it is entirely logical. As these AQSAs will ultimately be involved in conducting real-world assessments, they require the same foundational knowledge that we expect from any other assessors.
The qualification training for QSAs and AQSAs is delivered through a hybrid approach, involving a series of computer-based modules that students must complete, followed by a brief test to confirm their grasp of essential payment security principles. Upon achieving this introductory level of knowledge, they delve deeper into PCI DSS and the technical aspects linked to those requirements before attending an instructor-led session conducted by myself or one of my colleagues in the training team. These interactive sessions are incredibly enriching. Working in collaboration with students during these live events is a delight for us trainers. It provides them with the opportunity to pose queries, gain clarifications, and also fosters networking among peers, enabling the sharing of insights and experiences. Moreover, it is not uncommon for us trainers to glean new insights from these discussions.
Moreover, for aspiring assessors out there, we now offer these instructor-led sessions both online and in-person, furnishing a level of flexibility to cater to diverse preferences.
Upon completing the modular training that constitutes the curriculum, candidates sit for the final qualification exam. Upon successful completion, they attain the status of qualified and listed assessors. Yet, educational opportunities do not culminate there. As AQSAs progress towards QSA status, they are required to continuously enhance their competencies and knowledge. Furthermore, they must annually demonstrate their accomplishments by logging Continuing Professional Education hours. To support them in these endeavors, the Council has developed a plethora of educational resources accessible to all assessors. These resources encompass an array of ongoing resources available through our online resource center, housing a comprehensive archive of our current and past assessor newsletters, webinars, and revisitable training modules. Additionally, our recent addition, the online Global Content Library, offers on-demand recordings of presentations and informational videos produced over the years.
Similarly, our PCI Perspectives blog is open for anyone seeking insights into the payment landscape. Additionally, we conduct in-person events and knowledge training classes covering various PCI standards throughout the year.
One could argue that the training and learning opportunities for AQSAs and QSAs are perpetual. The exam taken by assessor candidates following the course is merely the inception of a broader journey.
Alicia Malone: Given the prevailing shortage of cybersecurity talent, QSA companies encountered challenges in finding suitable new assessors. The Associate QSA Certification Program is designed to introduce new cyber talent to the QSA Program. In your experience, have you observed significant successes in its capability to achieve this goal? Any particular success stories that have left an indelible mark on you?
Scott Chambers: Upon joining the PCI SSC in 2017, just before the launch of the AQSA Program, I had firsthand experience of the skills shortage in the industry. The scarcity of experienced talent posed a significant issue, leading to elevated costs industry-wide, driven by supply constraints. However, this inflationary trend did not address the underlying challenge – the limited pool of experienced talent available.
Subsequently, with the advent of the AQSA Program and the avenue to tap into new talent pools, we discerned a pool of inexperienced yet highly skilled individuals. For instance, recent graduates specializing in cyber or information security, software engineering, and various IT-related disciplines who possessed up-to-date knowledge in these areas but lacked practical industry exposure and the requisite certifications to fulfill our QSA qualification criteria. Many certifications mandated for QSAs, in addition to our own experience prerequisites, necessitate a substantial industry tenure. This posed a conundrum for these talented individuals: how to gain experience if they couldn’t secure employment due to the lack thereof? It created a ‘chicken-and-egg’ situation. There existed immense latent talent out there that we should be fostering and hopefully retaining within the payment security sector. And fundamentally, that’s the essence of the AQSA Program.
When people inquire, I often liken it to an apprenticeship initiative, bringing in those standout individuals who do not yet meet our prerequisites to be a QSA. However, with the right blend of hands-on training and structured guidance, they can expand their expertise and understanding out in the field to become valuable assets within the PCI community, eventually evolving into the next wave of QSAs. Personally, I truly believe it’s a fantastic program. It presents a priceless opportunity for the candidates, the existing QSAs, their employers, and ultimately, the broader payments and cybersecurity sectors. Since the introduction of the AQSA Program, I have been involved as a trainer, and I have had the privilege of instructing numerous AQSAs undergoing the Program. I can genuinely say that I am consistently impressed by their depth of knowledge, the insightful inquiries they pose, as well as their evident passion for the industry.
Having AQSAs in the class is always a pleasure. There are indeed several AQSA candidates who stand out in my memory for all the right reasons, individuals whom I strongly believe have promising futures in the industry. As a matter of fact, in preparation for this interview, I specifically requested some statistics, which I believe speak volumes. Since the inception of the AQSA Program in mid-2018, we have witnessed 173 AQSAs successfully transitioning to become QSAs so far, with many more in the pipeline. That equates to 173 highly skilled and certified professionals that might not have been part of our industry landscape had it not been for the existence of the AQSA Program and the pathway it offers.
Alicia Malone: Scott, that is truly an impressive figure, and I’m delighted to see that the Program has been a resounding success. This is encouraging news because I believe it will significantly boost the enrollment in the QSA Program. For any of our listeners keen on becoming a QSA, where should they initiate this journey? What would be the recommended next steps, in your opinion?
Scott Chambers: That’s a pertinent question. Where to start? If someone out there is keen to delve deeper, I suggest visiting our website and downloading our QSA Program Guide and Qualification Requirements documents. Delving into those documents will offer further insights into the prerequisites for becoming an AQSA. Additionally, while browsing the website, take a look at the listings of Qualified Security Assessors available, as we indicate against each QSA company whether they provide AQSA mentorship. Identify those in your vicinity that do and submit your CV. If our intrigued listener is already employed by a QSA company, even in a non-assessor capacity, check if your organization offers AQSA mentorship and express your interest. Also, keep an eye on industry job postings. There are numerous job boards out there, and you might chance upon an advertisement for an AQSA position. Furthermore, the PCI SSC operates a job board, where AQSA positions might pop up occasionally too. In essence, my advice to anyone aspiring to break into this sector is simple: put in the groundwork, explore the possibilities, and if the right opportunity isn’t immediately apparent, keep knocking on doors and persist.
Alicia Malone: Thank you immensely, Scott. Your depth of knowledge is commendable, and we’re thrilled to have had you with us today. I extend gratitude to all our attendees for joining us on Coffee with the Council today and for imparting your unique perspectives on our training initiatives. It has been a pleasure to listen to your success narratives.
Stephanie Monday: Many thanks.
Kyle Kofsky: Delighted to be part of this. Thank you.
Riona Mascarenhas: Thank you wholeheartedly, Alicia. A big thank you to the Council for granting us this fantastic opportunity to be here and represent all the AQSAs while discussing more about the AQSA Program. It was truly a wonderful experience, and I wish all the AQSAs the very best.
If you enjoyed what you heard, subscribe to PCI SSC’s “Coffee with the Council” podcast on various platforms including Apple Podcasts, Spotify, Amazon Music, Anchor, Castbox, Google Podcasts, iHeartRadio, Pocket Casts, RadioPublic, Stitcher, Audible, Overcast, or Pandora.