25Minutes: Insights. Expertise. Impact.

3 - Lionel Hapi Modje: Know your business goal to define your security objective, CISSP, CISM, CISA

What if the key to cybersecurity success isn’t just technical skills - but understanding the business itself? In this insightful episode, we talk to Lionel, a seasoned Senior Information Security Officer, to explore his journey in IT and cybersecurity. He shares how his initial misconceptions about certifications evolved, leading him to pursue industry-recognized certifications like CISSP, CISM, CISA and multiple Microsoft certifications to bridge professional gaps. From building a comprehensive vulnerability management system to advocating for structured security processes, Lionel reflects on key career milestones that shaped his expertise. He emphasizes that true cybersecurity excellence goes beyond certifications - hands-on experience, networking and mentorship are essential for growth. One of the most powerful takeaways from this conversation? "If you know the business objective, you know the security objective." Lionel explains why understanding business goals is the key to building an effective and resilient cybersecurity strategy. Whether you're an aspiring security professional or a seasoned leader, this episode will shift the way you think about cybersecurity.

Our Guest:

Lionel LinkedIn: https://www.linkedin.com/in/lionel-hapi-modje-33641ba4/

Lionel's typical workday: https://www.linkedin.com/posts/organisation-und-informatik-stadt-z%C3%BCrich_digitaleszaesrichmitgestalten-itjobs-berufsvielfalt-activity-7290730494382489600-WG1i/?utm_source=share&utm_medium=member_desktop&rcm=ACoAACONqncBzTmT1rca3ilVhifkpHXUs9QkM_4

25 Minutes Podcast

Hosted by: Eliel Mulumba

Audio editing & mastering: Michael Lauderez

Join the conversation on LinkedIn: www.linkedin.com/in/eliel-mulumba-133919147


Lionel. Welcome to 25 Minutes. Lionel, you are a senior information security officer with more than 10 years of experience. You worked in the insurance, financial institutions, but also in the public sector industry. I mean, you have done all possible cybersecurity certifications we can think about.

CISSP, CISM, CISA, ISO 27001 Lead Auditor. And you are, you have multiple Microsoft certifications as well. It's a pleasure to have you here on our show. Welcome.

Thank you very much Eliel, to have me on your show.

Excellent. Thank you very much. I mean, Lionel, thinking a couple of years back, would you have imagined to have all those certifications today in 2025 when you started your IT and later also your cybersecurity journey?

Hey, answer for this question is a clear no. Why? Because back then I thought, um, it's enough to have a degree like a bachelor or master degree. I have a master's degree in cyber security and I thought maybe from time to time I can learn new thing, but I never wanted to have as many certifications that I have right now.

And I mean, what was the motivation for you to all those certifications? I mean, it's massive. I mean, these are all the certifications that recruiters are asking nowadays on the market.

Yeah, this is an interesting question. So how did I start with the certification? At the point in my career, I was realizing that I'm not moving forward the way I want. So I wanted to close all the gaps I had. And I also wanted to have like a certification that shows that the knowledge I assume, I tell I'm having, that I really have them.

So, like I said, I wanted to close the gap. There are many, there were many things where I, I felt like these are really relevant for the industry. These are really relevant for me to be a better information security expert. So then this is how I started to identify the things I have to learn, the things I have to put more effort in.

And yeah, it's also a good thing to have a certification at the end because you are more attractive for, uh, the industry for the employee, you know, so it's a win win.

Absolutely. And I mean, if you're looking a bit back through your entire career in IT, but also in cybersecurity, what are maybe the three, four key milestones that you are most proud of? to all the certifications that you have collected, of course.

I would think about

I built a comprehensive vulnerability management once because I was working in an industry with many people. We were trying to assess vulnerability, remediate the problem, et cetera. But there was not a real, a good governance to all this. I spent some time observing the things, the processes, the things, what people were doing, like the security engineer and so on.

Going from the bottom to the top, that means identifying every step in this vulnerability management. And at the end, I was able to build like a governance for this vulnerability management. I was able to implement a structural process for continuous vulnerability scanning, assessment and remediation.

So this framework ensured that potential weaknesses were identified promptly and addressed systematically, reducing our overall risk exposure.

Wow. I mean, I can't imagine that the stakeholders have been quite with the results that you have achieved at the end of the day, because this is for sure putting into a situation where they can anticipate where vulnerabilities exist with regards to the asset inventory and where they need to apply the right cybersecurity measures. an excellent story. Thank you for sharing that. Is there something else that you would also think about that you're very proud of if you're looking back at your career? I mean, you have more than 10 years of experience in cybersecurity.

So there are a lot of things I can talk about, but most of the time I've been proud when I enter a team or where I enter a, a, a, like a company or a role where things were not. We didn't have a proper structure, where things were a little bit chaotic or where things were at the beginning.

hmm.

Every time I can enter such a role,

Mm hmm.

be at the beginning of, of, of, of, of all the work, of all the, the project that we have, putting a structure in it because it's, I think it's really important in the information security world or in the, in the work world.

Mm hmm.

to put structure into things. And this is something that always make me proud.

Mm hmm.

If I can automate things, processes, if I can put good process, structural processes in place. So this is something I always. I always enjoy, I always see as like a milestone, a highlight in my career.

Yeah. And I can feel the passion that is actually also coming through my microphone that you have for those topics. I think it's one of the most important steps to also have a passion for cybersecurity, a passion to improve the cybersecurity posture of organizations, helping in identifying gaps, and also helping companies actually to defend themselves in the best possible way against cyber attacks. I would like to come back a bit on your career track. If I'm not mistaken, you initially started as a programmer. You were heavily involved in network operations, where you also have done a lot of vulnerability assessments and remediations. You have now shifted more to a conceptual role, where you're actually setting up governance, frameworks, policies, across many, many industries, right now in the public sector. Can you tell us a bit more about your motivation to shift more from a technical role to a conceptual role?

Okay, maybe we should start above we should start on back then when I moved to general IT to IT security or information security. So, as you said I used to be a programmer, a web developer.

Mm

And then I also used to be, uh, to use Linux as well, you know, to install the web server and so on.

hmm. Mm hmm.

And I realized every time that I had to update component, I had to do this and that because of the security.

So, so what made me shift from broad IT, like programming, et cetera, to the security, first of all. And then when I started with security, I started to use server to implement PKI infrastructure to be sure that the security and infrastructure was a guarantee. And after this, I started to look for a structure, to look for a guidance, a guidance to know how and where, where I should start to make things more secure.

Not just being like a security engineer who does his work the right way, but being also somebody who follows rules. And this is how I started to look at standard like the NIST,

hmm. Mm

the NIST standard, the ISO standard, and so on. And I wanted to be one of these guys doing conception, writing policies, help other people.

To know where they can start and what they are, they want to achieve in the information security world. So this is how, um, the transformation from like a programmer or a guy in the network security, in the web security and so on, started to a guy who is more in the conceptional field.

Yeah, I mean, great. And I was wondering, how does it help you today? When you're working on several projects with different stakeholders to having done the shift from a technical role now to a conceptual role.

Okay. First of all, first of all, I will say I'm not only in the conceptual role. Now I'm mostly in the conceptual role, but I keep a foot in the technical role because from my experience and from the new experience, the new certification I get, it helped me to be able to be the person between the senior management and the technical people.

So I understand both needs. I can talk to the senior management. I know I understand the business objective. And from this business objective, I can derive the security objective. And do the conceptional work and once I've done this, I can talk to the technician people, to the security engineer, et cetera, in their language so that they understand me and so that I understand them because it's really it's really prevalent, it's really important to understand them first and then I can help them achieve our business objective.

You know, this is how my knowledge in the technical world helped me a lot right now.

And I mean, you just mentioned senior management is really focusing on business objectives, also value driven, which means revenue. They're looking at things from a different perspective. Engineers maybe want to have the newest tools, the greatest automation, which can be quite expensive, but where executives don't understand the return on invest. And I would be curious to understand how do you translate both needs to each other? Are there some tips and tricks that you can share with us?

Yes. Yes. Needs from the senior management to technical. So when I know the business objective of the senior management, and as I said before, I can establish the security objectives from this business objective. Once I have the security objective, I just look at the goal. The goal is the security objective. And I identify the gap. So I identify where we are right now. And where do you want to go? We want to achieve this security objective to achieve this business objective. So having this gap, I derive components, like small things that are really important to achieve this goal.

For example, let's say we are working in the finance industry at the bank. Or no, let's say we are working at the hospital. We are in the hospital field. The data of the patients, they need to be protected. They need, when they are saved somewhere in the database, they need to be encrypted. So this is one of these small security objectives being part of this gap that I will define.

And once I have this, you know, this is something I can tell to the technical guy, like, I want you to encrypt the data. This is something clear for them, you know. So the whole business objective will be to have a, an hospital that care of the person, you know, the, the, the one, the person to be sure that their data are protected, that the, the regulation requirement met achieve, you know, so out of this, I have defined something like encrypting data.

And I have also written a policy. Let's say the data should be encrypted, um, state of the art like with the best encryption protocols. It's what I'm giving at the end to the technical guy and then they understand what they have to do. So I don't know if my example was clear enough for you to understand it.

It was very clear. I mean, you mentioned that the business objectives are key and we need to make sure that our security objectives are supporting business operations and the needs that the business has. So thank you very much for elaborating on that. That was a great example. I'm just thinking about the younger Lionel. If you're just looking 12, 13, 14 years ago, what would you do differently if you would start your career again? This can maybe also be an advice for someone in a similar position as you have been 13 years ago and just embarking into the cyber security and IT journey.

This is also a really interesting question. What would I do? Like you said 12 years ago, right?

Mm hmm.

Okay. First of all, I will prioritize networking and mentorship because you mentioned before that I've done a lot of cyber security certification. You said also that what made me change like from the from a programmer to information security and so on. This is a long way where I was also looking myself for what do I want and how can I achieve this.

Unfortunately, me growing up in Cameroon, I mean, it was nice to grow up in Cameroon, but I mean, unfortunately, when I came to Europe, I didn't have a mentor. I didn't have somebody telling me what to do in my field. Like I had brothers and cousin and friend, et cetera, but nobody in my field, in the field that I wanted to do like in the IT field and information security field.

So, uh, to read books. I had to try to understand things by myself. I had to do much research. I have to try and failed as well. So, but I didn't really look for a mentorship

Mm

and something I regret. If I could do things differently, I would start looking for mentorship and also prioritize networking.

hmm. Mm hmm. And if you're talking about mentorship, what is the kind of guidance that you would expect from a mentor. Can you give us a couple of examples that might have helped you in your early career days?

For example back then

Mm hmm.

I was I, I started to to study electric technique,

Mm hmm.

but my goals was to to, to be in the I. T. You know,

hmm.

and back then. Okay. Okay. You need to cut this because I just, I just, okay. Can you repeat the question please?

Of course. So my question, and I also need to think about how I have asked you actually the question a minute earlier, my question was when it comes to mentorship, what are the expectations that you would have towards a mentor and that would have helped you to make a difference when you started your career journey?

Mm-hmm

Yes. I just needed somebody I can talk to and tell what I like, tell him what I would like to achieve and how, and, and, and I was expecting the person to help me to concept a plan to achieve my goals, because let's say you are a father, for example, a father and you have a wife, you know, let's say I come, I'm, I'm single and I want to build a family as well like you.

Mm-hmm

So if I come to you, you could advise me because this is something you have done, you know, me as a single person, I can just imagine how to do it. I can read books about it and so on. But I will never have the same experience that you have because you have actually built a family. So you can tell me, okay, look, Lionel, what a family needs is stability.

For example, emotional stability, financial stability. So make sure you make money, make sure you are emotionally stable.

Mm-hmm

Make sure you are in an environment where you want to raise your children. Make sure you can make your wife happy, you know, these are things that maybe they are straightforward, but when you, uh, they are easy to know, but when you heard it from a mentor, you know, this is the way and you are not distracted.

You just go that way. And yeah, I think it saves a lot of time.

Absolutely.

you.

I understand where you're trying to go and I think we should now lead by example. Yeah, let's imagine that you are a mentor, we're speaking to cyber security individuals that are embarking on their journey right now. We have been discussing a lot about your certifications. You have a great portfolio of certifications that you have collected over time. Tell us a bit more about the sequence. So with which certification did you actually start? Would you recommend people to do the same certifications that you have also done? Is it worth, if you're looking at your market situation right now, I would be happy to hear a bit more about that. Mm-hmm

Okay. If somebody wants to, um, to, to be good in cyber security from my experience, from some, someone having more than 10 years experience in the cyber security field,

Mm-hmm

the first thing I will say that it's really important is the hands-on experience, not the certification. I have certification. I'm still renewing my certification and doing new certification, but having certification without hands-on experience is not the perfect thing to do.

Mm-hmm

So if somebody wants to make certification, I will recommend the person first of all, to identify where he wants to go,

Mm-hmm

what this person wants to achieve

Mm-hmm

in the cyber security world. Before you start with cyber security, you need to have a strong basic knowledge in IT generally. So if a person has this IT knowledge, then yeah, depending on the trends, some people want to be in the OT field like you. Some people want to be in the cloud security field. Some people want to be in the DevSecOps field. Depending on what the person wants to achieve, I will recommend something else.

You know, me personally. My goal was always to be near to the senior management. And help or influence the senior management to build a security strategy for companies and institutions. That's why I try to address a broad field. Security, AI, everything, emerging technology.

Mm-hmm.

How did I start? I started with cloud security.

Mm-hmm. Mm-hmm.

Like understanding how Azure works, AWS, Google. When you understand one of the three, then all of them are similar.

Mm-hmm.

I started also to understand what does it mean, shared responsibility, because being in the cloud, we talk about shared responsibility a lot. It's not like back then when all your infrastructure is on premise. Now, depending on if you have a SaaS, a PaaS, an IaaS, there

Mm-hmm.

is, there are different responsibilities.

So I started the CC with the from CSA, the, the, the certification there, and have the cloud knowledge, general cloud knowledge, and then you can be also an auditor in the cloud, uh, field. So this gave me like a good, a good entrance, like a door to enter the cloud security world and being able to mix it with my knowledge in Azure in other rules and Google Cloud.

I could understand more. What are the requirement? The cloud security world? What is the cloud?

Mhm. Mhm.

I could also use my experience, my hands-on experience, to apply what I've learned in my certification.

Mhm.

So then I also switched to Azure. You see, I have seven certifications in the Azure world.

Wow. That's amazing.

Yeah, thank you. From the beginning from, from the, from normal certification, like entry level until expert level.

Why? My goal was never to be an Azure engineer, Azure security engineer, but. You know, in most of the company nowadays, the usage of, you know, the usage of many company use, uh, AWS, Google, and so on as well.

Absolutely.

But.

I think the market share is divided. I mean, the entire cloud market is divided between Google, Amazon, and Azure for Microsoft. Yeah.

Exactly. But I have to decide because I'm not God, you know, I'm not Einstein. I need to, okay, not, I don't mean Einstein is God, but I'm not, you know, I'm not like a robot, you know, I don't have the Nvidia chip in my head. So I need to, I needed to, to make up my mind and choose just one. Then I choose Azure because most of us are using Microsoft at work.

Most of us, we have Microsoft listings, et cetera, and many projects are built in Microsoft. You, we observe the digitalization right now, Power App, Power Platform, Power Automate. And so many things are built on Azure, so it was really important for me to understand it so that right now when I have a project where I have to write a security conception, I know what the engineer talking about, and then I can talk to them.

Also, we can speak the same language. We know what the S3 bucket, for example, we know how to secure it, you know, and this is the reason why I decided to do this certification in Azure. Talking, um, about other certification like the CISA, in my current role, um, also like a security compliant guy coordinating many audit, like pen testing, IS audit and so on.

So it's really important to know, how do you do that? How do professional do that? You know. Well, how do you do that? And then having your hands on experience and deciding how can you implement what you have learned from certification in the real world, or maybe there are many things that I don't use as well because they are not practicable, you know, um, that's why I made this.

I did also CISSP. I did CISM and so on, just to have like a broader look, a broader knowledge about many things. And this knowledge is the thing that helped me a lot right now. You know, having certification without hands-on experience is not a good thing to do. It's really good to have both.

Absolutely. And I have to

Now, I don't even know what the question was.

No, that's all good. And Lionel, I would like to thank you again for having been a guest on our show. It was really amazing to learn from your experiences, to learn from your career path and also learning a bit from your decisions. I hope that we will have the pleasure to meet you again at another occasion.

Thank you so much for being there.

Thank you very much. 
