Forging a career in cybersecurity is like building a house. Starting with a solid foundation makes it easier to build the layers on top. Now that I am a client-facing consultant performing ISO 27001 gap analysis and internal audits, it’s clear to me how my previous role in application support gave me a grounding in key elements of security.
Having this technical background under my belt prior to moving into cybersecurity was a big plus for me. It made me more confident in knowing what exactly I should look for when conducting an audit for a client. It also reinforced the importance of seeing evidence of an action being done.
My time with Hewlett-Packard Enterprise (HPE) taught me the fundamentals of computers and the basics in computer security to progress into my current consultant role. Having been a support manager for a major application that more than 8,000 engineers used, I quickly learned the importance of segregating environments. I helped to secure and improve development, testing, staging and production environments. I worked on solving issues such as capacity management, server access, allocating appropriate resources and stability issues.
In fact, many of my duties directly corresponded to a specific section of the ISO 27001 security standard. After investigating environment stability, I needed to order more resources to balance development and staging environments with the testing environment servers in the VMs (A.12.1 of ISO 27001, which covers capacity management). Later, as the environments’ workload increased, I spec’d out and ordered more servers (A.14, covering system acquisition, development and maintenance).
All told, I gained experience in a broad range of areas, such as A.14.2 (security in development and support processes), A.13.1 (network security management), A.13.2 (information transfer), A.12.4 (logging and monitoring), and A.9.2 (user access management).
Applying experience to cybersecurity
Many people think of cybersecurity and think it’s all “IT” and “computers” – which was true for my desk-based job. However, as a consultant, it is abundantly clear we look for much more. It starts as soon as I walk through the client’s office door. Is someone manning the reception area when I arrive, or does someone escort me and tell me where to go? (Sometimes I ask to use a bathroom before meeting a client. Many times, someone told me where to go and I happily sauntered through the offices unescorted.)
Now, I’m looking out for weaknesses in physical security: a fire door left open, when the fire extinguishers were last serviced, an unlocked device with nobody standing at it, the all-too-familiar Post-it note with a username and password stuck to the side of the monitor or desk.
I spent my time before BH Consulting trying to get the prerequisites I would need to work in cybersecurity. Once I started working in the field, I realised how much of my knowledge I could easily apply. The nature of the work means constant change and the opportunity to keep building on that knowledge.