Leaving University and commencing a Graduate Programme, Tony started his career in technology as a Network Engineer working hands-on with Cisco switches, routers and networking appliances for some of their managed services customers. When Tony started working with firewalls for one of his customers, he started to play around with some of the commands and did a bit of investigating into the potential of the device.
“I really enjoyed going from configuring everything wide open, to being really prescriptive in terms of well, this department needs something from here to go to here on these ports for this application. And I found that really enjoyable.”
This initial dabbling into firewalls turned into a lifelong passion for Tony, a passion which followed him from Australia to Singapore where he spent some time building firewall channels and security infrastructure for a global bank. After six years in a banking environment, Tony joined a cyber security vendor where he worked on the front lines of incident response.
“Threat intelligence, incident response, nation state attackers, malware reverse engineering, and working with all of those teams and taking that information to customers and educating them and helping them stay safe against these attacks.”
In his last couple of roles, Tony has moved into CTO/CISO advisor roles that have seen him take a step back from the keyboard and move more towards business discussions with CEOs and CI(S)Os about what this technology means from a business perspective.
In today’s climate, the security sector is undergoing a number of changes and is growing at an incredible rate. While the demand for employees is present, there are a number of roles that are struggling to find suitable applicants. This is, in part, owing to the security skills gap – when individuals working in or applying for roles lack particular skills necessary for those roles.
Although this is true, long laundry lists of skills and qualifications often seem impenetrable for new candidates entering the security space.
“Quite often, what’s asked of potential candidates is almost like a laundry list of every single thing that someone could possibly have. And you’re really not going to get anyone with all of the above. It’s almost like looking for a unicorn.”
The classic example that comes up time and time again is that entry level security role job descriptions ask for things like a CISSP certification, which requires you to have worked in the industry for five years – if you already had five years’ experience, it’s unlikely that you’d be looking for an entry level role.
Tony believes that the key to moving past this is more openness to exploring what people have to offer outside of qualifications and certificates.
“You’ve got to think about soft skills, and the diverse experiences they bring from previous roles or studies. And it’s not just specific certifications, or keywords on a CV or a JD that you’d like to be looking at. It’s really looking at the person and what they’re capable of learning and bringing, not just now, but over the long term.”
The good news is that progress is being made in key areas across the security space. Tony is seeing an increasing number of decisions being made with inclusivity at the core of the decision making. More can be done, however, in helping people understand the potential of a career in security.
“What do the career paths look like? What skills do you need? How do you go about getting those skills? What sort of learning paths are available? Are they online courses? Are they certifications, are they hacking exercises? We need to clearly explain all of this.”
Despite security seemingly being all about the technology, careers in security aren’t all technical – a point Tony is keen to share.
“Yes, you’re working with technology. But what else are you doing? You’re helping businesses facing specific challenges going through a digital transformation. It’s really about the business and the people as well as the technology. And if you can understand that, you’re going to be able to communicate these things a whole lot better and break down barriers and help a business reach its objectives.”
With Tony shining a light on the importance of softer skills, we wanted to talk to him about the ones he believes are particularly important in a cyber security career. First up was curiosity.
“Cyber security doesn’t exist in a vacuum. You’re securing cloud, you’re securing IoT. So you’ve got to be curious and want to understand how these things actually work before you can think about making it safe. You’ve got to be open to embracing new things.”
In cyber security you’re dealing with ever-evolving threats, dangers and solutions. It makes sense, therefore, that another key soft skill for a cyber security professional is passion for the craft.
“Some people want to be able to ramp up on one thing and get really good at that one thing for a number of years. That is not an option in cyber security which is changing day to day. It’s constant learning but it’s fun. You need to be the kind of person who naturally gravitates towards wanting to learn new things, seeking out online resources and learning from the experience of other professionals.”
Security is now being discussed at every level, from server rooms to the board room. Increasingly, cyber security professionals are required to think big and consider how the dangers and required solutions impact wider business goals.
“We all love talking about technology, that’s what we talk about around the watercooler. But you’ve also got to understand that there’s a bigger picture at play. You’ve got to look at it holistically. It’s about people, it’s about the business. And if you can’t relate what you’re doing hands-on-keyboard to how it’s helping the business, or how it’s interacting with people, then you aren’t connecting those dots which really do need to be connected.”
For Tony, the biggest shift he’s seeing now is in the mindset of many of the businesses he’s talking with. Instead of focusing so much time and energy on securing a physical space, more time is being spent on securing the users and the information.
“Those users can be using different devices in different places The information can be anywhere. It can be at rest, it can be in motion, and trying to focus on that will really help us because, even before COVID-19, you could be working from a coffee shop on the other side of the world, or an airport lounge, a hotel, whatever. And you’ve got to be looking at the data. If you can embed security into the document or the spreadsheet you’re working on, for example, it doesn’t matter where that goes after it’s been created. You can follow it, you can make sure that it’s being compliant with the policies that you’re setting forth. And I think that’s really where we need to be going. There’s a lot that’s being done in that area, and there are some companies that are really taking it to the next level, and they’ve got it all sorted out. But for a lot of us, it’s a perspective shift first.”
