Career Path Series - Security Assessment
Cybersecurity as we know it today has many subdomains, but a lot of people tend to focus on a very few (penetration testing and its variants). While that is interesting, there are so many opportunities in other subdomains. It is for this reason that Mosimiolu, a senior cybersecurity consultant and a member of the NaijaSecForce, interviewed prominent Nigerian cybersecurity professionals in various security domains. First in our series is security assessment.
Security assessments are periodic exercises that test your organization’s security preparedness. They include checks for vulnerabilities in your IT systems and business processes, as well as recommending steps to lower the risk of future attacks. Security assessments are also useful for keeping your systems and policies up to date. They also identify, assess, and help implement key security controls.
Do enjoy the interviews.
Precious Silas is a technology advisor in a professional services firm. Her line of service focuses on helping organizations perform security assessments and reviews across various platforms, as well as helping them align their IT and security practices with key industry standards, amongst other functions. When she’s not busy developing her cyber security wings, she is either trying out new cooking recipes, helping with kids’ work in church or spending quality time with family and friends.
What attracted you to this career path?
It’s literally my love for keeping things safe 😊. I have found that to keep your stuff safe, you need to understand possible ways by which it may be broken, tampered with, altered or outrightly taken. And that’s really my view of information security. Throughout my university days studying computer engineering, I always wondered what aspect of technology I was truly interested in. I picked up an interest in networking but soon got bored ☹. One of the courses in my final year of university had been Network Security. I later took a course during my NYSC year to explore this interest. Let’s just say I got hooked from then 😊. As the days go by, I’ve seen more reasons why I’m in the right career for me.
How has your first few years in Security Assessments been for you?
It has been a huge learning curve. Thanks to the evolving nature of the Information Security space, there has been a lot to keep up with. It tends to get overwhelming sometimes, trying to figure out my exact area of interest and future specialization. Over time, I’ve learnt to be open to exploring and working within all the areas that my job exposes me to. Hopefully, I’ll find my exact interest soon. For now, I’m just happy exploring.
What would you wish someone had told you before going into this field?
I am thankful for the path that has led me here; however, I wish I had known about Information Security before beginning my undergraduate studies. I also wish someone had emphasized the importance of building networks and learning from people who have gone ahead of me.
What would be an important piece of advice for someone who is considering going into your career path?
Be passionate and believe in your capabilities to do anything. One word from a mentor that kept me going at the beginning of my journey is: ‘Impossible is nothing’. You can excel in this field if you put your mind to it.
What advice would you give prior to getting a job in this field?
Be open and ready to learn. Develop yourself and research relevant resources. If you can, seek an internship opportunity to gain practical experience on some of the areas of the field. Build networks with individuals in the field; people with similar goals as you.
Do you have a mentor?
Yes, I do. I find that having a mentor is quite helpful. You have someone who has started their career just like you and is able to provide support and clarity on grey areas. It just helps to know that someone else has walked the path you’re on and is succeeding at it. I also look for people who have made it where I am trying to go. I study their journeys and use their lessons as an inspiration to create my own path.
Chinedu is an information security specialist with strong expertise in threat intelligence, red teaming and incident response. He has performed numerous IT audits and security assessments and is experienced in handling information security challenges across various multi-national organisations, identifying critical areas of risk exposure and adequately mitigating them.
What attracted you to this career path?
I started off in IT trying to learn networking, self-studied for courses like Cisco’s CCNA and CCNP, and at that time I had no plans for security assessments. After achieving the CCNP, I was studying for the CCIE when I stumbled on some videos from SecurityTube.net, teaching about some tools and techniques for bypassing security.
I did some further research and discovered there were very few people that understood security and I kind of developed a strong passion for the technical skills. I noticed that the concepts were easy to grasp and there was a higher demand for their skills. I was good at research and quick to understand technologies so I thought to myself - “seems I would be very good in this path”.
Was there something you wish you knew when you started?
Yes, personally, I wish I had been an excellent programmer before venturing into security assessments. When I discovered that I could go far without writing code and scripts, I trained myself in Java programming and have also learnt other languages since then. I developed a knack for programming later on, but it might have made things easier if I had had prior knowledge, as it would enhance my understanding of most tools.
What would be an important piece of advice for someone who is considering going into your career path?
- Zeal - Most people that come into the field are doing so because it pays well and believe that one or two courses or certifications will get them there, but I have always advocated that if the passion is not there, one will be limited or just average.
- A lot of research and time must be dedicated to acquiring the skills and your skill level is directly proportional to the effort you put into it.
- Engage - Network, find the people with the right mindset around you, because it is tough to do it alone.
Do you have a mentor? How important is it to have a mentor in the Infosec field?
Starting off, there was really no one close to me that was into security assessments. My online tutorials and instructors were my mentors, I listened to them, followed their instructions and did their exercises. I joined security forums to meet more people and have better insights. I searched on LinkedIn, and connected with few fellows in Nigeria and abroad. Mentorship can’t be over-emphasized as the process guides you through the right path.
What’s the most underrated skill someone needs to have to excel in this path?
- Hacker’s Mindset - It might not be considered by some as a skill, but it is what has taken me this far. It’s the mindset that brings the breakthroughs. It enables you to find unexpected ways of doing things. It is built with experience and a go-the-extra-mile attitude.
- Presentation skill - I would describe this as the ability to explain technical concepts in simple terms. A lot of technical folks lack this, but it is very necessary to demonstrate the value add of your work and its impact on the business.
How do you continuously keep yourself updated?
Top on the list is forums, security forums, where like-minded professionals engage each other and share knowledge. I am part of the NaijaSecForce group and there is a lot of knowledge sharing going on there which I have contributed to and also learned from. I dedicate some time to read and research about various subjects I believe would improve my skills and ultimately the value I add to my organisation.
What professional courses would you advise?
Courses and certifications are good and provide a structured way to learn. For someone looking to get into security assessments, there are various learning curves depending on your prior knowledge. It might be easier for those already in IT than for someone switching from an unrelated profession. In some cases, I recommend starting with some IT courses to help understand the concepts before moving to security courses. Certifications like the CEH, Security+ and OSCP can come when the concepts are fully understood.
Do you have any regrets so far?
Stephen Kofi Asamoah
Stephen Kofi Asamoah is a Senior Cybersecurity Consultant in the U.S.A. He has over ten (10) years of experience in the IT security industry, specializing in offensive cybersecurity operations including network infrastructure, application, ATM, cloud computing, machine learning, wireless and Point of Sale (PoS) penetration tests, social engineering, and red and purple teaming. He has extensive knowledge and experience in translating technical threats into business risks and aiding organizations in the development of administrative and detective controls through security operations and incident response strategies, policies and procedures development to combat cyber threats.
What would be an important piece of advice for someone who is considering going into Security Assessment?
So Information Security is very broad and encompasses several areas, which I generally put under technical and non-technical categories. When I’m talking to someone who is considering this line of work, there are a few questions I ask the person to understand where their interest really lies, and also some recommended ways or paths to take. So for instance, I would ask if the person is currently employed, unemployed or in school, and whether the technical or non-technical path will suit the person much better.
The reason I ask the employment status is because I have found it to be a lot easier to transition from your current role into that of InfoSec within the organization than if you decide to leave, probably take some InfoSec certificates and decide to get hired in the field. For instance, I started off my career as an IT Auditor, and when I realized I wanted to get into the technical InfoSec area, I started prepping myself to transition through research, self-teaching, certifications and a Master’s in InfoSec, which gave me enough leverage for other companies to want to hire me when I decided to leave my current organization.
When the person is still in school, they have the advantage to study the basics and get the InfoSec fundamentals before graduation, which means the person is coming out having the fundamentals to quickly pick up when employed. For students, I recommend they start networking, attending InfoSec-related meetings and, most importantly, try to get an internship or start applying for jobs at the latest by the start of your final semester (now, this part of the recommendation depends on the location of the person. Here in the U.S., you can get a job offer before graduation if you start the job search while in school and about to graduate). For instance, one of my mentees just got an internship with one of the top consulting firms here in the U.S., and that’s because he took the advice to start networking and attending seminars and conferences, and at one of these conferences he got a few interviews and landed internship offers.
For someone currently unemployed with no experience in InfoSec who wants to get into this field, it becomes a bit of a challenge. This might sound unfair; however, most organizations would hire people with some sort of experience in this field if the person is not a student. Most people who are currently not employed and come to me for advice about considering an InfoSec career usually come with the preconceived idea that taking certifications should be good enough to jump into the field. Certs are great; however, they cannot replace real experience. So my advice for those currently not working and looking to jump-start a career in InfoSec is case-by-case, and I can’t give a concrete one here.
Next is whether the person really wants to get into the Technical or Non-technical area. Knowing whether the person just wants to get into “general” InfoSec or want to specialize in a specific “technical” area will determine some of the certs or paths I will recommend.
What is the most underrated skill someone needs to have to excel in this path?
Persistence. Be ready to fail so many times, never give up and continue to fail until you get one right. Yes, I know that sounds cheesy, but that’s the truth. More often, when I tell people what I do (professional Ethical Hacker), they get very excited and express the desire to get into my line of work. However, the moment I begin to explain to them what and how long it took me to get to this point, they begin to get discouraged, because they mostly expect an easy and fast way to get to this point. So my advice to whoever wants to get into this career path (Ethical Hacker) is to be someone who is persistent, be ready to get frustrated, be able to do self-research into things and don’t be afraid to ask for help when you find yourself really stuck. I always tell people I’m always a student in this field and I will probably not stop learning until I decide not to pursue this career any longer, because there’s too much to learn every time :-)
What is the one book you’ve read that changed/impacted your career?
None. Honestly, there are plenty of things that change or impact a career and, in my humble opinion, a book is not one of those things. However, there is a chain of books and sources (e.g. YouTube videos, webinars, conferences, meetups, certs) that have impacted and shaped me in the course of my career.
Do you have mentees? How do you pass on this knowledge?
Yes, I do. I use real-life stories to share my knowledge. I also point them to resources (reading materials, sites, etc) that can help them further enhance their knowledge. Where necessary, I provide them access to some of my personal resources such as my cyber range lab infrastructure to learn and practice. Occasionally, I provide webinars and also training in InfoSec.
What is your advice for experienced people like yourself?
Our line of work is an ever-changing one, with adversaries always determining the pace. Hence, we should never stop learning and sharing. We should also be open and helpful to others who want to get into our field.
Stephen Kofi Asamoah is a big fan of animated movies. People close to him are usually surprised because they say he doesn’t look like someone who’s into such movies. He has seen all of Hotel Transylvania, Shrek, Minions, Moana, you name it (lol).
Mosimilolu Odunsaya is a cybersecurity senior consultant with experience in IT Audit and IT Security Consulting. She has assisted SEC-listed organisations with various cyber security projects, from security assessments and data privacy law implementation to SCADA assessments. She has also worked with clients in various sectors, including oil & gas companies, financial institutions and insurance companies.
One of her goals is bridging the gender gap in cyber security by motivating women to join the cyber security industry. She is also available for a chat/discussion if any lady needs it.
She enjoys travelling and blogs about her experiences on www.eattechtravel.com.