Journey to cyber security

Market demand motivated career shift and tech, coding background prove valuable

Nathan Su came to infosec with a problem-solving mindset, the Canberra-based principal security advisor tells AISA reporter Nick Moore.

Describe your current role in cyber security?

I’m a security consultant at Trustwave based in Canberra.

My role at Trustwave involves advising public sector clients of cyber security risks on major technology initiatives. The advice involves demystifying cyber security obligations as well as identifying any anti-patterns to industry better practices that may result in risks. In essence, making sure my clients learn from the lessons from other organisations.

The above can be grouped into the GRC category with emphasis on risk, and compliance.

Your job before cyber security - how has this helped with cyber security?

I was fortunate to experience multiple job roles prior to focusing on cyber security. This was only possible by starting as a graduate in a major consulting firm in Sydney.

Prior to focusing on cyber security my bread and butter was technology risk and assurance, otherwise known as technology controls auditing. It was through this experience that I learned about information security but also how it fits in a broader technology control suite that enables a business such as change management, data centre management, batch processing and application controls.

This really opened doors for me into internal audit, software asset management, enterprise risk management and information management. These are all roles I am thankful for. Technology is just really that pervasive now, that you’ll be engaging with a variety of stakeholders. The more you can understand what and why they do something, the better you can help them do it securely.

Why did you make the transition from technology risk?

Market demand.

I moved to Canberra in 2014 and there wasn’t that much technology auditing work! I dabbled in cyber security, internal audit and information management. Around 2016, demand for cyber started skyrocketing that there was enough demand to warrant dedicated focus.

I knew I needed to upskill my current skillset to be more relevant in cyber security. This involved obtaining my CISSP, OSCP and IRAP, to really understand what keeps security professionals awake at night and the attacker mindset.

That’s not to say you need those certificates to start or move into cyber security. My time in consulting really fostered my drive for continuous learning and adaptability so I can solve client problems more effectively. Those certificates were deliberately chosen based on the problems my clients were dealing with.

Right now, cloud security is one of the areas my client are seeking help on so that is what I’m learning about and tinkering with.

You studied systems development and spent some time as a software developer before your graduate role at Deloitte. Have you found coding to be an advantage or not in GRC?

Yes – for me I found it to be an advantage because of the soft skills I obtained from coding as well as the appreciation of challenges faced by developers.

Studying systems development or coding at university helped me develop my problem-solving mindset, which I’m thankful for. To make something work, you have to break it down into basic steps that you can translate to code. If you know the steps you need to take to achieve something, the programming language is secondary.

Working as a software developer exposed me into what an enterprise systems code pipeline could look like. It has helped me empathise with developers when I engage with them on GRC work. Developers and even other roles aren’t deliberately creating vulnerabilities (unless creating vulnerabilities is their job!). For me, it’s about creating the necessary guard rails so they can do their best work as securely as possible.

As passionate as I am about cyber security, I understand it isn’t the No.1 concern for everyone.

What is the most important thing you wish more people understood about risk in cyber security?

Really try to understand why the person/team/business is trying to do what you deem is risky. Once you have a grasp on the motivation, you can have a well-balanced discussion on threats that might be interested, why they are interested, how they might do it, what they might obtain and what things to put in place if necessary. It’s important this is a discussion, so you must listen and understand their reasons on why it might not be a risky undertaking. And there you have it, you have discussed the risk event, the risk likelihood, the risk consequence, explored some controls and possibly some treatments.

The reality is, security professionals including cyber security primarily think in misuse cases (how might I overcome this obstacle) and non-security professionals primarily think of use cases to achieve their business objectives. Risk is that tug of war on trying to take as much risk as you can to achieve an objective but not endanger people (team, customers, personal information etc) and the organisation (reputation, branding, data etc).

What do you think the risk landscape will look like in two years?

A lot more digital connectivity and a lot more opaqueness on who controls what, particularly at the logical access level (application access and data repositories) and physical storage level (data centres). Control can be either what is under your organisation’s control, your supplier’s control, or a fourth party, such as a supplier to supplier.

As a consequence of this I think there will be a significant increase in engagement with cyber security teams. This is because businesses are more aware of cyber security consequences, they still want to move fast and want to make sure they engage with cyber security to make sure what they are doing is secure.

The increase in engagement will result in possibly burnout for cyber security consultants because the workload has increased so significantly, but the workforce hasn’t kept up with pace.

I’m excited about the possible innovation in GRC in response to burnout and helping businesses move faster. Such as embedding cyber security guardrails through compliance-as-code via automation and continuous monitoring of controls. Other innovations I’m excited about is reducing the amount of data you hold to make organisations less attractive as a target. And finally, innovations in services provided by managed service providers to make them a viable option for outsourcing deliberate tasks and outcomes.

Career-wise, where do you see yourself in five years?

Many possibilities! My passion is really about making life easier for my clients so they can focus on what they do best. Making life easier for my client involves helping them understand cyber security, as well as for me to learn from my clients if they have found better ways to do things.

This means I still might be in consulting, a dedicated adviser to a major technology initiative, or I might even pivot from cyber to another area that is rising in demand like I’ve done many times before.

Here’s to continuous learning and adaptability!

Nathan Su: Risk is that tug-o-war on trying to take as much risk as you can to achieve an objective but not endanger people (team, customers, personal information etc) and the organisation (reputation, branding, data etc).

  Register Now