What did you want to be when you were younger?
I didn’t have a clear career path in mind. Most people don’t really I think - you want to find something you’re interested in and can make money from. I did consider jobs that wouldn’t be replaced by robots or computers and one aspect of that was to think of IT. If I was able to fix the computer or robot at least I’d always have a job.
What were you interested in?
I was always interested in technology. We had a home computer back before most people did. I was into coding and technology. I was interested in finding out how things work. What happens from a technology perspective to make things work. I was always taking apart old radios and things like that and that hasn’t really ended - even in my career. One time I called a support engineer to help fix a laser printer. I’d already taken it apart. He had the manual but he didn’t know how to put it back together. He left me the part and I figured out how to put it back together and got it working again.
What route did you take? Do you think a degree in IT is the best route?
I was very lucky I got my first choice at university. I went into DCU to do an engineering degree, again trying to future-proof myself. Looking at my team, I have between 25 and 30 people, and about half would have come through a formal qualification route with an IT or engineering qualification and about half would have come from an apprenticeship and hands-on role. Those who have come via the hands-on route have experience in the working environment that brings a lot of value.
There are lots of certifications you can get in the information security world. I don’t have that many certifications myself. You can demonstrate your skill through the certification or experience route. I am more in the experience route.
Tell us about your job.
A big part of my job is to do with trust. In the security world when a threat does come up my team and I need to help support the business and people around me in responding to it.
I’d explain the nature of my role like this. Imagine the scenario of a castle. Every day people are coming up and launching missiles at it but the walls I’ve built are so high and strong that it is impenetrable and nothing is going to happen. So every day the King of the castle is going to call me and say ‘So, how are things going?’ and I’ll say yep, all good, nothing doing, lots is going on but no one is breaching the walls. After a period of time that might seem like - well, why are we paying you - we have the walls, we have the castle, what value are you adding?
The challenge is that there is always going to be a threat. To carry on the analogy, maybe it is a bigger catapult or a helicopter - some other way to get past those walls.
Like I say, a big part of my job is trust. Trust has to be earned and you only earn it by showing that you have appropriate controls and safeguards in place.
It is not just me and not just my team - a lot of what we do from a security perspective is working with the different parts of the business and educating people. One of the ways through our wall may be someone sending an email, someone opening something. We need people to be a little cautious or concerned if anything doesn’t seem right.
You have a qualification as an ethical hacker. What is that?
From a testing perspective we have people in our organisation called the red team. The red team are the ‘baddies’; they are trying to break in and they will try absolutely anything. We’re not just talking technology, we’re talking about going into the canteen at lunchtime and trying to steal someone’s access card or password and use it. They’re trying to do anything that an ill-minded external organisation might try. Their job is to be as bad as the bad guys out there.
It’s expected now from an IT perspective that organisations need to think this way. It is not good enough to carry out traditional technology tests, you need to go beyond that and include the people factor. People in our organisations are the greatest strengths and greatest controls but also in some cases they can be the weakest links.
We have the blue team working against the red team. They are the team who defend - they are really effective.
It is an area that didn’t exist 10 years ago but it is a really valuable and effective way to test security.
You can train to be a certified ethical hacker as I did. It’s all about training people to know and identify the different types of attack that might come and we share that information and knowledge within the financial services industry.
Best piece of advice you can give?
Be curious. From a security perspective be suspicious. If it looks too good to be true it probably is. The emails that people open look attractive but question and take a little pause. Ninety-nine times out of 100 that is the thing that helps you to protect your online security.
- In conversation with Janet Stafford