My updated journey (so far) in a cyber security career
Back in January 2019 I wrote a blog post about my journey (so far) to a cyber security career, and I have had cause to reference it over the last few months. At that point I realised that post was over five years old, so I figured I'd write an update.
The journey to 2019
It makes sense to read the 2019 post before continuing here, but if you want the brief summary: I started working in IT when I was still a teenager in school. I skipped university, as I didn't want to be out of date by the time I finished my BSc (degree), and went straight into working full time. I then returned to my secondary school where I worked my way up to being the network manager (in charge of all the "end user computing", IT systems, servers and networking infrastructure). It was during my time working at the secondary school that I really got interested in security, partly because it sounded interesting, and partly because I needed to keep the students out of the system!
After working at the school I moved to a managed service provider (MSP), where I became the organisation's security lead by default. I spent about two years at the MSP, learning a lot about different systems (and sometimes how not to do things), before I switched to working for local government as a network & security engineer, which was my job at the time I wrote my 2019 post.
Focusing more on security - moving to deputy SISO
While the network and security engineer role was interesting, I had decided I didn't want to still be in that post at the end of 2019. I wanted to progress more into the security aspect of IT, and despite finding networking interesting (and I still do) I considered I was largely done with that part of my career. There was another restructure at the council, and the role of Deputy Senior Information Security Officer (DeSISO hereafter) was created. I was successful in getting that role, so started full time as the DeSISO in January 2020.
I still had to do some of my old role, which prompted my post on releasing people from their old roles. The pandemic contributed to the delay in handing over some of my previous role, but I'll let you read the linked post if you want to know more about that.
As a DeSISO I got to provide teams with guidance on security matters in a more formalised manner. This was good, because it meant there was more weight / credibility behind what I was saying, but did mean I'd moved more towards the governance side of things. I no longer implemented systems (for the most part).
Gaining a CISSP
After receiving some funding from central government the council chose to send me on a course to train me for ISC2's CISSP exam. The CISSP, or Certified Information Systems Security Professional, is a highly regarded qualification that focuses on training the professional to consider how security practices can help the business achieve their goals safely. I wrote about my experience of that course and exam in an earlier post.
I felt really honoured that the council chose to send me on that training, and they named me specifically.
The team expanded
Due to another restructure, we had the opportunity to expand the security team to a Senior Information Security Officer (SISO - my boss) and two DeSISOs (one of whom was me). One of my best friends applied for the role (I was not involved in the recruitment process) and joined the team. It was really good to work with her in that capacity, and I was able to mentor her in some areas. Most importantly, she and I complemented each other really well and we'd pick up on things the other missed.
During this time I also ran a number of security incident simulations, where you take a team of defenders and run through what would happen during an incident. I used tools from the NCSC's Exercise in a Box, which I had also been a tester for, to run some fake malicious software and work with the defenders to identify the problem and shut it down. I've written about "wargaming" in another blog series.
From deputy SISO to SISO
Yet another restructure was announced and it became clear to me that my time at the council was coming to an end. On a personal level I was getting quite fatigued and frustrated by these relentless restructures, and I applied for a role elsewhere. In June 2022 I left the council to work in the private sector (you can read more about my reasons for leaving).
At the council I'd been a deputy, but now I was top of the security pile. I reported to the compliance & operations director, and my job was to work with him and other managers to set the security direction and strategy for the company. This took some getting used to! Previously I had to check that what I wanted to do was OK, whereas now I had the ability to make decisions (within reason).
You can read more about my role of SISO in this blog series.
Still doing some IT
Ten days into my time as SISO the head of IT resigned - unrelated to my arrival. This meant that I was asked to help with the Internal IT side of things, and I flitted in and out of that role from 2022 to 2024 as Internal IT was handled by someone else for about 10 months. It was useful to gain a better knowledge of Microsoft 365 and its security solutions though.
Making some security changes
When I took on the role I found the organisation had a very mixed security posture. The company was a merging of four businesses: some colleagues had Sophos Antivirus, others had ESET, others still had an expired ESET due to a failed update server (it had failed at the start of the pandemic I think), and everyone else simply had no installed antivirus. The backups at head office also had not run correctly in over a year. While internal IT was down to me I started to make some changes, which I continued with the Group IT Manager when he was appointed.
We wanted to enhance our antispam, antiphishing, and impersonation protection capability so we implemented Microsoft Defender for Office 365. Our antivirus problem was solved by purchasing Microsoft Defender for Endpoint P2, which was rolled out to all Windows and macOS devices. The impersonation protection part of the product didn't seem to work that well (people were still being emailed by people pretending to be our CEO) so I implemented a bit of a hacky workaround to quarantine those emails - I need to write a blog post on that.
In 2024 I worked with the IT team to start implementing Microsoft Entra Conditional Access, which would allow us to restrict access to our data depending on the device and location of the colleague. We also started to look at implementing Data Leakage Prevention (DLP), again through Defender.
I've talked a lot about internal IT changes, but the wider part of my SISO role is discussed in my insights into SISO blog series. While keeping myself up to date with technical implementations and technologies was helpful, I wasn't able to do this completely due to internal IT not being my main role. I would have loved to have got our security state further on, but come May 2024 that wasn't so relevant...
Being bought and onto another role
In May 2024 my employer of around 350 people was bought by a much larger company (3,000+ people). I spent a lot of time between May and October working on integration tasks for both internal IT and security as the two companies joined together. Maybe in time I'll write more about that process, but for now I'll just say that I found it incredibly stressful and depressing at times. At other times there were fantastic joint victories as the teams worked increasingly well together.
Since 1st November my role has changed to being a Senior Information Security Engagement Consultant, something I'm still getting used to. I'm part of a bigger security team which is split into three sub-teams. My biggest challenge is that my previous role of SISO is split across many people, massively reducing what I can do and what my role entails. I'm not sure how this factors into my career and progression - at the moment it very much feels like a backwards step.
Keeping up with CPE
I'm still very keen to keep learning and developing my understanding, so make sure I read articles and attend webinars / talks in person wherever I can. If you need some tips on that I've got just the blog post you need here.
Banner image: "Computer Programmer - colour", from OpenClipart.org, by j4p4n.