Did you enjoy school?
I loved school. I was lucky enough to go to a very good state grammar school which was very well-regarded in the county. I focused very heavily on STEM during my schooling and ended up taking A-levels in Biology, Chemistry, Physics and Maths.
We had some very passionate teachers in the science department at my school, and their enthusiasm rubbed off on me, and on a lot of my fellow pupils.
It’s probably also worth mentioning that this was a single-sex grammar school – we may have been a girl’s school, but there was never any expectation that we wouldn’t be interested in or successful in STEM because of our sex. I think that environment was helpful for me.
What qualifications do you have?
I have a B. Eng. (Hons.) in Computing from Imperial College.
I also have professional qualifications issued by CREST. I’m a CREST Certified Tester in Infrastructure and Applications, and a CREST Certified Simulated Attack Specialist and Simulated Attack Manager. I have held CHECK Team Leader status (managed by the UK NCSC) since 2007.
Has your career path been a smooth transition, a rocky road or combination of both?
Generally, I think it’s been pretty smooth. At the beginning of my career, following my degree, I wasn’t sure which path I wanted to take. I was ready for a change in direction, but I didn’t know what the destination was for me. Enter security – when I applied for my first job, working as a trainee security consultant, I was thinking “this sounds like fun”. And it was! Great fun – and I still love it today.
What’s the best career advice you can give to others?
Be prepared to step outside your comfort zone once in a while. I am where I am today because during my career, I have been lucky enough to work with supportive, enthusiastic colleagues and mentors who have had confidence in me and encouraged me to push my boundaries – people who have forced me to do things that I wasn’t necessarily sure I was ready to tackle. It was scary. It was difficult. But ultimately, it taught me the value of challenging myself and I am a more confident person, and a better security consultant, because of it. It’s so easy to lack confidence in yourself. Imposter syndrome is rife, in my experience – especially in the technical areas of cybersecurity. Taking the occasional risk and pushing yourself further than you want to go now and then, builds your confidence like nothing else.
Also: Network, network, network!
If you had to pick one mentor who has had the biggest influence on you, who would it be?
It’s very difficult to choose just one person! Having moved on from my first job, I found myself working in a larger team of penetration testers, in an environment where there was lots of knowledge-sharing and cross-training going on. It was great for me. My line manager in that role was one of the people who really pushed me outside of my comfort zone. He gave me high-profile consultancy projects that I wasn’t sure I could complete. He entrusted me with responsibilities that I wasn’t sure I was up to. He entered me for an exam (the then-CESG CHECK Team Leader exam) which terrified me! But he was right: I coped with it all and achieved good results. I succeeded in the challenges he gave me, and those experiences built a confidence in me that has persisted throughout my career. I think I would be much less-successful today without his support and challenge in that early role.
From where do you draw inspiration?
What gets me out of bed in the morning is helping people solve their problems. We don’t always have the best image in penetration testing – there are a lot of people who see us as a bunch of antisocial misfits, sitting in the dark in our hoodies causing trouble. The reality is that we work to make everybody safer. When I’m working with my customers, I’m looking for the best ways to achieve the outcomes they want safely and securely. I’m helping them to make the right choices and to manage the risk that they have. I work with a supporting, inclusive group of people, all of whom want to achieve these same outcomes. It’s that mission that inspires me, and the colleagues I work with who share it with me.
What is the biggest challenge you’ve faced to date?
Starting Cyberis with my two business partners is by far the biggest challenge I’ve faced to date. In the early years, as you might expect, we were responsible for everything – juggling delivering projects for our customers with the annual budget, VAT returns, bookkeeping, invoicing, credit control, cashflow planning, marketing and sales activities was incredibly difficult! I think we all forgot what it was like to rest. Since those early days, we’ve built up a team of incredible people at Cyberis to support the business and although growth still presents us with some big challenges on a day-to-day basis, I think we all look back and wonder how we managed sometimes!
What qualities do you feel makes a good leader?
Empathy is really important for leaders. If you want to develop people and inspire people, you need to be able to understand others’ experiences and emotions. Fostering a connection with people – be they your colleagues, your customers or your industry peers – is incredibly important. We often think of cybersecurity and penetration testing as technical fields, but security is so dependent on the decisions and actions of individual people you ignore the human side at your peril.
Good leaders have confidence tempered with a healthy dose of humility. There’s a fine line between confidence and arrogance, but a good leader has to know when other people can deliver an outcome better than they can themselves. Good leaders definitely will lead from the front when it’s appropriate, but they will also push people from behind where this will get a better result.
From a work viewpoint what was 2020 been like for you?
In a word: Interesting. Talking about the elephant in the room, the COVID-19 pandemic threw some new challenges into the mix for everybody. We were already a highly cloud-focussed business and so for us and our staff, the switch to homeworking wasn’t such a big step for us, but we’ve still had to adapt to new working patterns and constraints on the way we do things.
Before COVID-19 we visited customer sites and datacentres a lot. We would have face-to-face scoping meetings and workshops. We would sit with development teams while we tested their applications, and have chats with security architects while we reviewed their networks. When the pandemic hit, that activity all stopped immediately, and we had to come up with other solutions to help our customers assess their onsite components. Penetration testers have always had the capability to test ‘internal’ systems from a remote point of view. What has really changed in recent months is the appetite from our customers for us to do those tests remotely. As an employer, we want to protect the health of our staff, and our customers are doing the same. Customers who previously wanted us to work onsite closely with their teams are suddenly open to trialling remote testing options. The cost / benefit analysis for provisioning remote access to testing teams has fundamentally changed for our customers.
This year we have been working with a lot of customers who are either rolling out solutions designed to help their customers deal with the pandemic, or solutions designed to help their staff work effectively remotely. Crises tend to accelerate societal change, and we can see that people are innovating during the pandemic, which means we’ve been working on some very interesting projects as a result.
What would you say are the biggest cybersecurity challenges we face today?
At heart, the biggest challenges we face tend to be human-related. Technology gives us great opportunities, but we’re only as secure as the humans that use it, and humans are fallible. Think about phishing. We all know about phishing, we all know that it’s something we need to be vigilant about, and that we shouldn’t open documents we weren’t expecting, or click on links to random websites. Whilst we all know this, maintaining the level of vigilance necessary to ensure that we never fall victim to it is simply unrealistic. If a phishing hook is good enough, anybody could fall for it – even me. And this applies especially if you’re in a hurry, or under pressure, or feeling stressed out. I’m not saying that vigilance and user education aren’t important – they are – but we need to make sure all our controls take into account the fallibility of the human experience, and that we don’t push all of the responsibility for cybersecurity down onto individuals. We need solutions to these problems that are more constructive than “you should have known better”.
Give us a fact about you that most other people wouldn’t know.
I’m a very fast reader, and an avid devourer of fantasy novels. It’s pure escapism but wandering off into another world in your head is a fantastic antidote for stress.