The day starts at 6.30am — I like to get up early and go for a bike ride when it’s quiet. It’s a great time to relax and get my thoughts in order. Then it’s back home to help my wife get the kids ready for school, so I’m at my office desk by 8 a.m.
I know it’s a cliché, but no day is the same. It depends on so many things. We work as cybersecurity experts for many different types of businesses across the UK. If someone rings out of the blue and tells me that their business has been compromised by a cyberattack, then our day (and sometimes much of the night) is spent detecting the attack, preventing access to IT systems, removing vulnerabilities, and starting the long process of communicating with customers and stakeholders and cleaning and protecting all their IT processes and systems. It is not uncommon to see a business being brought to its knees by what appears to be an innocuous theft or other lapse in security.
Attacks on small and medium businesses in the UK are rising rapidly, and so many are still completely unprepared. A lot of this is due to the fact that business owners don’t understand why their data is of interest to cyber criminals. The fact is that there is a huge market for customer details and financial and commercially sensitive information. Small businesses are often the first and weakest link in the chain and the way to reach the bigger suppliers and companies. It’s a huge problem — the government is doing its best to educate the business community about the importance of protecting their valuable assets, but there are reports of more data breaches emerging every day.
Prioritizing PCI
I work with a tight team spread across the South of England. Each of us is an expert in our field, and my expertise is in payment card security, in the PCI DSS security standards. My operations manager Sarah will call me to check through the day’s appointments — a lot of my time is spent advising individuals about the need for PCI compliance and visiting head offices to speak to directors about more generalised cybersecurity as well as the more technical issues.
In the afternoon, I usually work on one or two proposals and get the chance to speak to the team about continuing security assessments and pen-testing assignments. We are constantly busy and have worked in most professional industry sectors. It can be frustrating that we can’t publicise the successful outcomes of the work that we do. Almost all our work is highly confidential — clients are often very embarrassed that they have suffered a security breach, and they don’t want any damage to their brand.
The best jobs are the clients that call us before anything disastrous has happened. They realise that they are at risk, so they contact us to do a thorough security assessment so that we can identify the vulnerabilities and advise on next steps.
I’m often out in the evenings as well — either presenting on cyber security at a conference or chairing an industry event. I’m heavily involved in the ISSA UK; it’s the largest international, not-for-profit association specifically for information security professionals, and I do my best to help publicise its events and support the organisation by doing my own presentations and question-and-answer sessions.
If I’m not out, then I’ll work on my blog. I’ve just written pieces on the recent Hatton Garden heist as well as PoSeidon, the latest malware to attack point-of-sale systems. Anything that I can do to raise the profile of cybersecurity in the UK is a bonus.
It’s difficult to relax sometimes, but the infosec community is really supportive; everyone knows everyone else, and it’s a brilliant (if sometimes stressful) career for any technically minded person. The hacking landscape changes so fast, and keeping one step ahead of the cyber criminals is a full-time concern.
This article was first published on 16th June 2015 in Information Week