Last week, I spoke with Candy Alexander. An attack by the famous Kevin Mitnick started her cybersecurity career!
This time, I had the pleasure of interviewing Kim Wong. She recently started in a cybersecurity role in the UK’s financial services industry.
Kim Crawley: Tell me a bit about what you do.
Kim Wong: I’m a security analyst in the cyber operations team, working for a bank. I just started this role, and I’m currently four months in.
We’re the defenders of the bank, the first line warriors. We’re the eyes and ears of monitoring, identifying and mitigating any malicious activity on the company’s estate, as well as looking at events in our SIEM that come from various other devices like IDS, email and web monitoring.
I obtained a diploma in computing before gaining a degree in digital forensics. That gave me a taste for security and I’ve been hooked ever since. I wanted to specialize, as I saw security as a niche.
My first job was as a security engineer, where I got hands-on with firewalls. I tried out different roles like pre-sales before trying my hand in analytics. I’ve been in the industry for about five years. Still a baby!
KC: What motivated you to choose computing when you started your studies?
KW: I guess it was my interest in taking things apart and finding out what they do, together with my interest in technology and video games.
My interest in computing started at a very young age when I built my first PC. My family, as always, asking me to help them – though I don’t understand why they think if you studied computing, you should end up as their technical support for life. Ha ha!
KC: Yeah, that’s a common problem. I’m called for tech support in my personal life, too, and I’m just a tech journalist now. Although I did work in helpdesk a decade ago.
Working for a bank now must be intense. I think finance tends to have the best security hardening in the private sector. Is that true from your experience?
KW: This is my first role in the private sector, but from what I’ve seen so far, I would say yes.
We have a duty to protect our data and stay up-to-date with the current threats that are ever-changing and challenging at times. But I also think more security education awareness needs to be instilled in users.
It’s quite chill, actually. I’m lucky to be in a good team. I am the only female, but that doesn’t turn me off, and everyone’s willing to help each other out.
Chaos comes when you get notified of a malware spam campaign like Lutikus, for example. Then it’s all hands on deck, trying to find the users who clicked on a malicious link and gathering the IOCs. Do we need any rebuilds? I communicate with the other teams. But it’s all part of the fun.
KC: Are there a lot of cybersecurity compliance standards in Britain’s financial sector?
KW: From the top of my head, although I don’t work in the compliance area, we have ISO27001, ITIL, COBIT, EU Data Protection Act, PCI DSS, and Basel Accords.
Various areas are policed by different bodies, such as the FCA (Financial Conduct Authority), which is the conduct regulator for 56,000 financial services firms and financial markets in the UK. There’s also the Information Commissioner’s Office and others.
KC: I know you haven’t been at your job for long, but what are some misconceptions people have about it?
KW: People think the security world is male-dominated, and being the only female, there’s this misconception you don’t know anything, which is BS. I believe with hard work, perseverance, and a sprinkle of patience, you can get to where you want to go. I was lucky to have good mentors at university, and I also look up to my colleagues in my role now. Every day is a school day. It’s like a fountain of knowledge!
KC: How do you think cybersecurity could attract more diversity?
KW: I think it starts with schools. Maybe they can have talks from people in the industry, workshops, and so on. When I was at school, we had zero stuff on cybersecurity. Google was my friend.
KC: What do you think the biggest problem in information security is now?
KW: I think it’s keeping on top of the types of the attacks out there and ways to prevent them. It’s ever-changing and evolving. Attackers are getting more sophisticated in their methods. You can’t 100% rely on technology. It can only get you so far. The users are the first line of defence. It makes me cringe that users still want to click on malicious links in an email they don’t know, but I guess we humans are hard-wired for curiosity.
KC: Is there anything you’d like to add before we go?
KW: Are there any people in the industry who train in parkour? It’s one of my passions, and I’d be interested if there are any security peeps out there who do. Maybe I will see you on a wall sometime.
About the Author: Kim Crawley spent years working in general tier two consumer tech support, most of which as a representative of Windstream, a secondary American ISP. Malware-related tickets intrigued her, and her knowledge grew from fixing malware problems on thousands of client PCs. Her curiosity led her to research malware as a hobby, which grew into an interest in all things information security related. By 2011, she was already ghostwriting study material for the InfoSec Institute’s CISSP and CEH certification exam preparation programs. Ever since, she’s contributed articles on a variety of information security topics to CIO, CSO, Computerworld, SC Magazine, and 2600 Magazine.Her first solo developed PC game, Hackers Versus Banksters, had a successful Kickstarter and was featured at the Toronto Comic Arts Festival in May 2016. This October, she gave her first talk at an infosec convention, a penetration testing presentation at BSides Toronto.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.