Name: Amy Ertan
Job Title: Cyber Security PhD Researcher and Freelance Security Researcher
Company: Royal Holloway, University of London
Location: Hertfordshire, UK
Tell us an interesting or fun fact about you:
I love adventures and travelling off-grid – I have hitch-hiked across six countries, and volunteered in another six (doing everything from koala care to teaching English to a class of enthusiastic librarians!).
What drew you towards a career in cyber security?
Maybe it’s cliché, but I wanted to keep people safe. My bachelor’s was in Philosophy, Politics and Economics and I was always drawn to the security (and international security in particular) parts of my programme. In 2017 – the year of Equifax and WannaCry, and in the midst of the Sony fall-out – I began to read around the media stories, and something just ‘clicked’ for me. I realised cyber security was a field that would continue to evolve and challenge the security (in technical but in very real terms) of organisations and individuals across society. Constantly evolving threats require creativity and agility on the part of cyber defenders – and I wanted to contribute to that in an impactful way. I chose to pursue an academic programme in cyber security that would allow me to play to my strengths and develop the credibility to enter the field.
What do you enjoy most about what you do in the industry?
I enjoy the space for creativity and change. Before converting my career (and studies) over to cyber security, I worked in finance for a number of years. I was fortunate to have a series of interesting roles and have some great mentors, but I was highly aware that I had yet to find a role that kept me curious and occupied beyond a six-month period. Between my PhD research and freelancing projects, I have had the chance to dip into so many different aspects of cyber security – from behavioural cyber-psychology research and interviewing CISOs, to modelling threat scenarios and participating in international cyber strategy competitions. I think the variety links directly into my last point which is that a large part of the friction between information security practitioners and the wider organisation is to do with communication. I love being able to build bridges and connect colleagues and concepts – so it was great to discover there’s a demand for this in the field!
What things are the most challenging in your role?
While I love the rapid pace of change across cyber security, it certainly plays havoc with a four-year PhD programme, through which one long-term contribution to the field must be presented. New research comes out daily, and I am continually rewriting parts of my research to adapt to a changing status quo. That said – I wouldn’t have it any other way and could easily have re-designed the current scope of my research (security threats pertaining to emerging technology) to avoid this issue.
Perhaps other challenging aspects that apply across the field might be the overload of information to the extent that it can be hard to distinguish ‘hype’ from genuine insights. I have been to expos where I have felt overwhelmed by hundreds of vendor stalls – all of which claim to have a market-leading product. While experience has, I hope, helped me recognise which service offerings stand up to their marketing material, I see others across the industry that complain of the overwhelming fear, uncertainty and doubt encouraged by a vendor-driven environment.
One final prominent challenge that frequently rears its head is imposter syndrome, and the associated feeling of being out of my depth or being insufficiently experienced compared to other peers. Having mentors and spaces to speak to colleagues informally has been invaluable in helping me realise that most have faced similar challenges with their confidence.
Have you come up against any challenges or roadblocks and if so, what were they and how did you overcome them?
At a risk of being cliché once again, I honestly think the largest roadblock has been me doubting my own abilities. I realised early on in my PhD that the way I was introducing myself – as someone new, non-technical, and appearing out of my depth – was disqualifying me from opportunities that I was more than capable of doing. Speaking to others in the field (especially colleagues from underrepresented groups) I realised how widespread this lack of confidence is felt across the community – and also realised how detrimental it was in terms of personal growth. Connecting with others through online and university-based networks has been wonderful in helping me explore my thoughts around the diverse set of perspectives in cybersecurity, and how everyone has strengths to bring to the field. I have also found incredibly useful assistance through a number of senior colleagues who have taken the time to mentor me. Hearing their stories, and the career stories of others in the cyber domain, is a frequent reminder that there are many paths into the field, and no one path is less valid than another.
What have been your career defining moments?
The game-changing moments in my career have been where a senior leader has given me a chance to prove myself. I can clearly remember the moment in a coffee meeting with a chief information security officer, who I had asked for career advice before starting my PhD, where he decided to take me on in a part-time capacity alongside my academic programme. It is the first step into a new employment field that always feels like the hardest – and it’s true. The fact that this one person took the leap of faith that this (inexperienced but enthusiastic) colleague would be a good addition to the team has changed the direction of my exposure to the industry, and for that I will always be grateful.
Another defining moment for me was when I, alongside three of my fellow PhD colleagues, won the Cyber Strategy 9/12 Competition in London in 2018, which contributed to the subsequent ‘Student Cyber Security Student of the Year’ granted by the SC Media Awards a few months later. The competition was the first cyber security competition of its kind that focused on cyber strategy and policy. It was organised in such a way that its goals were to demonstrate to industry and government partners how much value interdisciplinary approaches bring to cyber security. It was through engaging in initiatives like the competition that I realised how my background in international relations and cyber intelligence had helped me build valuable skills that could be deployed across a number of roles.
What trends or changes do you think we will see in cyber security in the next 10 years?
I think the automation of offensive tactics will become a concern through amplifying the potential frequency of attacks (we already see scheduled denial of service attacks which do not need the naps or attention breaks of their human-attacker counterparts) and through the increased speed of reconnaissance, which can be automated at scale to determine the most effective attacks. I also think we will see a continued increase in focus on social engineering and cyber-enabled fraud, especially given the increase in spear-phishing that is enabled by web-scraping public social media profiles or given the capabilities of automated technologies to create convincing fake text, image and video media.
In the next decade, I hope we see renewed approaches to supply chain risk management. Looking at the impact of supply chain attacks from Target to CCleaner, from NotPetya to the BA hack, we can see how your security posture is only as strong as your least secure critical supplier. This is already on the agenda for many organisations who are well aware that the confidentiality, availability and integrity of their data has dependencies on a number of external vendors, but I hope more organisations are given the frameworks and resources to track and manage this attack vector.
Finally, I hope that cyber security and privacy education continues to improve across and beyond the UK. The digital divide we have currently puts those least comfortable with technology at the greatest risk of being scammed, or having their information compromised. Focusing on having user-centred security, or secure-by-design consumer products, would help shift the burden off consumers and minimise the information they need to consume in the name of cyber awareness. I believe we want cyber security to be as intuitive a process as possible for all involved – and there’s a long way to go.
Has the coronavirus pandemic impacted on your career, and if so in what ways?
On the PhD side, my fieldwork was postponed by six months and a fellowship switched from a resident placement in the US to remote. I did find my research was effectively halted for 2-3 months as (understandably) my industry research participants were unable to commit to meetings, particularly as security teams generally saw an uptick in their workloads. As lockdowns release around the world it will be an ongoing process to see which research opportunities remain virtual – and this will impact my final methodological reflections.
On the paid employment side, I was going through the process of redundancy going into March 2020 which was unchanged due to COVID-19 – though it did make the search for a replacement role harder. I had one verbal offer renounced as the pandemic unfolded and was told the pandemic was putting recruitment plans on hold for a while.
I have instead started freelancing for a short period (pausing the PhD to allow me to test employment full-time, effectively giving myself an internship) and that has been a very positive experience. I was able to use my network to secure these roles and it was straightforward to have a default arrangement be remote work. Much as I love chatting to colleagues, I do not miss the commute into London, and will not be rushing to leave the remote work lifestyle anytime soon.
What soft skills do you think are important for women in cyber security to have?
I think I would change ‘soft skills’ to ‘professional skills’ in this question (and ‘hard’ skills to ‘technical’ skills – ‘soft skills’ mistakenly implies relative ease!) – and I would also challenge that women need to have any particular skills ahead of men (apart from stubbornness if women end up in unsupportive situations). All colleagues would do well to have excellent communication skills, the ability to adapt to change and challenges, and the conscientiousness to realise who they are impacting during their work, and question practices that challenge their values.
Why do you think more women should consider a career in cyber security?
First of all, I think women should be eyeing up cyber security as a desirable field in terms of career progression and job stability. Cyber security is a field with high demand, and this is not going to change anytime soon. Joining the field is likely to suit curious personalities who like a changing environment – and who are happy to keep learning as they go! Depending on your specialisation, cyber security roles can be lucrative, offering location mobility and opportunities to move easily between organisations. Because information security has a large skills gap, the field is open to colleagues from a number of different backgrounds, which means your work experience to date is likely to have you well-equipped from the start.
Secondly, cyber security is also a field in which we need women to be represented. Increased diversity within a team or function increases the range of perspectives that are considered, and this is essential when threat-modelling and anticipating the behaviour of an adversary, as well as when organising the most effective way to protect and mitigate against cyber incidents. To highlight one example: women and men frequently have differing threat-modelling scenarios (from running alone at night to considering insecure home smart-locks) and this aspect should be accounted for in any security design process. Where a section of society is not represented in a function, it is less likely that those people’s viewpoints will be considered in line with those in the room. By bringing their perspectives to the room, women are able to contribute to a better-rounded space – hopefully making it even more inclusive for subsequent entrants to the industry.
What advice would you give to a woman looking to make the move into cyber security?
Reach out! There are plenty of people who are willing to offer advice to enthusiastic potential recruits. If you are looking to make the move into the industry but do not quite know how best to proceed or what roles you’re well suited to, message a few cyber security professionals with specific questions. The worst that can happen is that you get ignored. More often than not, engaging questions may lead to a call or virtual meeting, at the end of which you can ask for introductions to other colleagues as appropriate. Many cyber security colleagues have relied on our online network to inform us of opportunities and find out more about aspects of the field, and I would urge anyone curious about information security to leverage this community, who are generally more than willing to be generous with their time.
In your perspective – what are the biggest cyber security threats to companies presently?
I think social engineering has only recently been recognised as a major threat, in light of high-profile compromises and the rise of wide-spread cyber-enabled fraud. Particularly as social engineering email techniques become more sophisticated – with foreign prince emails becoming few and far between – it is easy to mistakenly be convinced that an email is genuine. The rise of ‘thread-jacking’, where an attacker compromises an account and replies on a legitimate email chain, makes it incredibly difficult for colleagues to detect malicious activity. The creativity of malicious actors requires constant adaptation, training and awareness by colleagues across an organisation.
Secondly, within the context of COVID-19 a steep increase in ransomware has been observed, and cases are frequently reported where organisations are continuing to pay ransoms to attackers. As the recent Blackbaud attack highlights, even if data backups are functional, a ransom may be paid to attackers to attempt to prevent further leak of the data. There is an irony that ransom payments take a malicious cyber attacker at their word when they could just as easily continue with further blackmail. We might expect organisations without appropriate patch management procedures, incident response plans and with low levels of cyber risk maturity to be more susceptible to ransomware – but this still risks impacting even the most well-resourced cyber security functions through supply chain attacks.
Do you think it is important to close the gender gap in cyber security and if so, how do you think this could be done?
I do not see any downside to having a cyber security function that represents the community it serves. I do think more effort needs to take place earlier on than we might assume in the education system, to avoid discouraging women away from scientific subjects. This subject-based disparity is already well-established by GCSE-stage in the UK, so I would welcome more initiatives that encourage 11+, or even primary age children, into learn-to-code initiatives. That said, I also think there should be outreach to pipeline talent about the wide range of opportunities available in cyber security, from penetration testers to intelligence analysts, from policy advisors to risk and compliance functions. Cyber security doesn’t have the set path that we see in law, medicine or engineering – and this is a strength in the sense that it welcomes diversity – but those we want to attract must know the field exists and will welcome them. From highlighting this as a path to school and university careers advisors, to making sure there are resources for curious teenagers, there are many things we can do to ensure a strong pipeline of all talented young people into the field.
I also think representation at senior management levels is important too, in terms of shaping the direction and maintaining diversity of power throughout an organisation, but also in terms of promoting role models for women entering the field. Women need to be supported when applying for leadership roles and be set up to succeed in management.
Finally, is there anything else you would like to share with our readers?
For those looking to break into the industry, my advice is to reach out to as many people as possible with any specific questions you might have. LinkedIn and Twitter are your friends when it comes to developing your network, and as long as you are engaged and targeted with your introductions you should find individuals happy to talk to you. This is especially relevant if you are looking at particular organisations or roles, as you can collect candid insights from colleagues in the field that you might not find on a company website.
For those who are already established in the cyber security field, please don’t underestimate your influence and impact in extending opportunities to potential future talent. Even if your organisation does not have current opportunities for junior colleagues, interns or work experience placements, you can make a difference through putting yourself forward on social media as a potential mentor, or for one-off advice. Outreach activities, including presentations to schools or universities, can be eye-opening for those who were never exposed to the idea of a career in cyber security, and can help communicate the wide range of opportunities in an employable discipline. Finally, if you are in a position of influence or privilege through your employment or position in the field, recognise and use that for positive ends. From checking (and challenging!) inequalities in your work environment, ensuring hiring practices are designed to hire in an inclusive way, to encouraging diversity of perspectives (both in technical and non-technical terms, as well as through the formation of a team representative of the society it serves), the ways to support a better industry environment are broad. It is 2020. Now is the time for all of us to practice what we preach.
Read Amy’s chapter and others in “The Rise of the Cyber Women: Volume 1”, available now via the links below:
About Amy Ertan
Amy is an interdisciplinary cyber security PhD researcher at Royal Holloway, University of London, where she researches the security consequences of AI technology in defence and the military. Amy is a Cyber Project Fellow at Harvard University’s Belfer Center, a researching scholar at NATO’s Cooperative Cyber Defence Centre of Excellence, and Data Protection Fellow at the Institute for Technology and Society, Rio. Amy contributes part-time to industry projects in research roles relating to cyber threat intelligence, cyber-psychology, and cyber security risk management. Before switching to cyber security, she was involved in regulatory change and digital innovation for Barclays.