Name: Cheryl Torano
Job Title: Security Engineer
Location: Dundee, Scotland, UK
Tell us an interesting or fun fact about you:
I have a huge soft spot for dogs! I have a German Shepherd that is very much my furry child, she is one of the most loving and loyal beings to walk this earth. My love of dogs lead me to foster rescue dogs. I have fostered many dogs over the years, that have now gone on to loving forever homes. Some of these dogs come to me with terrible behavioural issues due them being abused and neglected, but with some love and patience they soon turn into happy well-behaved dogs. Gaining the trust of a dog that has experienced horrific abuse is truly a rewarding honour. I keep in touch with, with the new owners of every dog that I’ve fostered. I thoroughly enjoy watching them thrive in their new homes with their adoptive families.
If I ever win millions on the lottery, one of the things I would do is buy a huge patch of land and turn into a sanctuary for rescue dogs. It would be a place filled with love and kindness. All dogs of every breed, gender, size and colour would be welcome.
What drew you towards a career in cyber security?
I was first drawn towards a career in technology when I first became aware of the digital transformation that was happening throughout the world. I figured computers were the way of the future and I wanted to be a part of that future. I was drawn to cyber security when I realised that the people of the world weren’t ready to have digital technology so easily at their fingertips. Right from the start, my main interest has been, and still to this day is protecting the end user, especially the young and vulnerable.
Whilst the technology we have available to us nowadays can do some fantastic good for the world, there are many that use technology to scam, hurt, manipulate and abuse innocent people. Hiding behind a computer screen makes it too easy for malicious people to pretend to be someone they’re not. As a Mother, this terrifies me. I’m all for encouraging the younger generation to get into technology, but we need to educate people on how to use technology safely. There is a general lack of awareness of cyber security and I want to help change that.
What do you enjoy most about what you do in the industry?
The part I enjoy the most is being able to help protect people from exposing themselves to cyber threats. We all have some form of digital footprint, wither it be personal details stored on a banks database, or a profile on one of the many social media platforms available. However, most people are unaware of the digital footprint they’re leaving behind them as they go, and the things that can be done with this digital trail of information. Any individual or business, that is using risky behaviour online such as over sharing on social media, or not using the correct privacy settings and security configurations, makes them a very easy target for malicious hackers to exploit. I thoroughly enjoy spreading awareness of online risks and helping people become safer whilst they’re online. When I hear that I’ve managed to protect an individual from an online danger or learn of an instance of shielding my employer from a cyber-attack, it really makes my day!
Have you come up against any challenges or roadblocks and if so, what were they and how did you overcome them?
One of the biggest challenges I’ve come up against is getting people to “buy in” to cyber security. This ranges from the everyday computer user refusing to believe how real of a risk, things like social engineering and phishing attacks are, to senior management not fully understanding a risk and therefore initially deeming it as acceptable. I’ve often had to explain to people the purpose of an ethical hacker and the need for things like penetration tests.
On a professional level, I overcome such roadblocks by explaining risks and possible outcomes in great detail. I try to find valid examples where possible to backup what I’m saying, and I don’t hesitate to escalate an issue when needed.
On more of a personal level, it is apparent to me that people don’t really care about the risk of being hacked or exploited online, until such a time when it actually happens. Through experience, I’ve come to realise that sometimes explaining how a cyber-criminal may penetrate a device is no place near as effective as demonstrating it. I’ve been fortunate enough to perform live hacking demonstrations in my working environment, as well as at various STEM events, for many groups of people, and seeing the look of sheer horror on someone’s face when I show them how quick and easy it is to gain full control over a device, shows a remarkable difference between just talking them through how cyber-attacks work.
What have been your career defining moments?
Throughout my working life, I have had various job roles, some of which I managed to work my way up to management level, but, the most defining moment to date was graduating from Abertay University with a Bachelor of Science degree in Ethical Hacking.
I come from a disadvantaged background so achieving a degree was a huge deal for me. Not only that, the degree has now changed my life. I now no longer have a job; I have a career. A career that I am very passionate about. I can now comfortably afford to raise my children whilst working in an industry that I love. The education I received during my degree has given me the knowledge to allow me to protect innocent people from online risks. Protecting the innocent has always defined me as a person, now I get to do it for a living.
What changes have you seen in the cyber security industry in the time that you have been in it?
Throughout my cyber journey I have witnessed the rate of cyber-crime going up and up and up! Nowadays, criminals don’t even need to leave their house to commit crime, they just need a computing device and an internet connection. Anyone with the time and patience can use online tutorials to teach themselves how to become a malicious hacker to commit a cyber-crime of some kind. Some online criminals make big money out of scams. This means that online risks will keep increasing, and exploits will become more and more sophisticated.
A malicious hacker has one very big advantage over an ethical hacker, and this advantage is time. An ethical hacker will be hired for a set period of time and given an exact amount of time to, for example, carry out a penetration test for an organisation. The ethical hacker will clock in, do their shift then clock out again. But the malicious hacker doesn’t have set hours to work within and they don’t have a set deadline from their boss. A malicious hackers main aim is to penetrate their target and they have all the time they like to achieve it.
There is an ever-greater need for trained cyber security specialists who can work against these malicious cyber attackers.
What trends or changes do you think we will see in cyber security in the next 10 years?
The Covid-19 pandemic has brought on the trend of “working from home”, which in turn has brought on a whole load of new risks to organisations. Many organisations had to shift their entire business online very quickly! Meaning that security may have been compromised in some areas for some organisations. Unfortunately, cyber criminals are very aware of the new conditions that organisations currently find themselves in and are out in force trying to inflict cyber-attacks on businesses. During the past few months whilst the majority of the world have been in lockdown, there has been a huge increase in malicious hackers exploiting employees whilst they’ve been getting to grips with their new working from home environment. The pandemic has brought a huge amount of fear to people and when people are scared, they sometimes do things they would never usually do, such as fall for a phishing attack.
Even before the pandemic, I saw an increase in organisations moving to cloud environments. However, the covid-19 epidemic has forced many organisations into the cloud, faster than they originally anticipated. The days of having physical servers on location are rapidly becoming a thing of the past. Cloud environments such as AWS, Azure and Google are growing in popularity because they give users the power to scale in/out their environment in a quick, easy and cost-efficient manner. Unfortunately, due to the convenience of these new cloud technologies, security gaps can happen very easily, and occur often, if the correct security configurations aren’t used. Therefore, I believe that anyone thinking of joining, or already in the cyber industry, should start skilling up on cloud security.
How much job demand have you seen for cyber security professionals, and what things do you think will shape this demand in the coming years.
Recently, I’ve saw a big increase in the recruitment of cyber security professionals. When I graduated university, there weren’t a lot of cyber jobs advertised in Scotland. However, I now see new job roles being advertised daily. I’ve also saw an increase in the advertisement of remote roles with the industry, meaning that geographical restrictions are becoming less of an issue.
As I’ve mentioned, cloud computing is becoming increasingly popular, as is the need for cloud security professionals. As an example, a cloud instance running Windows Server can easily be set up within minutes, but if not configured correctly, can lead to serious data breaches. A cloud computer set to public view, due to human error, can essentially take down a business. As with any computing device, security must come first, even with virtual machines.
The demand for cyber security professionals is growing every day but currently there aren’t enough skilled professionals to meet the demand.
Has the coronavirus pandemic impacted on your career, and if so in what ways?
Like many others, I have been working remotely since the start of the pandemic. During this time, I have found a much better work life balance, which in turn has made me happier and more productive. By removing my daily to commute to and from the office, not only am I now less tired and stressed from not driving in rush hour traffic, but I’ve also gained an extra 2 hours per day. I have been using those extra 10 hours per week wisely! I’ve had more time to spend with my family, more time to relax and enjoy myself, which has improved my mental wellbeing, given me more energy and motivated me to carry on with my cyber journey. During this time, I’ve had time to think and plan my next career move, and I’ve had more time to study for upcoming exams. This pandemic has opened my eyes in a lot of ways.
What soft skills do you think are important for women in cyber security to have?
Depending on your job role, you may need some depth of technical knowledge and problem-solving skills, but you will definitely need to have good communication skills and be a team player! A big part of my job role as a security engineer, involves pointing out risks, i.e. things that are insecure. Sometimes this means pointing out mistakes that colleagues have made whilst configuring a machine, which has resulted in the machine being left vulnerable. Sometimes it’s pointing out security flaws in high level designs created by senior management. Whatever the case may be, people often don’t like being told they’ve created a security risk. How you communicate these types of issues to your colleagues will make all the difference. Finding the right balance between standing your ground whilst not being an arse is very important for anyone in the industry, but even more so for women.
Why do you think more women should consider a career in cyber security?
Well, why not? There shouldn’t be anything stopping women nowadays from having their career of choice. Many of the barriers and stereotypes that existed years ago have since been broken down. The problem now is the lack of awareness of careers in cyber security, and the lack of awareness of women in jobs that were traditionally thought of as “men’s jobs”.
Kids today cannot possibly aspire to acquire a job that they don’t know exists. I know that in my local area, cyber security isn’t on the school curriculum because the schools don’t have the necessary resources to accommodate such teaching. If the kids of today aren’t being told about this kind of stuff in school, then how will they know that it’s possible for them to have a career within the cyber security industry?! I wish I’d known years ago that cyber security was a thing, it may have made me realise sooner that I was a good fit for a career in the industry.
I implore any woman that is currently working in a role that is stereotypically defined as a male role, to get out and scream about it from the rooftops. Talk to other women about your job. Try to encourage the younger generation into your industry. Sometimes all it takes is one conversation to inspire someone. I believe that women should be role models for other women.
What advice would you give to a women looking to make the move into cyber security?
There are many ways to get into cyber security. Personally, I went back into education as a mature student on a very steep learning curve. I went from an office administrator to a security engineer. Although going back into education 10+ years after leaving school was initially very daunting, I soon found my feet and made friends. Going back into education was one of the best decisions I’ve ever made.
Taking the academic route as I did, isn’t the only option. There are various different training methods available. The Mosse Cyber Security Institute have created a remote internship in cyber security and are providing it to women – free of charge! The learning material is fantastic and allows you to build up a comprehensive portfolio demonstrating your technical competencies. This would be a great starting point for any women looking to get into a technical role within cyber.
Reaching out to people already working in the industry will also put you in good stead. By talking to people in various job roles, you can get a feel for the area they work in which help you decide what’s the best fit for you, and you’ll get some excellent guidance and tips at the same time. I have found the cyber community to be very welcoming.
Of course, another excellent idea is for women to read “The Rise of the Cyber Women” book 😉 It’s full of stories from inspirational women talking about their journeys into the cyber security industry.
In your perspective – what are the biggest cyber security threats to companies presently?
Throughout my cyber journey, it has become very apparent to me that employees are the biggest cyber security threat to companies. I’m not just talking about insider threat, which is also a very real risk for employers, I’m also referring to human error and lack of awareness. Yes, sometimes disgruntled employees can go rogue and cause terrible disruption to a business from the inside, but so can loyal hard-working employees who unknowingly inflict a cyber-attack on their employer.
Ensuring that employees receive good, continuous, cyber security awareness training is crucial to any business. By training employees to spot “red flags” in phishing emails, the employer is drastically reducing their chances of an employee innocently clicking on a link that will give a cyber-criminal entry to the company’s computer systems. By training employees about the importance of good password hygiene, best security practices and common cyber-attacks to be aware of, such as social engineering and deepfakes, again the employer is drastically improving their chances of not being exposed to a cyber-attack. Education is ultimately our best defence against cyber security threats.
Do you think it is important to close the gender gap in cyber security and if so, how do you think this could be done?
I believe that closing the gender gap is very important. A good starting point to achieve this would be to introduce awareness of cyber security to school aged young people. In the council run schools in my local area, as well as not having the resources to provide young people with an education in cyber security, they also have very strict firewall rules on the school computers that block pretty much all content relating to ethical hacking and cyber security. These kids can’t even research the topic on their own in their designated learning environment.
When looking at how introducing awareness of cyber security in schools may influence upcoming generations of young females in particular, I think that by letting girls know at a young age that a career within technology is an option for them, and by exposing them to the various job roles available within the industry and what working in the sector involves, it would inspire more females (in fact, young people in general) to get on-board. This combined with promoting awareness about females as role models within the industry will suppress the perception that a cyber security career isn’t possible for women and highlight that the technology industry is not totally male dominated.
The need for trained cyber security professionals is growing by the day. We need as many women, and men, as possible to get into the industry. The cyber industry needs people with all different skill sets, regardless of their gender.
While the situation in the cyber security industry has marginally improved in recent years, it is still a very male dominated world. What are your thoughts on this, and have you seen an improvement yourself?
I have saw a small increase in women getting into STEM related roles, and an even smaller increase in women getting into cyber security. However, the male to female ratio is still seriously under balanced. For example, within the operations department of the organisation I work for, only 14% are females. Women are seriously underrepresented in the technology industry. It really shouldn’t be this way; us girls have very useful skills to bring to the table.
We are a long way off gender equality being the normal, but us women can help the process along by being inspirational role models to other women. We can raise each other up, by supporting and encouraging each other. We can offer that same support to the younger generations. We can challenge stereotypes by using our voices. We can use the digital world around us to shout so our voices are heard.
Read Cheryl’s chapter and others in “The Rise of the Cyber Women: Volume 1″, available now via the links below: