It’s been just over two years since you graduated from SAIT. What are you up to now?
Since graduating, I have been working with KPMG doing cybersecurity risk consulting. When I’m not supporting clients, I am working towards various certifications to help me grow in the industry.
What does a cybersecurity risk advisory consultant actually do?
My job entails performing cyber maturity assessments — evaluating the level of an organization’s cybersecurity strategy and making recommendations for improvement.
I also assist with technical audits, which measure how an organization is performing in the area of cybersecurity against industry standards. We will collect a company’s documentation and determine if their processes meet the specified criteria, then write a report of our findings.
And I conduct cybersecurity risk assessments. My work is determined by client need and where my assistance is required.
Cybersecurity risk
The probability of exposure, harm or loss resulting from a cyberattack or data breach within an organization.
What do you love most about working in cybersecurity?
I have really enjoyed learning the risk side of cybersecurity and growing in that area. There are so many different things to consider when performing risk assessments, especially with cybersecurity changing on what seems to be a day-to-day basis.
18% of Canadian businesses were impacted by cybersecurity incidents in 2021. That’s nearly one in five businesses. The most common types of incidents included those to steal money or demand ransom payments (7%) and those to steal personal or financial data (6%).
You mentioned things constantly change in your field. What’s an example of a rising cyber-threat for organizations?
One of the biggest changes I’ve seen is the importance of protecting operational technology (OT) systems.
Operational technology, or OT
Hardware and software that monitors and controls devices, processes and infrastructure in industrial settings. Examples include industrial control systems and building management systems.
We are seeing a lot of siloing between information technology (IT) environments and OT environments, and that presents a major risk because a lot of machinery is controlled by or connected to a computer in some fashion. If a hacker were able to access these machines, they could potentially affect the electronic safety mechanisms or notifications to a main device, which could lead to catastrophic consequences — including loss of life. Examples might include a blowout on an oil rig or disrupted oxygen flow in a hospital.
OT systems are becoming major targets for hackers, so it’s critical to ensure proper safeguards are in place — like network segregation, firewalls and demilitarized zones (DMZs).
Demilitarized zone, or DMZ
A perimeter network that creates an extra layer of protection from external attack for an organization’s internal local-area network.
What challenges do you encounter in your work, and how do you manage them?
One of the biggest challenges I’ve faced is switching between multiple projects. For example, I’m currently revamping a corporate security policy while at the same time completing a research project on cybersecurity regulations. Sometimes shifting gears between the two is difficult. I make sure to take little breaks if I find myself distracted or struggling to get into the flow.
What’s the most valuable skill you learned at SAIT you’ve been able to use in cybersecurity?
My presentation and communication skills. Since I work in consulting, I’m less involved in the technical aspect of cybersecurity, but being able to communicate effectively to different levels within the organization is critical. I am often trying to meet client deliverables, so ensuring my writing is concise has also been important.
Think back to when you started working in cybersecurity two years ago. How has your career evolved so far?
It’s interesting to see the different exposure I’ve had to various departments and clients. My role never feels like it’s the same — getting to work with different industries has been rewarding.
I am always proud to tell connections that I went to SAIT.
Information Systems Security ’21