NEXT UP ON this.
With the rise in cloud computing, portable devices and the simple fact that practically every organisation and its people rely on the internet these days, we’re all vulnerable to cyber-attacks. And leaking of personal details can have serious consequences. In 2019, it was reported that 65% of businesses experienced a disruptive security breach in the previous year, and in 2021 it was reported that online crime is costing Australians up to $29 billion a year. Stats like these mean there’s an increasing demand for cyber security specialists.
Job roles in this specialised field of IT can include ‘information security officer’, ‘security administrator’, ‘cyber security consultant’, ‘cyber security analyst’, ‘penetration tester’ and many others. According to The Australian Government’s Job Outlook, the number of people working in this field will increase strongly to 41,000 by 2022, with full-time workers commanding $1,693 per week on average.
So what does it really mean to be an expert in cyber safety? In this article, Colby, a Security Analyst at Deloitte and graduate of Deakin’s Bachelor of IT Security (now called Bachelor of Cyber Security), shares his insights into what the job’s really like.
‘From very early in my career I noticed a growing need for cyber security professionals in Australia. Every day we hear terms like ‘data breach’, ‘cyber-attack’ or ‘ransomware’, and the impact these issues can have on individuals, organisations and governments. Security extends beyond technology and into the physical world, integrated in everything we do.
‘My career as a penetration tester allows me to assist organisations in securing their infrastructure and digital assets. Through emulating real-world cyber-attacks and advising on best practice security strategies, I am able to assist clients in providing a safe and secure environment for consumers. Ultimately, what led me to a career in cyber security was the opportunity to make an impact in people’s lives.’
‘My job involves two types of testing which simulate real-world cyber-attacks; internal and external. Internal testing is looking for internal vulnerabilities behind an organisations defences with the same levels of access as employees. A common misconception in security is that hackers cause the greatest risk to a business. A lot of the time, people within the organisation can be just as dangerous. My goal in external testing is to hack into any visible externally facing entities, emulating the steps an attacker might take in hacking into a system.
‘There are four main steps involved in performing a penetration test. Enumeration is the gathering of information and preliminary intelligence on a target. Discovery then searches for potential vulnerabilities in a target system. Exploitation involves attacking the target using some exploit and gaining access to privileged information or services. From here, data exfiltration and escalation of privileges occurs. Lastly, any evidence of the exploit and subsequent access is removed.
‘After successful completion of an assessment, a report is provided to the client which details the steps involved in exploiting each vulnerability discovered, and recommendations to secure the affected system.
‘A typical day could involve any combination of these activities, in addition to attending meetings with projects to gather requirements, triage security issues and contextualise technical risk to business.’
'A common misconception in security is that hackers cause the greatest risk to a business. A lot of the time, people within the organisation can be just as dangerous.'
‘The best part of my job is variety. Technology is an ever-changing landscape, and so cyber security is constantly evolving. My role requires me to work with a variety of different systems, be it web applications, infrastructure, mobile or even physical security. From there, I work with countless types of technology, frameworks and programming languages, across multiple industry sectors.
‘The systems I work with are often cutting-edge, so as a technology enthusiast I get the opportunity to work with some truly incredible and innovative applications.
‘Equally, my role at Deloitte provides me with opportunities for future study, allows me to attend conferences, travel around Australia and internationally, and exposure to a global network of professionals from a range of occupations, backgrounds and experiences.’
‘Security analysts must continually adapt to stay a step ahead of cyber-criminals. This involves monitoring current trends in cyber-crime, the latest methods and exploits used by attackers to infiltrate systems, and new developments in technology. Additionally, it is an expectation as a penetration tester that we are subject matter experts in a range of roles across information technology. Consuming all of this information can be quite overwhelming.
‘While challenging, this is a crucial aspect of ensuring a comprehensive assessment of an organisations security and weaknesses, and advising clients on tailored solutions for mitigating risk.’
‘The most important quality a penetration tester requires is a strong ethical code. We often work with highly confidential information and have access to critical infrastructure. It is important to maintain integrity and accountability in everything we do.
‘Equally as important is a deep analytical mindset and the ability to identify trends in data. Sometimes, complete compromise of a network could be caused by as little as one error in a single line of code.
‘An inquisitive nature and ingenuity in discovering new methods to achieve desired outcomes and, at a technical level, an understanding of web development, programming, security fundamentals and networking is crucial.’
‘It is an expectation that penetration testers are subject matter experts in a range of roles across information technology. Notably, my colleagues come from a range of backgrounds, such as computer science, information systems, forensics and engineering. The most crucial subject will be those specifically relating to cyber security, as these will lay the foundations for a deep technical understanding of risk.
‘Ultimately, a keen interest in IT, security and personal drive will pave the way for a successful career as a security analyst.’
Subscribe for a regular dose of technology, innovation, culture and personal development.