Podcast Episode #16 Exploring careers in Cyber Security, an interview with expert Claire Pales

In this interview, Relaunch Me coach Clare Pickard interviews cybersecurity expert Claire Pales about the world of information security.

Claire is the best selling author of “The Secure CIO”, host of “The Secure CIO Podcast” and Director of 27 Lanterns, a consulting company committed to helping organisations create and sustain effective information and cybersecurity teams.

Prior to establishing her own consulting business, Claire also had 15+ years' experience leading teams in Corporate Security, Online Trust and Safety and Cyber Security within organisations including Telstra, Sensis and Sportsbet.

In this episode, Clare and Claire discussed:

  • Claire’s career journey to date, her decisions along the way and how she came to run her own business 27 Lanterns
  • The different types of roles within cybersecurity and what they involve
  • What would be a typical study background for people working within cybersecurity
  • The key skills and attributes required to be successful in information security
  • What sort of research should someone conduct if they are thinking about making a career change into cybersecurity
  • Claire’s advice for people considering a career change in this industry
  • What are some of the common backgrounds for people transitioning into this area
  • A typical day for a cybersecurity professional
  • Claire’s work at 27 Lanterns and why she started her business
  • Claire’s advice for someone considering this area as a potential career path

If you are keen to hear more about the Information Security industry, then Claire is also the host of The Secure CIO Podcast.

You can also sign up to her newsletter here: http://eepurl.com/dMeS9A

Transcript

Leah Lambart : 

Welcome to the Relaunch Your Career podcast. I’m your host Leah Lambart, Career and Interview Coach and Founder of Relaunch Me, where we help you find the work that you were meant to do.

Clare Pickard : 

Hi everyone, and welcome to the Relaunch Your Career Podcast. I am Clare Pickard, and today I have the pleasure of speaking with Claire Pales. Claire is the author of the best selling book The Secure CIO, a podcast host and director of 27 Lanterns, a consulting company committed to helping organisations create and sustain effective information and cybersecurity teams. She has 17 years of experience establishing teams and leading award winning security strategies throughout Australia and Asia, including Hong Kong, China and India. Her focus is now to grow and coach information security professionals and help businesses to establish exceptional information security practices. Based in Melbourne, Claire is a sought after speaker and advocate for people in cyber. Claire, welcome to the podcast. I’m thrilled to have you here as a guest to talk about all things cyber security. It’s such an interesting and fast growing industry and I thought that it would be valuable today to give our listeners some insight into the industry, the different roles that exist and perhaps some of the career opportunities that may be available for someone looking at moving into the industry. Claire, we first met back in 2008 when you were working at Telstra, and I was helping you recruit for your analyst team. Since then, your career in information security or the cyber security industry has taken you to Hong Kong, China and back again to Australia where you now successfully run your own consulting business. To start with, can you just give our listeners a little bit of an overview of your career journey to date, some of the decisions you may have made along the way, and ultimately how you came to run your own business.

Claire Pales : 

Thanks, Clare, for having me on the podcast today and thanks for the introduction. My career has been in security since the very start. I’ve got a degree in police studies, and I really had an interest in how crime and criminal activity happens and how the police manage that, and so I started my cyber security adventure I suppose way back at university. I came out of there and met a couple of people who were working at Telstra and got an opportunity to work in their corporate security team and that was really the start of opening my eyes to how security worked in a corporate environment. I spent 11 years at Telstra and while I was there I worked in one of their small legal teams at Sensis where I worked in corporate security for five years as an expert witness, giving evidence in court on behalf of usually the prosecution about the telecommunication records that Telstra was collecting. So that was a fascinating job and one that I moved on from in order to lead a fraud team, which is, as you mentioned, where you and I met and had the opportunity to work in fraud, which is again, just a different style of security. When I left Telstra, I took a year off and had my second child and then I had an opportunity to apply for a job in Hong Kong as the head of information security for a power company that covered four countries. However, I thought that was a bit of a stretch for me, I did the interview and I flew up to Hong Kong and met the team there and essentially got the job. It was a pretty crazy three and a half years and I probably got 10 years experience in that time. I made a decision to surround myself with really strong technical staff because I knew that that was how I would lead the team to the success at the end of our strategy. I absolutely saw those guys in Hong Kong as my peers and together, we delivered a cybersecurity strategy face to face to all 5000 staff which was a huge accomplishment.
Although I was sad to leave, I came back to Australia in 2015 and I spent a year as a head of information security at Sportsbet. After that, I went out on my own and built my business and I really wanted to run a company that was giving back to the information security industry. But there were plenty of cyber consultancies out there, and I really thought that recruitment was an area where there were not many companies doing a great job around security recruitment. So I took the opportunity to take all my skills across my career and provide a product to market which both gave recruitment and interim leadership services. So, I work as an interim leader as an interim head of information security, for example, while I also recruit my successor, and that to me gives the CIO which is usually the boss of a head of security, the opportunity to reduce risk straightaway, they don’t have an empty seat when they’re hiring. I can use my network and my experience to help really find the right candidate to put into that chair. So I have been passionate about the security industry for the last 20 years and continue to try to serve that industry in the best way that I can.

Clare Pickard : 

Wow, what an extraordinary career to date. You talked about how security works in a corporate environment. The demand for cyber professionals is increasing. Can you give us an understanding of the different types of roles that you find in cyber security?

Claire Pales : 

Sure, I think no matter how big your organisation is, there’s a number of functions that the security team needs to execute and services that they need to provide to the business and whether or not that happens from within the team or using outsource partners. Most organizations big and small, need a number of security services to be delivered. And some of those are quite technical. And so you might need to hire or obtain capabilities around testing of software, or you might need to find analytical skills. So you might look for security analysts. But you also need the sort of more assurance and audit and governance side of security. So most organizations would have an information security policy. A lot of organizations need to make certain legal or regulatory requests. And so for that you need some people in your team that can help you to make sure you’re aligning with those compliance needs. So there’s sort of two sides, I guess. One side is quite technical. And, you know, we’ve talked about testing of networks. That includes roles like penetration testers and security control testers. There is also the side where we’re looking at the more governance and then above all of that you’ve got the leadership. So you might have a head of information security, you might have a cyber security leader, or you might have a chief information security officer. And no matter what their title is VP of security, the most senior person in the organization will usually have a role around security communication as well. So dealing with the board, dealing with potentially an audit committee dealing with third parties, and being able to be the voice of security. So there’s a lot of skills in information security that are not solely focused on having a computer engineering degree or a software engineering degree, for example, there are many jobs out there that require you to have soft skills, such as analysis or stakeholder management or leadership.

Clare Pickard : 

What would be a typical kind of study background and the key skills and attributes that are most important?

Claire Pales : 

There’s not a typical study background for cybersecurity professionals. There are Information Security qualifications, you can get all the way down to TAFE level. At bachelor level, masters PhD, there are lots of dedicated security courses that you can do. There’s also the more traditional style like a computer engineering course or an Information Systems course. And then there’s also I guess the background of those people who come out of professions such as risk or they come out of audit, or those types of backgrounds that are not Computer Engineering as such, but they are a typical study background, I guess, if you’re heading in the direction of governance and risk. Some of the key skills though, and attributes that I think are key for security professionals are certainly things like curiosity. They’re certainly things like attention to detail, integrity, analytical skills, questioning skills, leadership skills, and relationship skills. I think out of all of those building relationships and dealing with stakeholders is one of the key skills that an information security leader needs to work on. Because there are a lot of technically sound people out there who are brilliant minds when it comes to analysis and testing of networks. But at the end of the day, those people need to be able to have conversations, or write reports in order for clients or bosses or coax internal customers to consume the outputs of the security team. So you know, the real supporting skills and attributes are just as important as that study background in computer engineering or systems or for cyber security courses in themselves.

Clare Pickard : 

We often talk with people who might be interested in moving into a more technical, focused role when changing careers. We encourage our clients to spend time researching and exploring particular areas before they kind of make a jump, if you like. If someone was considering a career change into cyber out of some of the areas that you discussed just before, what do you think that they need to research?

Claire Pales : 

A change of career into cyber, I couldn’t recommend it more highly. I think it’s a really amazing community of professionals, and a very welcoming community of professionals who are very giving. So if you wanted to get into cybersecurity, one of the key things I would recommend that you do is to attend events and I know at the moment that’s very challenging because in person events are not occurring, but to try to join organisations such as the Australian Information Security Association, or the Australian Women in Security Network, those types of groups where you can meet other professionals who are in security already and you can then understand some of the career paths that they have taken. And secondly, when you attend events, you often hear about the challenges that the industry is experiencing and then as a person wanting to enter the industry you can think about what problems you might be solving on a day to day basis. Having that understanding of where the industry is and the types of people that are in the industry, and what you might have to therefore offer the industry, is something I think you can do independently. And it helps with your research around where you might fit in terms of a qualification that would guarantee you finding a role. A lot of people sit on the fence around postgraduate qualifications, such as certificates in, you know, a CISSP or a CISM, or those types of qualifications because, for starters, you need experience in the industry in order to even apply for some of those qualifications. But also, while having a qualification like that gives a common language, it doesn’t necessarily guarantee you of getting a job. So there are some misconceptions out there about the types of qualifications you can get, that will guarantee you getting a job because it’s not necessarily the case.
What I would say is if you have an opportunity to within your own organisation sit with the security team, talk to them about their careers, take an interest in how they’ve come to be where they are, that will open your eyes into the opportunities that might be out there for you. So coming into the security team is a great one. Understanding what the security team in your own organization does, will I guess, give you an opportunity to use your corporate knowledge of the business that you’re in and apply that to some of the challenges that the security team might be facing.

Clare Pickard : 

In your experience, what are some of the more common career paths that you’ve seen for someone transitioning into the industry?

Claire Pales : 

Certainly I’ve seen people come out of risk. I know a colleague of mine in the industry who was in the insurance space and she moved into risks around that, that sort of insurance side and then into the cyber security team and then has now built her own cybersecurity consultancy. I was talking to a cyber recruiter this week who has decided to go and get some qualifications around cyber because he’s so vested in the industry that he wanted to go and get some qualifications to upskill himself. So risk is certainly an area that people come from, audit is certainly an area that people come from, communications really amazing writers do really well in cybersecurity because we really need people who can articulate risks in a corporate fashion. I would also say that people who come out of consultancy firms have a really good ability to solve problems and work kind of on the fly. A lot of people who work in security are also ex military or police officers. So, you know, they have that inquisitive investigative mind, and they’re able to transfer those skills into the workplace or the corporate workplace, where they’ve learned them through their military career or law enforcement careers. So there’s lots of different places that you can come from in order to end up in cyber or information security.

Clare Pickard : 

That’s amazing. I certainly didn’t realise the varied career paths that some people can take into cyber. So it actually sounds like you might spend a lot of time in front of a computer analyzing data or information or working with systems. Is this the case? Can you give us an idea of what a typical day or week would look like?

Claire Pales : 

So the typical day or week, as you might imagine, can be quite varied and a lot of what security teams do is serve the business. So, yes, there are policies that need enforcement, but there’s also projects that need security advice. There’s also conversations to be had around new products that might be being launched into the market and therefore, the developers or the product or marketing teams might come to security and say “Hey, we want to launch this new product. But we’re a bit concerned about protecting the data that we’re collecting from our customers”. They could be opportunities to speak at events which the security industry is very generous with. Their time in speaking at events and sharing their experience. There’s also a lot of report writing to be done letting the board and audit committee know what’s been happening in the business. Most security leaders will be following a strategy so really trying to deliver on their own projects and their own timelines to build new security function and controls into the organization. There’s a lot of time spent meeting with different parts of the business to help them make sure they’re meeting the security obligations of the organization. And then there’s also every time a business consults with a third party and wants to contract with a third party, the security team may want to talk to that third party about “Hey, are you going to be protecting our customers data the same way that we protect it”, so there are opportunities to deal with so many different people and give advice in so many different areas where the organization can then make decisions, risk based decisions as to which direction they might go, how much security they might put in place to balance also with usability and customer requirements and also meeting regulatory and legal obligations as well. So it’s pretty intense working in security. 
And often, in fact, security professionals experience burnout because it’s a 24/7 job for a lot of people, which is probably a really good point that I didn’t mention earlier that resilience is a huge attribute that organizations need to realize when they’re hiring a security professional. Some way of testing their resilience is really key because it is often a thankless job working in the security team, and yet it is high demand and quite intense.

Clare Pickard : 

Hmm, it certainly sounds that way. So, perhaps for some of our listeners who might be at the early stages of their career, perhaps interested in starting a career in cyber, what sorts of interests or subjects might be a good fit for cybersecurity?

Claire Pales : 

So from STEM perspective (science, technology, engineering and maths), that’s often the direction that students will take to go into more technical fields. But having said that, there are now people talking about not STEM but STEAM and adding an A for arts into that and you know, there are, I guess the mindset of the person and the skills and experience they have all depend on which direction they want to go with their careers, but certainly if you enjoy maths and those types of subjects, then you might go down the path of a more technical problem solving type degree. But there is also as I’ve said previously, the communication aspect. The support for the marketing, the interaction with the government, the interaction with regulators and the interaction with third parties. Now we really need people with those strong kind of leadership and communication skills as well. So, no matter what you’ve enjoyed at school, there are many opportunities within information in cybersecurity to get a job. From a graduate perspective, the obvious graduate programs that are out there are the Big 4, so PwC, EY, KPMG and Deloitte. But then there are also the big banks they offer graduate programs as well. Telstra offer graduate programs. But there are also lots of opportunities within smaller organizations where it might not be a graduate program as such, but they often welcome in people who are early in their careers, and you can get an amazing breadth of experience. So a lot of those jobs come through networking, and as I mentioned earlier, really getting involved in either the AWS, attending events, getting known to people will really help you to get a job. If you can be part of roundtables where you can voice your opinion gets people to understand the type of person that you are on top of things that you’re passionate about within the industry as well.
So for graduates, getting a job as a graduate isn’t just about applying to graduate programs where you’re competing with thousands of others. It’s about finding innovative ways to get work as well. And I would add to that, that grads aren’t just people who have come out of university in the early 20s. Those types of actions, you know, joining different organizations and volunteering and being part of the security community. It doesn’t matter if you’re 18 or 48 or 68. You can still use networking as a really great way to find job opportunities.

Clare Pickard : 

Yeah, absolutely. And we talk about the importance of networking and building all the time. Is there any other advice that you can give for people who might be considering a career change into the industry?

Claire Pales : 

I would certainly look at the skills that you have and which of those skills you think will be transferable. So really being able to articulate where you’ve been in your career and how those skills that you’ve learned over the jobs that you’ve had, how you can apply them to cyber. So really trying to understand what you can offer to a new position in the cybersecurity industry is really important. Because if you don’t have a traditional cybersecurity background, like we’ve talked about earlier, yes, then being able to show how you can use the skills you’ve got would be extremely important. And I guess the other thing that we spoke about earlier is, you know, looking at the cybersecurity team within your own organization, and if that’s a place that you could start to learn some new skills in cyber.

Clare Pickard : 

Yeah, absolutely. Internal opportunities and like you said, job shadowing secondments are all great ways to broaden your understanding of the business and different areas of the business. So, just finally, can you tell us a little bit more about your business and perhaps how someone can find you?

Claire Pales : 

Sure. So I mentioned a little bit earlier about the work that I do in providing interim leadership services and also recruitment services for heads in information security or chief information security officer roles. I’ve been doing this for the last four years and I found that most of my clients have been in financial services but I’m more than happy to branch out into other verticals as well, and the ability that I can provide that service to clients, the feedback that I’ve had has really been around that opportunity to reduce risk straightaway. And even though they’ve got an opportunity in the market, they’ve got somebody that can talk to the board or can look at projects and provide security advice no matter how long it takes to fill the role. So that’s my business. It’s just me at the moment. So I’m hoping that the business will scale in the years to come. People can find me by going to my website, www.27lanterns.com.au I’ve also got my own podcast called The Secure CIO, that you can listen to and you can also find me on LinkedIn.

Clare Pickard : 

Amazing, Claire, thank you for joining me. It’s been great to have you here. And I think that you’ve really given our listeners an enormous amount of insight and knowledge into the industry. Thank you for sharing your passion. You clearly enjoy what you do and I think today’s been particularly helpful for those who might be interested in making a career transition into the world of information security. So thanks again for your time.

Claire Pales : 

Thanks Clare, great to chat.

Leah Lambart : 

I hope you enjoyed this episode of Relaunch Your Career. If you did, please subscribe, share with your friends, leave a review or connect with us on social media @relaunchmecareerconsulting. If you have any questions about the episode or the work that we do, then contact us via the website www.relaunchme.com.au. Thanks for listening. Have a great day.