Hi, I'm an information security analyst
Phil is an information security analyst with a Silicon Valley-based solutions provider, enabling professionals to be more productive by revolutionising their work processes.
Although Phil now works in security, he previously held roles in which he was in charge of hiring and firing candidates for IT positions.
We chat to him about the value he places on accreditation, and what he feels are important skills to stand out in the industry.
What value do you place in accreditations?
“I think it’s important if you’re looking at specific skillsets.
“The accreditations from specific manufacturers – Microsoft and Cisco for example – are very useful to have on your CV; more so I would say than the generic higher education qualifications.
“They tend to be more specific, and the experience I have had with people that have, for example, a Computer Science degree, is that they are perhaps too broad in their scope.
“As an example I had someone who started with my old company who had done a foundation degree in CS, but when it came to the real world they’d done a little bit of everything but not enough to be able to deliver an end to end solution.
“So, in previous roles, I’ve employed people who have done a computer science course and they’ve done a bit of Java programming, a bit of HTML, and a bit of networking – all useful in the general scheme of things, but when they came into the workplace and I asked them to set the Microsoft printing up, they had no idea.”
How did you get into IT security as a career?
“A few years ago I was fortunate enough to get quite a lot of work on security aspects and projects as, while I was at a management level, I was looking to get more hands on again with technology.
“I hold two accreditations in ethical hacking so know a lot about hands on technologies which mitigate against hacking – so protective white hat hacking as opposed to undermining black hat hacking.”
What does your job role entail?
“I focus on hacking our own systems in the same way that criminals would in order to identify vulnerabilities before they do.
“While this part is hands on, I also deal with policies, procedures, training and offering advice for members of staff working in specific technology areas such as servers or networking.”
How would you describe IT security?
“The principles of security are to look at the risk – what would be the impact of a breach against the three main areas of responsibility – confidentiality, integrity and availability – if any of those were to be breached, what would the impact on the business be?
“You break that down into different systems, for example database servers or web servers – if one of those was breached what would the impact be?
“Then, when you have the impact on a scale of one to five for example, you would then have to carry out a risk assessment – what are the chances of that breach happening?
“That includes business continuity, from natural disasters like pandemics leading to staff shortages, or power outages, to confidentiality, so by asking the question, is our network secure?
“We look at all the different elements around risk and then, taking into account the impact, you come up with a risk score, and then you can calculate which risks are too high and need additional controls put in place to reduce them.
“That can be from using white hat hacking to social engineering e.g. sending a spoof email out with a link to see who clicks on it.
“We’re continuously testing to improve our security across all areas of the operation.
“It’s very important to note that when working in security you might not need to be an expert in a particular technology area, you have to be a generalist – you need a good understanding of the network but it would be a Microsoft or Cisco expert who actually implements the fixes.”
What advice would you offer a young person looking for a career in IT security?
“CompTIA Security+ is a certification I would recommend for new candidates, as it’s a good introduction to the different domains of security – the social engineering, the vulnerability side of things, the depth in defense and the different aspects of security.
“Beyond that, if you’re studying for a Cisco certification then you’re likely to have a good grounding in IT already.
“And, if you’re fresh out of college and want a career in security then I would say definitely get the CompTIA A+ IT Technician.”
When you were in a hiring and firing role in the past, what sort of things did you look for in a candidate?
“If a candidate was looking to get into their first IT role, focusing on maybe a technical support role, I used to look for someone who had put the effort in to get something like a CompTIA A+.
“It was always good when they explained their interest in IT and what sort of things they’d have done in their own time as well.
“I’ve interviewed some people who have built a PC at home, but everybody has done that these days – I was always looking for something a little bit more advanced than that.
“Any other training, or voluntary or work experience in technical environments is really valuable as it shows commitment.
“Obviously someone who has got an accreditation is going to do better in an interview than someone who doesn’t.
“I would definitely have focused on someone who had a CompTIA A+ and also a CompTIA Network+ over someone who had a degree, because it shows that person is focused.
“These credentials are also relevant to today’s technology and the A+ as technical support and networking is very much part of that.
“The accreditations someone has were the first thing I looked at and I used to discount CVs if they didn’t have anything listed – it simply saved time due to the large volume we received.”