We’ve seen a lot in the news about cyber security recently, especially during the massive shift to work from home during the COVID-19 pandemic. You may remember there have been questions surrounding Zoom’s ability to provide a safe platform – so much so that Dropbox focused on it during its Hackathon last year.
There are many reports on the skills gap within the Cyber Security space in Australia and around the world, and I’m often asked by candidates what path they should take to get into the industry, so I’d like to share the path of one of the experts.
Before the lockdowns, I met up with Hemi Gur-Ary – Co-founder and CTO of Vata, a DevSecOps boutique consultancy, and Partner at Polarys, a Cyber Security advisory consultancy. We discussed his path to becoming a Cyber Security expert, certifications, and the skills and attitude necessary to be successful in the industry.
RC: If movies have shown us anything it’s that we love an origin story. How did you get to where you are today in cyber security?
HG: It’s a career-long endeavour. I started working when I was 15. In Israel it’s more common for people to finish high school but I dropped out doing this hacker thing. I didn’t like the traditional school system. I did my school degree and later, when I was 26, a formal economics degree.
I was working in banking to provide for myself. I was an online banker at one of the medium sized banks in Israel. I was with the technical team in support. We also did sales and all the online banking and trading, but it was more and more technical and later I was advanced into a junior cyber security role. I joined a team of two people and within two years I was managing ten.
RC: That’s explosive growth…
HG: Yeah, that’s what we’re talking about when we talk about the skills-gap. A lot of people inside cyber security don’t really understand how it works in banks, and how things have changed over the years. In Israel ten years ago, there was a tenth of the number of the workforce we have now in security architects and technicians in banks.
So, my background since 2010 has been in security architecture and management. After my roles in the banks, I did some Security Architect contracts and then started Vata and later Polarys with my friend Mike Partush. We are now one of the best at understanding application security problems, because that is what we used to do when we worked at our previous corporations.
RC: Were you always interested in technology? Was it part of your life growing up as well?
HG: Yes, I was using it since the age of eight. I was programming websites for money at the age of 17 so was kind of familiar with technologies. I wouldn’t say I was involved in anything fishy, but I did know what hackers did and how they do it. The biggest thing we wanted as teenagers, was a robot to keep our chatroom open for us. Because if there’s nobody there when you go to sleep, it’s empty. It’s like the trade name of your group and people can take it over. It took us out of treehouses and into the virtual world. It still happens in Facebook and places like that where administrators kick each other off for certain reasons, but we’re not twelve anymore.
I was understanding how you can take people off the internet, but I was really interested in economy and was sure I wanted to do economics. The role just fell on me. Today it’s a little bit harder to get into the cyber security space, but there are a lot of people from different backgrounds because cyber space is remarkably diverse.
We now work on different kinds of application security which is a subset of cyber security and it becomes more and more specialised because there are so many challenges.
RC: What are your thoughts on certifications in Cyber Security?
HG: I’ve been professionally certified since 2009 as a security expert, Certified Information Systems Security Professional (CISSP). So, when you want to work for the Federal Government in the States, and you want a manager role in cyber security you need either CISSP, CISA, or CISA.
It’s funny. Some of the more technical guys, more non-conformative people would say, “Who needs the certification? You just know that you are the best.” I think in Australia people appreciate the tradies a lot of times and people who are underground doing the work. So, there are sides to both.
When I was beginning, everybody wanted to be the Chief Information Security Officer. I really wanted to do an MBA, but I don’t want to do it anymore, I invested my resources differently. Different titles have no appeal for me now, you know, I have my freedom and I have become an independent business owner.
RC: What do you look for in a candidate or someone wanting to get into the industry?
HG: Before you spend any money on courses, or anything, start working on it yourself. There are so many apps and groups around Australia. Melbourne is a little bit livelier than Sydney, but there are so many places you can learn how to program and do cyber security for free. There are many communities. I wanted to be more available for one-on-one mentoring but it’s impossible at this moment but there are certainly people who are. You can use LinkedIn to match up with mentors.
I’ve had two mentors who made a big impact on my career, [but] it’s mostly self-driven.
Passion is a little bit overused and hard to measure. But it’s definitely a passion for the role and alignment of the goals of the role that I look for. A lot of people can be passionate for information security, but not passionate for the role that they’re currently working in, or they only see it as a step to their career.
And so I look for passion for the role and passion for the profession, it must come together. Cyber security is one of the fastest paced technological roles out there and there are a lot of technological roles. In security everything changes around you all the time.
Previously in application security, your company might have worked on one programming language, let’s say Java, worked on one specific type of server with one specific framework, but it doesn’t happen like this anymore. Now everything has changed. We give a lot of freedom to our employees to match and choose the different solution stacks.
We also want to have mobile phones with digital information. You might have a mobile app, and somebody develops something else right now, and suddenly you need application security for your company. Or the strategy of the company can change and revolve around you and you can be in the same role and suddenly learn a bunch of new things. You need to be able to adapt quickly.
RC: What else do you attribute to your and Mike’s success?
HG: We are collaborators. We don’t mind talking to anyone and we appreciate everyone’s opinion and understand everyone has value to add. We civilly discuss it. We look at the benefits of the organization. We innovate. We are highly technical, and we are highly strategic. In Israel, everyone is militarily trained right? So, there’s a little bit of military training in us. Also, there’s the previous work we did and the economics degrees that we both have. Lastly, again, the passion.
I hope getting to know Hemi and his career path in Cyber Security was as interesting to you as it is to me. Hemi and I also spoke about some of the challenges that are facing today’s CIOs and CTOs, and I’ll cover that in a separate article. In the meantime, if you have any questions or need access to top talent from the ‘passive market’ that you won’t find on the job boards, please get in touch – you can call me on 0422 297 274 or email email@example.com
About the author Ross Chandler: I manage the ERP, Tech and Digital Recruitment desk for Norwest Recruitment. I’m an Accredited Professional Recruiter with the RCSA (Recruitment, Consulting and Staffing Association of Australia and New Zealand) and a Tech Recruitment Certified Professional with Devskiller. To get in touch, call me on 0422 297 274 or email me at firstname.lastname@example.org