Sivani Peesapati Curious about a career in Cyber Security?

Video Transcription

Hi, everyone. Uh I'm Shivani. I'm going to talk to you about um uh how I built my career in cybersecurity and what it takes to build a career in cybersecurity.And uh I'm uh open to a lot of questions from one of you because cybersecurity being the field, what it is now, uh post pandemic world, it has gained a lot of momentum which it already had before the pandemic and it has just accelerated. So I know there would be a lot, lots of questions. Um I'm all there to answer um any of your questions. Um So before I go there, I just wanted to give you a quick glance on my career. Uh and uh uh how I started my career and where I am today, uh just to give you a glance on, it doesn't need to start everything from cybersecurity or you don't have to be an expert to move into that field. So I am with GE for the past 15 plus years. Uh or rather, I have been with only G for the 15 years of my career, um started uh as a developer uh in the installed based team. Um Mm II, I was lucky enough to be able to play a lot of roles uh within G itself.

Uh And uh it was exciting when I was hearing Rajni in the last session on her transition, which I myself did um within uh program management, product management and finally now into people management with the domain expertise. Um So, yeah, uh so currently I lead the cybersecurity lab.

Uh the lab perform cybersecurity testing for our healthcare products. Um So I have a team of ethical hackers who try and hack into our own devices to be able to uh get uh the issues even before the customer is able to find it or any hacker is uh getting it for the customer and creating have a trouble for them. Um Since I have been with you for a long, long time now, um I just thought uh probably I should uh share uh and since this uh talk is about career, I thought uh I should share one career advice. I value the most um that I got from my mentors uh within the uh or uh outside as well. Uh It is to stay relevant, whichever domain you are in, whichever field you are in, whatever you are doing, always stay relevant, always stay current. I understand what's going on. Uh That, that is what we take you uh to wherever you want and keep an eye on the big picture, whatever role you do be a developer, be a program manager, be a product owner or a people manager. What is important is that you understand the bigger picture uh mm in your organization in your uh wherever you are working on, what am I doing? Why doing this and what is the impact of my work on the end customer?

If you have that knowledge of the big picture, it doesn't uh it, it, it, it, it is sure that you will be able to do the roles that you want, you will be able to gain the knowledge in the domain that you want to get into. Um And my learning, I do, I, I don't look at rules. Uh mm I don't think looking at roles is important, what is important is understanding your own strengths. Uh If you understand what are your strengths, you will find the opportunities within your organization or outside and those opportunities naturally come your way if you are playing to your strength and keeping on improvising uh on your weaknesses. And that's one learning that I had and it has helped me a lot in my career progression. Uh I thought it would be helpful uh for others as well and now quickly moving on uh to cybersecurity. Uh So before I get into um talking about a career in cybersecurity, uh just to get us all uh mm into why we are talking about cybersecurity and what are these cyber attacks that are going on across and every day, uh, you learn, you get into some technical, uh, mm, uh, publication you will hear about one or the other organization being hacked, uh, 10 years, um, back, uh, somewhere around 2011, 12.

Um, if you are hacked, it used to be, uh, it used to be something like, uh, shameful. It used to be something like you should be, you should feel bad about and now being hacked is ok. And it's like, are you prepared to come back um in a short span of time, are you prepared to handle that attack? That is where we have reached. That's how sophisticated the Attackers have become and that's how this field has grown. Um So you all would have heard about uh mm uh Twitter's uh attack, right? Uh Its platform, even though it is world's most popular micro logging platform. Um The hackers went ahead and they hacked the mm accounts of uh very prominent personalities which included Jeff Bezos, uh Bill Gates, Elon Musk, uh Obama, Joe Biden, even our India's um communication Minister Ravishankar Prasad, and they started posting something and again, I'm saying it was Twitter quickly realized that that uh the accounts were hacked, they, they were able to regain it.

Um So that's how sophisticated uh the Attackers have become. That's how this, this field is growing. Uh If you haven't heard about it, maybe Marriott chain of uh hotels and resorts in the early 2020. Uh when we were all struggling with the pandemic. Um, in the first half of this year, uh, Marriott International reported that hackers accessed 5.2 million records uh of their guests and, uh, through, uh, they were able to get into their employee database, um, by getting the login credentials, uh, at one of their franchise and they, they kind of hacked 5.2 million records of their tests, um, which is a huge deal.

All of you would have heard about the solar insurance software hack, uh which, which was in the news for a long, long time because this was one of the hacks where recovery was not quick. Uh This hack went on and on for almost a year and a half. Um Just to give you a quick update of Orion software is a software that is used to mm uh we used to uh keep an eye or keep check the infrastructure and uh mm solar Winds Orion software is used by m many multinational companies like VM Cisco, NVIDIA and a lot of us government agencies as well.

And what the attacker did was they put a malware uh through Orion software uh into, into and got access into all of these companies database. And uh realizing that an attack has happened itself took almost six months. And then from there understanding how many companies were impacted itself, took a long, long time. And there was a lot of data that was around that was kind of leaked to the hackers and uh a lot of money was spent or given to the hackers to get back the systems. Uh It is one of the most notorious attacks that happened in um in, by the end of 2019 and continued until 2020 21. Um The hackers didn't even spare the Coronavirus uh mm vaccines. Uh even the vaccine research institutions were hacked. Um and uh including uh the vaccine research institution in India. Uh All of you would be hearing about the supply chain, right? Uh The supply chain crisis chip shortage and all of that and uh cybersecurity domain would not lag behind. Uh There is a lot of increase in supply chain attacks. And what we uh uh in a natural supply chain attack is you get into um you are able to go and attack a particular organization through a third party organization.

Uh like someone gets access to my house to my friend whom I have invited uh for something. So mm supply chain attacks hit three out of five companies in 2021 and it's only increasing in 2022. So similarly, Costa Rica's public health system, entire health system was attacked and uh a state emergency was declared post that attack and it was a ransomware attack. Ransomware was paid to get the healthcare system back. Uh Similarly windows zero day exploitation that happened and a phishing email was sent with the malware. People just clicked on it and uh mm because it's windows um and a lot of people use it who do not have knowledge of cybersecurity and all of that. A lot of passwords, images and user data was stolen. Now, movies and MO uh BNC player, BNC player, all of us use it to watch movies and we all want to see subtitles for the languages that for the languages that we do not understand. And BNC player had a vulnerability and what happened was in the subtitle file of the attacker put malware and which enabled him uh to access the data. Um And again, this was a huge one and uh mm lot of um you know, a lot of impact. So uh so I'll not go through all the stats. But what is important is uh professional services Hyaloid. It found that uh average spending on security has increased by the organizations because what I have shown you now, you understand, right?

But the uh the sophistication of attacks has increased. Um The the impact of the attacks is becoming more and more uh and all the sectors, the finance, government agencies, healthcare, um every sector is being attacked. And so organizations are spending more on cybersecurity domain.

Now, the spend has increased from $2337 per employee in 2019 to $2691 in 2020 and 95% of security breaches happen because of human errors. It's not because some sophisticated uh mm uh technology, it happens because humans make those mistakes. And the cost associated with ransomware threat is somewhere around 133 K US dollars. So no, now with all of why I'm talking about all of these stats is now you might be understanding that why cybersecurity as a domain is gaining so much momentum. Why it is so important that all of us uh are cyber aware and do not think that cybersecurity is the responsibility of only the it uh team um in your organization. Um And it is important that all of us understand. See um I just wanted to present the data, most of you would think that OK, somehow big organizations might be getting impacted. But see education and research organizations are the ones which are getting impacted the most healthcare, manufacturing, hardware vendors are the least.

But then um government and military communications, all of these sectors, finance and banking would be the would someone would think that financial and banking would be the one that would be uh hacked the highest, but that's not the case. So data, the user information is with the new oil now. And uh so people want that and that's where uh the importance of security as a domain, the importance of knowing uh this domain uh has gained so much momentum. Uh And that is why we are all talking as to how we can build a career in cybersecurity. So, uh as I said, we are living in this golden age uh for hackers because now uh with this pandemic and even before the pandemic started, uh there was this huge push uh to get into cloud digitization and all of that, right? So the more you digitize, the more you get connected um life becomes easier, um mm uh You, you are able to access your data from anywhere from your phone, your t your laptop. Uh you don't have to carry paper. So there is so much good that it brings but then along with that, it has also emboldened or it has also enabled the bad actors to be able to access your data and then uh do all wrong things with it or to or blackmail you with whatever information they have.

Now with all of this demand increasing um about security professionals, organizations are now struggling because uh the pace at which the digitization has uh mm in has just kind of uh mm gone ahead and the pace at which um cyber crimes have increased. Uh The and the security professionals are not getting trained in that place. So what's happening is there are a lot of security rules in the organizations that are going without being filled because you don't have the knowledge, you don't have the right skills and there is a gap and it is forcing the organizations to operate with understaffed people, understaffed teams that's for forcing the organizations to operate, uh, with people with lesser skill because you simply do not have the right talent in the organization.

And that brings, uh, the need for someone to build a career in cybersecurity. You want, uh, you are knowledgeable, you, you have that information, uh, to be able to, mm uh, you, you are, you are, you are relevant, you know, what needs to be done and then you earn a lot of money. So it's important uh that uh so now I'll talk to you on um what are the different roles that are there um in cybersecurity and 100 ft view into the careers, right? Um There are multiple roles you think that OK, it is a penetration tester or someone who is fixing the bus. No, that's not the case. There are lot of roles and there are a lot of domains within cybersecurity itself. There is a security specialist that is a security administrator that there are incident reporter, incident responder, there is a vulnerability access assessor and then there is an engineer and then there, there is a and these are all technical positions where you know, cryptography by cryptography.

I mean, uh someone who is able to uh encrypt your messages. He he is the one who will be able to encrypt the data and all of that. So there are, these are all uh technical rules, the security engineers, the security architects, the forensic experts, all of these are the technical rules and then comes uh the roles that you need. A security director, security manager AC O which is Chief Information Security Officer and all which are manage real roles. Um And these are not specifically technical, these are more about roles that you can manage the people, you know what you need to do and you define the goals of your organization. Remember one thing, nobody can be 100% secure and nobody can be prepared for the future attacks.

But you need to know what your, what's your organization's policy and where and until what you want to secure your devices, what is the right data that you want to protect? Not everything but maybe your core data, the one that is most important for you. What is it that you want to prepare? How are you going to safeguard all that? So all that is done by the management team, the governance policies, the principles that all of it, there's this entire stream of auditors, there is these auditors who will audit these policies and the technical work that has been done. So there are lot of roles that we have.

Um So if you see the multiple career options that I was just talking about, you can be a penetration tester, a malware analyzer, a cryptography professional. Um so that you, you name it, there are so many options that are there uh to build a career in cybersecurity and all of these um are today uh in demand. All of these, I and all of these are required because each has its own role to play in the organization to prevent the organization's data, uh or the organization's customers from unnecessary cyber attack. Right. Um So I've just kept uh a little uh information on what each of these roles do. I'll pick one or two to explain what exactly uh these roles do. So, uh if I talk about uh security risk manager, which has become a very important role uh in, in the current uh scenarios right there. So this security risk manager is the one who manages the adherence to the regulatory compliance. Every country uh has a regulatory requirements, right?

Uh It's a country, it's domain specific healthcare has its own regulatory needs. A manufacturing would have its own regulatory needs. Aviation industry would have its own regulatory needs, right? So the security risk manager would be the role who would uh who would manage the adherence to the regulatory and the compliance standards uh related to the systems and infrastructures that we would make. Um similarly a technical project manager. Uh mm um Rajni was talking about the product manager, right? Uh This is uh similar to one, but this is technical project manager, but this is the person who provides the project planning management and oversight for the key initiatives and implementations that you would want to do all of you would be talking about network security engineer, right at some level or the other, you would have network security engineer in your colleges.

If you are from college, you would have network security engineer in the organizations uh who maintain and administer perimeter security to the systems. They, they manage the firewalls, they manage the intrusion detection systems in the organization and all of that no threat response engineer, this role has become very, very important and in demand, um as we speak, because these are the ones who develop and handle the protection against malware.

So if uh uh if I talk about healthcare industry to which I belong to, um if a hospital calls up and says, 01 of your G system has been hacked, that's not a good situation for me. So what I would do is I'll have some of the other software in my device that would run and it could detect a threat if even before the threat has happened full blown way. And once it detects it would send a notification to my back office saying that someone is trying to do something wrong on your system. And my threat response engineers would respond, they will have the complete catalog of what needs to be done to what particular uh type of threat that's happening there. And uh this is an important role. Uh they, they kind of uh these, the, these uh they develop and handle the protection against malware, email spams and any other type of threats, a ransomware attack in progress, an intrusion happen. You are seeing a lot of uh data coming on to your firewall and all of that, this, this role is the one which is going to capture uh that and would uh respond with the right um uh controls or with the right steps.

There are other uh security awareness architect, the cybersecurity architect, again, um one of the most in demand roles that I can talk about. Uh they are the one who design, build and oversee the entire uh implementation um in terms of cybersecurity of any product um or the network because uh it's required for all across the organization, right? So, and the these are the ones who will see that the the product being built, the network being set up, the solution being delivered to the customer uh is adhering to the security standards, the security policies and the security of the com the required security controls that uh one needs as per the customer ask cybersecurity career path.

So I I just spoke about it, right. So there are multiple career options within cybersecurity. You can choose to be in engineering and architecture, career path. You can choose to be in the incident response path. You can choose to be in management and administration uh or you can choose to be a consultant, you want to be independent and you can choose to be a consultant, you can, you can choose to be into testing and hacking. So o out of these, the testing and hacking, consulting and engineering and architecture are, are very much technical. Um they need uh hands on um experience. And if you have that in you to learn the technology to play with it, uh keep learning every day, um outsmart the bad guys. These are the rules for you um incident response management and administration. Again, if you want to work under pressure, if you are or if you are organized, you have excellent communication skills, you enjoy working with people. These are the career options that you have. And um in cybersecurity, uh certifications are very, very important because it will tell you uh from the basics to what it requires for each of those uh domains that you choose. So there are multiple certification options. I'll be discuss that in detail as well.

But those certifications also would add um a feather uh to your cap if you are able to take up those certification courses as well. Now, what does one need to do uh or to get there? Uh You need the right qualification, you need the right skills, you need to learn the basics. That's, that's very, very important. Read as much as you can, you, you keep reading, keep understanding what's going on around. You, stay relevant, prepare yourself and select your path, which career path you want to be in and then look for those certifications. What are those certificates? As I told you, there are multiple certifications for each of that career path. So look for those certifications, attend conferences and meetings and practice. That's what you have to do. See, not nowhere. I said you have to be deep. Uh mm you have to be very, you keep on practicing. You have to be very technical and all. It's more about knowing what you want to do and be there. Um So as I said, you have to be certified, you have to have a little bit hand on experience technical skills, soft skills, all of this is required. Um Top three cybersecurity certifications are uh the cert hacker certification, certified, information, security professional, um certifications and compli security plus certifications. So these are the popular cybersecurity certifications. Uh the comple certifications, um uh the EC Council certifications uh and the IA A certifications isc two certifications.

These are the notifications that have a lot, lot of uh value. Um and they teach and the, the they have a good exam and uh the course is very uh is very, is in depth. A lot of organizations are getting into a tie up with. This is a AI A two and all so that their employees can get trained and certified. But even if you don't want to go for an exam, you don't want to get into certifications. I would still recommend that go through the courses. The courses are really, really good for each of these and th those courses teach you a lot. Once you go through that course, your, uh, mm, uh, view of looking into an attack when you read about it, um, would change, you will, you will read it in a way of, um, and your understanding would, would be completely different. Um, so I would recommend that even if you think you don't want to go for the certification, you don't want to give the exam, it's OK. Um Go through that courses, all these courses are available into in on multiple platforms. Um So it's good to go through those courses and then you are confident you can go ahead and give the exam, but going through the courses is very, very important uh which will give you the knowledge from basics to mm uh mm very much in detail.

Um As I said, technical skills quite good with computer networking. If you have the basic knowledge of computer networking, it will be a great on uh strong operating system internals. If you know them, it's even easier for you. Um It's good if you know any scripting language and then uh if you're good with data structures, all of this will help you. If you want to get into the technical career side of it, you want to become a hacker, you want to get in and an ethical hacker, you want to get into an incident responder, you want to get into an architecture road map and all of that. Um these are the skills that are we already needed. So, uh that's where I would um end my session uh again, repeating um when I got into cybersecurity uh product management. Um So I did not uh do the certifications first, right? Uh Because I had hands on experience and all of that, I got started, but slowly I started getting into uh reading about it, get uh doing those courses and all of that and it really helped me. So I would recommend that get started with those courses. Stay relevant, keep reading, reading, reading a lot of things. Are there being published nowadays? So keep reading. Uh it's going to help you a lot.

And if you are excited about the career, if you want to build that career, uh go for some certifications, read through, choose the right path that suits your uh requirement as well as your uh enthusiasm. And then sure. Thank

you. Amazing, Sivani. Thank you so much for this awesome presentation I think um just while we're still uh while you're still staring, sharing the screen, uh Aika asked to navigate to one of the previous slides. And I think that was the slide about the different certifications.

Uh There was so much information and so many useful resources. I think in your slides that uh either you can uh maybe share your uh slides again or you can just uh copy some of the information in the chat. It would be, I think really useful for our audience because uh yeah, the there was just so much useful info. Um I really like to, you know, starting from this, not so much expecting whether you're going to get attacked, but when are you going to get attacked? And I think this maybe in the past something that uh you know, people with more power or with more information were concerned about, but nowadays, it's just relevant to basically everyone. Um So yeah, what would you actually um recommend to the general population? I think there was a comment. Uh yeah, by Revathi, not just organizations need to think about their cybersecurity, but more awareness to be created among common people. So to say, to identify and address cybercrimes, do you have any thoughts on that? Any recommendations or? Yeah, any direction.


I would say, yeah, that's a good question. So I would say uh even this thing is something that I keep talking to my family and uh extended family, right? Uh Just in when uh just be aware uh understand that cybersecurity is not an it team's responsibility or it's not a cybersecurity team's responsibility. All of us are equally a stakeholder to uh into it and the basic knowledge that anybody can be attacked and we carry a smartphone, we keep connecting internet uh entire day. So it's important that all of us have a basic knowledge, we don't unnecessarily access applications that we really don't need to. Don't give permissions in your phone to access your phone data. Uh unnecessarily if it is needed only then provide that and then don't say that, go ahead and use it forever. Maybe it says that just for this time, select that. Uh remember one thing if there is an application which is free, the cost is you. So don't, don't just think that ok, this is an application which is free. Let me just go download it, use it. This is a uh there is some kind of quiz that has come on Facebook. I have to just fill it.

It will give me some rewards, don't get into it. All of those are tricks to collect information from you, right? So be aware, maybe the basic information, teach your kids. That's the, it's very, very important being the mothers, being the women in the family. Uh it's important that we are knowledgeable enough. We know those basics you don't have to code, you don't have to go fix an attack. But it is what is important is, you know, enough to protect your family right from, from, from some attack. Somebody sends a message that the you you have won some some money. So just send your details of your credit card or your debit card or your address and all of that uh just know that these are all tricks, nothing comes free. And so you have to be aware so that awareness is very important. And I can again tell you there are multiple courses about basic cyber awareness on multiple platforms. Be it linked in udemy anywhere you can go through those courses, those courses will talk much more than what I'm spacing. But it is important that all of us the technologists, whichever mm uh uh career path we choose whichever domain we belong to. We are aware of these basics, these basic tricks and these basics that all of us are kind of uh prone to attacks.

It's just that we can delay it as much as we can if we are aware and we kind of are sensible enough to not get into something wrong knowingly. That's what I

can. Yeah, absolutely. I agree with you that at the moment there's so much you have free resources, you, you know, we would often go for convenience and there's also such an overwhelming amount of information, you know, just it comes at us every day. So it's easy to become deyn size. So I completely agree with you on that. We have another question actually, more about the certifications. I think that everyone is uh you know, really into the, the hard skills. So to say it's uh you know, uh Rajni was sharing more about soft skills and uh I like that you are kind of on the other side more about the courses and the technical skills that people would need about the certifications if you, uh, if those are available, uh, online and if you have any particular recommendations for, for courses.

So I told you, right, uh, Comp, Tia Plus EC Council is a A and ISC two, you can do certifications from all these four. Uh, most of these certifications are, there is a course that you have to go through, you have to read basically. Um, they are not very easy uh or neither, they are very difficult but they, they ask you basics. So you just go through, do your reading and then whenever you are ready to give the exam, just go ahead and give the exam and if you pass you get the certification. Um but those courses that reading is available in multiple platforms, they have good books as well. You can put, you can purchase a book, read it or else you can do those courses on the online platforms as well. That is also very uh mm uh very much available. Uh I have done multiple courses on Udemy, uh linkedin Learning and all of that. So that way it is possible, Adriana, you are on mute. I'm not able to hear you

well. Um Thank you so much for your amazing session today. We get lots of positive feedback from uh the participants in chat.