Getting into cyber security

Dieter Vandenbroeck, Belgium

From university to EY, tell us about your journey to a career in cyber security.

Shortly before I graduated as a master in computer science in 2012, I had no idea what I wanted to do with the rest of my life. During the year I always put off thinking about jobs and starting my career, mostly because I didn’t have a good view on all of the different options I had. My technical background, interest in security and a case study about EY consultancy during an oral exam pushed me towards the start of this journey.

We often hear about high-profile cyber attacks in the news, how does that influence your job?

On the one hand, the attention from the media ensures that people are becoming increasingly aware of the risks that our new way of living brings. We live in a world where fridges and toilets are connected to the internet, where customer require flexibility and companies make a shift from brick-and-morter shops to 24/7 online presence and where huge parts of our lives involve an internet connection. Too often the focus of organizations is only on the user experience and being first, without thoroughly considering the risks related to their products and services. I’m a huge fan of webshops and online / mobile banking, but I am aware that attackers try to profit as well.

When more people are aware of the risks, attackers are less likely to make victims without putting in a lot of effort. The evolution phishing emails went through is a perfect example: a few years ago phishing emails could be detected without any effort due to bad spelling and a lack of trustworthiness, but people still feel victim. These days even security professionals have a hard time distinguishing between an authentic email and phishing, but the success rate of attackers is much lower.

The awareness has also reached top-level management and regulators, who are gaining a better understanding of the risks and the challenges in managing these risks. Many companies started late or underestimated the seriousness, making them vulnerable to attacks. Most big organizations have put cyber-security high on the corporate agenda, protecting themselves but also their customers.

What is the ‘typical’ cyber-security profile, is it the young hacker wearing a "hoody"?

The association between cyber-security and the typical hacker image is well known, but rather incorrect. In our team we have ethical hackers: upon request they will hack the client’s systems and applications, and help the client in re-mediating vulnerabilities found during the tests. This mimics the type of attacks that will be launched by people with malicious intentions, but with the intention of preventing potential disasters (such as online banking fraud and data breaches exposing customer information).

Building an organization that is well prepared to handle all kinds of cyber-attacks is not just an IT problem. This is still a common misconception, even amongst the biggest organizations. When the HR representative forgets a map containing the latest employee information, this will be a major item in the media. Employees will be disgruntled that their information is leaked, the organization itself will suffer reputational damage and may even be fined by the privacy commission. When a finance representative confirms a large money transfer based on an urgent (malicious) phone call, the organization will suffer financial damage. In both cases technical (IT) controls would be useless; everyone within an organization needs to contribute to a secure environment, because the human remains the weakest link.

This is a huge challenge for our teams. Our different backgrounds (including IT, linguistics, criminology, physics and economics) enable us to focus on all aspects an organization needs to take into account to protect against cyber-security attacks. In the end, all of us work on the identification and remediation of risks related to processes, people and technology.

What have been some of your highlights over the last five years?

One thing I’m most happy about from the last five years is the broadness of my activities during this time. I’ve worked directly with a large amount of small, medium and large organizations in different countries (Belgium, Netherlands, UK, Luxembourg and the US) and I’ve learned that every one of these organizations is unique. The culture of an organization is extremely important and can never be fully described or compared. Of course this also means adopting your approach and way of working to the customer; this can be challenging but helps understanding challenges and the type of solution that would work. Not to be forgotten, this is also extremely valuable as a person: being pushed out of your comfort zone and having to adopt to different environments helps you growing as a person, something valuable for non-work activities.