Under The Hoodie is a weekly series where we talk to people about their journey into tech. It focuses on the intersection between life and career. UTH Week 8.
Simbiat is an Information Security Professional, who is currently a program lead for CyberGirls fellowship. In this Under The Hoodie edition, she tells us about her first encounter with cybersecurity, and her passion for helping a lot of women get into the field.
What was your first encounter with cybersecurity like?
I grew up in Okene, Kogi state—had my secondary school education there too. After I finished secondary school, I wanted to study medicine, so I applied to study Medicine at Ahmadu Bello University, Zaria.
I didn’t get in, so I had to wait for a year. During that time, I decided to work at a cybercafe that belonged to a family friend.
At the cybercafes, we used tickets that gave people time slots between 30 minutes to an hour. There was this one customer that would come around, I don’t remember his name but I can never forget his face. He would buy one ticket and use it for several days, sometimes up to a week.
I thought it was suspicious, so I told the owner of the cybercafe. She had a tech-support person who came around and looked into it. The support guy told us that the customer had been pausing the time using a combination of keys on the keyboard.
I found that intriguing and decided to read more about it. That was when I first came across the word “hacking”. I was instantly hooked to it. I read everything I could find, and when the next JAMB came, I applied to study cybersecurity at the Federal University of Technology, Minna, Niger state.
How did your parents react to your decision to change courses?
They were not too happy with it. I made it worse by picking cybersecurity as both first and second choice on my JAMB form. My father could not make sense of it? Who does stuff like that? [laughs]
Anyway, it worked out. I scored less than I did on my first JAMB, but I got admitted to study cybersecurity, and that was where the real journey started.
How was school? Did they teach relevant things?
Yes. At first, it was hectic because we did Maths, Geography, Technical Drawing, and a number of other courses I had no interest in. But, I always had access to the course handbook, so I knew we would get to the relevant parts eventually.
But a lot of things we were thought were really applicable in the real world. Back in school, our lecture curriculum used to change every year and it got me pissed off because it meant we couldn’t use the materials from the previous set. However, I have come to learn that it’s because cybersecurity itself is a fast-developing field. Things get outdated really fast.
Also, when I was in school, I was part of a self-study group where we learnt extra stuff outside of the curriculum. That helped a lot. I have learnt a lot on the job, but what we were taught was pretty much enough to get an entry-level job.
So, what’s your day-to-day in cybersecurity like?
As a cybersecurity engineer, you have to implement solutions to protect against cyber threats. You need to understand your environment and tools. For instance, if you’re working with a data-loss prevention tool, you need to understand all the sources of data and configure security for all of them. If there are 10 sources of data, and you configure for just six, you’ll be exposed on four ends.
My day-to-day is around threat intelligence, incident response, and monitoring events to ensure they do not become incidents.
What do those mean in layman’s English?
[laughs] My day-to-day is to ensure that I have visibility into happenings in the organization, so I am able to track things that are out-of-place and prevent them from becoming security incidents.
In your opinion, what would you say are the most important qualities for someone in cybersecurity?
I think communication is very important because there are many stakeholders involved. Cybersecurity leverages several entities—the people you’re trying to protect, the people handling the environment, etc. Sometimes, you need to strip away the professional jargon to help people understand what you intend on achieving.
Then, there’s patience. Cybersecurity can impede the work of certain people, so it’s understandable that they are averse to it. However, you have to be able to bring them around, and that requires some patience.
Then, you need to be a fast learner. As I’ve said earlier, it’s a rapidly evolving field and you can get outdated really quickly.
Can you share some of the tools you use for your work?
I use a Security Information and Events Manager to get visibility into the environment. There are threat intelligence platforms—there are a lot of them you can choose from depending on your environment. Then finally, vulnerability management tools. The rest of it is processes, procedures, and policies.
What are the common mistakes you see organisations make as regards cybersecurity?
For organizations, I think it would be investing more in tools, than in the human capital manning these tools. Regardless of how good these tools are, you need people who are adequately trained to use them, if you will optimize their functionalities.
In line with that, you frequently have people managing multiple roles in cybersecurity despite being hired for one role. For instance, someone could be hired for incident response, and during the course of their jobs, they have to handle information security, digital forensics, and a couple of other roles.
Some people argue that it allows people to have a diversified experience, but in a fast-developing field like cybersecurity, that is not always a good thing. Organisations should encourage people to go for depth [specialisation] instead of spreading them across different roles.
Do you have any advice for your fellow cybersecurity professionals?
Right now, certifications are a very big deal in the industry. Many people rack up certifications because it helps validates their knowledge to their employers. But then, I’ve met a number of people who treat these certifications the same way they treated school—they just memorize stuff for the certification exams, and forget after. I have also met a number of people who are very good at what they do but don’t have many certifications.
Of course, I don’t think certifications are bad, I take at least one every year. However, I think people should be more focused on acquiring skills, than racking up certifications.
What are the cybersecurity tips you use in your everyday life that some readers could benefit from?
Everything and everyone can be hacked. However, the point of cybersecurity is making it as difficult as possible for hackers to get to you. The more energy a hacker has to expend hacking you, the less likely you’ll be a target.
There are many things I think people should be more careful with. For instance, randomly clicking links on social media makes people prone to phishing. If someone sends me a link via social media, I always ask to know what it’s about first. Then, I go to google to find the link myself.
Also, there’s the bit of giving out too much information. I’m quite paranoid about who I give my information to. I’ve even turned down an anonymous gift because I wasn’t sure who the giver was, and didn’t know the vendor.
To be fair, the second time I did receive an anonymous gift, I was more comfortable receiving it because I knew who the vendor was. Even at that, I didn’t give out my address. I think that is something a lot more people should do.
At the top of your career, what do you see yourself doing?
For me, the top of my career would be community building—which I have already started. I love cybersecurity and would love for a lot more people, especially women to get into it. Recently, I and a group of friends started a community called CyberGirls to provide mentorship and guidance for young women coming into cybersecurity.
If I had a lot of money now, I would quit mainstream cybersecurity and just focus on bringing as many young ladies as I can into the ecosystem.
Young women interested in cybersecurity can reach out to Simbiat via her LinkedIn or Twitter. People or organisations interested in volunteering or donating to CyberGirls can visit the website for further instructions.