As with many roles in tech, people tend to have little idea what it is that I do on a day to day basis. ‘So, what do you actually do?’ is a question I’ve got used to answering and it’s exciting that more and more people are asking me, so hopefully this helps…
A large part of my role is understanding two different areas. I walk the line between what the client wants their product to do and how we can best achieve that securely.
When a client wants to build a new piece of technology, I have to be clued up on how the technology will work and how it will be built, and act as the client's subject matter expert in providing security assurance.
I don’t do any of the coding or architecture, but I have to know the right questions to ask. This means I have to ask developers many questions on what they are doing to manage security or how the intricacies of the technology will work. Only by knowing all the ins and outs and granular details can I identify the risks involved. In practical terms, this means doing security risk assessments of the technology design and wider processes and highlighting risks that will need to be managed.
We work using Agile methodologies and use a DevOps model to build technologies, so things are constantly moving and improving. In such a dynamic project, I have to be in regular communication with everyone involved in order to keep things up to date. It is not just this one fast-paced project: the whole industry moves quickly, so I need to keep up to date with security industry trends and ensure we consider any emerging threats that may be relevant to our environment.
As well as understanding how the technology will be built, I also have to keep the client’s requirements in mind, understanding what it is we’re aiming to deliver to users. I spend a lot of time talking to clients to understand what it is they are expecting and offering advice and guidance from a statutory and regulatory perspective, and more often, the impact to their business.
I spend a lot of time talking to people but also get involved in a lot of written work, including drafting policies, strategies, scoping documents, conducting data privacy impact analysis and submitting formal recommendation papers. It is rewarding to consolidate all the knowledge, step back and see the bigger picture.
Once I understand the project, and how it will be developed, I have to move back and forth between the client and the development team to make sure that every part of the build takes security into account, as well as managing the delivery of security policies and processes and ensuring everyone is signed up to best practice longer term.
Some teams may find security a blocker when we constantly question everything with ‘how does this impact security?’, but if the project isn’t secure, I haven’t done my job.
The project will largely be focussed on ensuring the product is delivered on time and to budget, so it is important that security becomes an enabler and works with all teams to integrate security into process, including security operations, service operations, incident management and even HR and procurement. This means engaging with a wide range of people and switching my brain throughout the day to tackle different audiences.
If a client comes to me with a well-informed query on a security risk, it means I’ve managed to get the importance of security and risk management across and we are all on the same page. It is important to encourage healthy discussion on security versus business impact; we are here to enable the business and support decision making. If security is in the room and having challenging conversations, we are going in the right direction!
Of course, there’s no better feeling than seeing a project you have been part of go live. Knowing that it’s out there and it’s delivering for clients safely is always exciting!
If you like the sound of this role, check out our Careers page.
Written by Alex Marsden, Cyber Security Assurance Manager