What the Tech?!

Kathleen Abols_edited.jpg

Kathleen Abols

Cyber Security Analyst at RBC

Interviewer: Lucas Wong

Q. In your opinion, what are the most important qualities for being successful in cyber security?

If I had to narrow it down to just a couple of key qualities I’d say: curiosity, a meticulous eye for detail, and integrity. Curiosity is a major asset not only because the cyber landscape is constantly evolving, but I think it lends itself well to cultivating the type of person who is constantly asking questions. What does ‘X’ do and how does it work? Why do we do ‘X’ this way and not a different way? What are the risks of doing ‘X’ a certain way? This curiosity and an attention to detail are incredibly helpful to identifying, mitigating, and preventing vulnerabilities. Oftentimes, doing something with security in mind can be more costly in terms of time/effort/money, thus why I think integrity also plays a key role. Many cyber security fields deal with sensitive data, and poor decisions can lead to catastrophic harm. This can have serious implications from both a moral and financial standpoint.

Q. What is something you enjoy about being in cyber security? 

I (like probably every other computer scientist in the world) absolutely love solving puzzles. I’m also always trying to figure out how things work (and sometimes how to make them stop working). In cyber security you get to look creatively at things from both sides of ‘making’ and ‘breaking’. If I was an attacker, how could I break this software and conversely how could I defend against that? I also love learning new things, so I enjoy that cyber security constantly makes you do just that.

Q. What are some examples of day-to-day tasks one might do as a cyber security professional? 

That would vary greatly depending on the job itself. Perhaps you’re a penetration tester so your job might involve testing the latest app update by using various tools to try and break it. Maybe you’re into more purely analytical work in which case you could be using data science techniques to catch money launderers. There’s also malware analysis, where you could be investigating/reverse-engineering malware artifacts to prevent future attacks. The list goes on and on with things like: digital forensics, network security, cryptography, security compliance, research, etc. 

Q. What is a common misconception of being in cyber security? 

I think one of the most common misconceptions about being in cyber security is that it’s a narrow field that you must have always been in/interested in to excel in. In reality, it’s a massively broad field as noted in the previous question. A lot of the people I look up to in industry have told me that they didn’t start their careers in cyber security, but then through happenstance or exploration fell into it and realized they really enjoyed it. Many of the experiences shared with me were along the lines of, “I didn’t think I had the skills/qualities/programming background/etc. because I wasn’t into bug bounties, capture the flag competitions, etc.” I myself used to think this way too because my conception of cyber security was mostly related to network penetration testing, which didn’t really fit my interests before I realized that the field was more than just white-hat hacking and working for CSIS.

Q. What's some of the biggest challenges of working in cyber security?

I think [some] of the biggest challenges are the human-related aspects of it. I like to think of it in two categories: human error, and human desire. Factoring in both of these things is critical to fostering a defensible cyber ecosystem, but unlike an encryption algorithm, we can’t mathematically prove a solution’s robustness for these categories. Say I build a really great antivirus – I have to balance its protective abilities with what users will tolerate. In terms of fallibility to human error, if it’s easy to make mistakes setting up permissions it may lose some/all of its protective ability. Likewise, if the cost of using it (e.g., permissions are too rigid, makes your computer slower, annoys you with pop-ups) gets to the point of outweighing the desire for protection, people just won't use it. People will often disregard security if it gets in the way of something they prioritize. A lot of cyber attacks don’t simply rely on technology, but also social engineering – taking advantage of that human error and human desire to make their attack successful. Whether it’s crafting targeted phishing email, getting someone’s security question answers through a seemingly innocuous online quiz, or simply leaving a USB-drive in the parking lot hoping someone plugs it into their work laptop – many attacks don’t try to “break through the fortress’ wall”, but rather try to trick someone into opening the front door. It can be a challenge to keep in mind that your security solution is only useful if people are actually using it, so you have to think beyond just the technological aspects and consider the human ones too.