Bachelor Criminology, Erasmus University Rotterdam
Master Criminology: Corporate and Organised Crime, Erasmus University Rotterdam
The main goal of my work is to make organizations more resilient against various forms of criminality related to the digital environment. To improve cyber resilience we focus on three key aspects: organisational, human and technical elements. Testing whether an organisation is vulnerable can be done in several ways, for instance through social engineering and hacking. Social engineering entails testing whether employees of an organization are willing to convey confidential information or provide me with login credentials to gain access to their systems. With these social engineering projects we aim to increase the resilience of people within organizations. Whereas social engineering focusses on behavioural aspects, hacking concentrates on the technical aspects of cybersecurity. I search all the systems of an organization that are linked to the internet in order to find vulnerabilities. These vulnerabilities vary from leaking confidential information to granting myself access to their network and finding their crown jewels. In other words, I try to gain control over their systems as if I were the system operator.
I can’t go into much detail about our projects because we guarantee full discretion to our clients. I can say, however, that we work for all sorts of organizations, from small businesses to large corporations and governments. Digital security is something that is relevant to every organization nowadays. The department I work for is usually hired as a preventive measure. We are often asked to do a check to find out what the current status of security is, find vulnerabilities and see whether the organization is resilient. Based on our findings we propose a follow-up to improve security.
Although I’ve occasionally built websites in the past, I did not really aspire to a career in IT. I was actually interested in working for the police or Marechaussee (Dutch Military Police). Unfortunately, when I applied it didn’t work out because of the large number of graduates applying and the small number of available jobs. It meant I had to rethink my options and consider what I wanted to do and which matched my competences. That’s where IT came back around. I dared to take the plunge into IT without a specific IT education. I started as a software tester to gain experience and hoped that I could do something with criminality and IT at one point down the road. Luckily that’s exactly what happened.
My biggest accomplishment is that I have managed to become a cybersecurity consultant. When I started working I had no education in IT. So I estimated my chances of becoming a cybersecurity consultant to be slim. I’ve always held onto my goal of becoming one and kept believing that I could make it. I grabbed every opportunity that came my way with both hands and now I’m doing the job I wanted to do. How awesome is that?!
You never know for sure how IT will develop. New techniques and applications come and go and all have their pros and cons. It’s impossible to stay up to date with every development. The techniques that are relevant for me depend on whatever project I’m doing at any given time. I’m always working for a specific client so whatever technique that client is using is relevant for me. Sometimes I learn about new techniques at home, sometimes while doing research for a project. It’s a lot of trial and error really, finding your way in new applications and techniques.
Another element that is changing is the increasing awareness about cybersecurity within organizations. However, cybersecurity awareness does not always have cybersecure behaviour as a consequence. That’s where we do things differently at Hoffmann: we combine social engineering with psychological research into why the desired behaviour does not occur. Then we propose technical, organisational and human interventions, of which an awareness programme might be an option. Awareness is good, but we prefer responsible cybersecure behaviour.
Also our ‘attack surface’ is changing in the sense that it is growing bigger because more and more objects are connected to the internet, especially now with the developments around the ‘Internet of Things’. This comes with a challenge in finding a balance between technical measures on the one hand and organizational level resilience on the other hand. For me personally it means that I for sure need to stay up to date on how to hack various systems.
Finally, we have to abide by laws and regulations which are also subject to change. You never know which new laws and regulations will be adopted in the (near) future and how they will impact your job. For instance: is ‘ethical hacking’ allowed or punishable? And what kinds of techniques are we allowed to use, or how intrusive can we operate? All questions which will be answered differently as new laws and regulations are adopted.
My first ambition, to work for the police or Marechaussee, didn’t work out. After some reconsideration I decided to try IT. I uploaded my resume on an IT job portal. Via that channel I got the offer to do a traineeship to become a software tester. As a software tester you don’t really need deep technical skills. Your job is to test software as if you’re the end user and report anomalies. It was the perfect way to start my career in IT and gain experience. During that period I attended relevant courses and did some self-teaching and experimenting with more technical subjects. Eventually, I had gained technical skills and enrolled in a course on ethical hacking. In the job I had back then, I unfortunately could not put my new skills to use. That’s when I started looking around again and found the job I’m in now. The ethical hacking course was the game changer that led to the career I had in mind, combining IT and criminality.
Do you have any suggestions for up-and-coming talent?
Dare to take the step and discover IT. It’s a sector of industry in which much is possible, also due to the ongoing developments. As long as you keep believing, many opportunities will open up to you.