‘People, process and technology: Combining digital business and human behavior insights in the field of cyber security

’

Laura Sumajow

Advisor Cybersecurity at EY

EY

Opleiding

Bachelor Social Psychology, University of Amsterdam 
Master Business Administration (Digital Business), University of Amsterdam  

Advisor Cybersecurity, what does that mean? 

The essence of my job is to help organisations improve and strengthen their cyber security function. At the EY Cybersecurity team, which I joined in September 2017, we help our clients gain insight into their cyber security programme and strategy. We can help them to build an active defense system along with clear response procedures aimed at minimizing breach impacts.  

In addition, I focus specifically on cyber risk management. Within this topic, we help companies tackle the many cyber security challenges they face on a daily basis. For example, by simulating a ransomware attack or a data leakage incident, we were able to test an organisation’s incident response processes and, based on our observations during the exercise, were able to help them to improve those processes. At first, organisations can be somewhat skeptical to engage in such a simulation, but afterwards they are often surprised about the many factors they hadn’t considered yet and feel like they really should take action to be prepared for a cyber incident.  

We develop effective solutions using people, processes and technology, while enabling better security and risk decisions. This combination of three factors (people, process, technology) perfectly suits my study background in psychology and digital business. Ultimately, my goal is to apply my knowledge and experience to a variety of organisations, both in the private and public sector, to be able to significantly contribute to a more cybersecure society.  

 Why did you pursue this career? 

After completing my bachelor’s degree in Social Psychology, I switched to the Master Business Administration in which I chose the Digital Business track. During this master, I orientated myself within the working field of Business Administration and found out that actually cyber security is really interesting to me. However, given my study background, I wasn’t aware of my possibilities within this field. During an inhouse day at EY, I actually found out that I was eligible to apply for my current job. From that moment onwards, I became very excited about the cyber security domain. I would like to encourage other students (especially women!) to consider working in cyber security too. The job opportunities could and should be made more visible.  

How did finding a job after your study go, and do you have any tips for up-and-coming talent? 

I would give other students the advice to get in touch with as many companies as possible in the final phase of their studies, for example at events such as Career Days. You get the possibility to meet relevant contacts and to become familiar with the atmosphere within that particular company, which in my opinion is also very important. To qualify for, and actually land a job, I think it is important that you are able to express your motivation very well. Why do you want to work at this company, and what distinguishes you from others? Try to emphasize your own strengths in a concrete way. Give examples of skills you have gained as a result of the activities you have done that can be useful for that particular job. I did not have any work experience or activities that at first sight seemed relevant to cyber security on my resume. What I could elaborate on, for example, were certain capabilities that I developed during the membership of the board of a student association or the TEDx committee that I joined. It is important that you are aware of your potential. I think that future security talents have to be diverse, with a broad range of knowledge and competences.  

What has been a highlight in your current work, what motivates and excites you in your work?  

I have been working for EY for about a year now, and what I really like about my job is that you get the opportunity to meet a lot of new people and learn about a broad range of issue areas very quickly. I get to watch experienced colleagues, and there are a lot of possibilities to follow relevant trainings to expand your technical skills, for instance. In addition, working in a company like EY enables you to work in cross-competence teams. That way, I am also able to learn from different fields of expertise. A couple of weeks ago, I passed my CIPP/E (Certified Information Privacy Professional/Europe), which involves understanding the current data privacy law and regulation. I feel like I am really involved in the issues and topics that are relevant at this moment in time, like the introduction of the GDPR. You are not only technically involved with companies, but also contribute to the society more broadly. This societal impact of our efforts is a part of the job that really satisfies me.  

How will your industry or job in particular change over the next few years?  

Nowadays, you sometimes still see a separation between the technical side and the business side of cyber security. The two sides can have different interests which can conflict, for example when an application still contains certain vulnerabilities, but the board wants to launch it anyway. Although there has been a lot of improvement during the last couple of years, I hope that cyber security will get even more priority on the agenda of organisation’s boards.  

Could you elaborate on what security challenges need to be tackled and how that translates into your work?  

Sometimes it can take days or months before a breach or compromise gets noticed. The methods of threat actors are getting more and more advanced. While the focus previously was more on the prevent side, it gets more shifted towards detect and respond. For most companies, fire drills are part of the usual practice. However, there are a lot less organisations that have procedures documented or in place for when a cyber incident occurs. I think a lot can be gained when companies consider the primary cyber threats that are relevant to them (define their threat landscape), and develop appropriate incident response procedures. For example, what should all the different organisational departments do when the organisation is target of a ransomware attack? When dealing with cyber incidents in a right manner, for example informing the right authorities regarding legal issues or clearly communicate the issue to the public or customers, the negative impact of an incident can be minimized.  

How does your average, but interesting, working day look like? And what is the worksetting? 

No day is the same, which I like about the job. One day can filled with interviews and client visits, the other day with working at the office with colleagues. The atmosphere is very pleasant and open. We work in multidisciplinary teams using the latest technology and innovation is stimulated. Everyone is really motivated to make sure we come up with the best cyber security solutions.