Making a mark in cyber security
Claudean Zheng’s knack for hacking landed her a career in cyber security, one that has been dotted by stints in both public and private sectors
When computing graduate Claudean Zheng was looking for a job during her final year at the National University of Singapore, she came across an opening for an IT consultant at EY that paved the way for her career in cyber security.
She was called up for an interview, during which she showed her knack for hacking when she was asked about how she would break into an application. At the time, she had no experience in cyber security, but was somehow able to provide her interviewer with answers on how to circumvent the existing controls in the application.
Zheng eventually landed her first job at EY, but in a role that would see her take on projects related to cyber security. She received training in areas such as extreme hacking before she went on to secure industry certifications such as the Certified Information Systems Security Professional (CISSP) granted by the International Information System Security Certification Consortium (ISC)².
From EY, Zheng progressed in her cyber security career, including stints at the Monetary Authority of Singapore, a China-based financial technology company and her current role as the Asia-Pacific head of technology risk and controls at insurance firm AIG.
Her day-to-day job at AIG includes looking at various technology risk regulations and risk management guidelines across Asia, ensuring the company is compliant and that the necessary security and risk controls are in place and adhered to.
Zheng’s team also monitors and tracks potential risks for the company and surfaces them to AIG’s senior management if needed while making sure that all risk-related issues are tracked and acted upon.
Throughout her career in a highly dynamic field, Zheng has had to keep abreast of the latest technology risks as well as the tactics, techniques and procedures (TTPs) employed by cyber criminals. “It will be best if you have a good foundation in terms of technical skill sets, because it makes it easier for you to understand issues and threats,” she says.
Half her team are women, which is a rarity in the field, given that women remain under-represented in cyber security. According to a 2020 cyber security workforce study by (ISC)², just 30% of respondents in Asia-Pacific were women – though this figure was higher than that of North America (21%) and Europe (23%).
From her experience working with diverse teams, Zheng says having women on board brings a diversity of views that improves decision-making. “It helps the team to crystallise ideas and decisions, and some studies have shown that organisations that have more women on their board of directors tend to perform better than single-gender boards,” she says.
“People with similar experiences tend to think in a certain manner, but sometimes women might bring in a different aspect that nobody was considering,” she says, adding that diversity also means having people from different backgrounds on the team, beyond gender mix.
Some threat intelligence teams, Zheng says, may also rope in people with an economics background because they want to look at the economic and political factors that could determine which types of threat actors to be wary of. “This is where someone with a non-technical background could complement the cyber security work we do.”
To encourage more women professionals to join their ranks, some organisations have started mentorship programmes to guide those who are new to the field. At AIG, there are also similar programmes in place to foster women’s leadership and diversity in the technology field.
Mentorship
Zheng is also a mentor at the Association of Information Security Professionals, which runs a mentorship programme that provides career guidance for young cyber security talent. She is currently mentoring an undergraduate at Singapore Management University.
“She’s very bright and knowledgeable, and she’s trying to find her way around the technology space, specifically in cyber security,” she says. “Through our conversations, she’ll be exposed to what someone in cyber security does and she’ll find out if it’s a passion she wants to pursue.”
As for the challenges in the job, Zheng says it’s often about getting someone to recognise cyber security issues.
“Sometimes when you bring up a valid vulnerability to, say, the application owners or those in charge of a project, their first instinct is to defend themselves and say that it’s not an issue,” she says. “We’ll have to find very relatable ways to explain how the issue could manifest and have a huge impact.”
Zheng advises women who are looking to enter the field of cyber security to remain undaunted, especially during the early stages of their careers, as long as they have the passion and interest in how cyber attacks are carried out. “They should have some background in technology and as with all other careers, it takes a lot of hard work,” she says.