“My relationship with Cyber is like when you have your first love, you lose contact with that person for a few years, and then one day, in a city, you find her at the train station, a little bit different, but with the same smile on her face that made your heart beat so fast. You start to talk with her and from that day you restart with a passionate and never-ending love story.”
Introducing Ivan Salter, a Managing Security Consultant with a breadth of knowledge and experience in all things spanning the vast Cyber industry. This month, I had the pleasure of interviewing him, gleaning valuable insights into how he got to where he is today, his experiences within the different cyber pathways, and his tips for those looking to break into cyber.
I can imagine every day is different, but what does a day in the life of a Managing Security Consultant look like for you?
Each project is a new experience. Of course, the structure and standardisation are provided by a well-developed and designed service catalogue and all the procedures and global practices we have in place. However, NCC Group is always improving and innovating so you must be prepared to learn new skills, which is why it’s important for me to always look towards upskilling. That’s why companies like yours play a key role in the cyber security training and cyber awareness process by providing external services and supporting companies in the development of their employees. In Cyber, you cannot be passive or be a conformist. The cyber threat landscape is constantly changing so you must be prepared to respond to those changes. In a nutshell, a Managing Security Consultant needs to have a solid foundation, soft skills, and technical expertise but also be able to juggle unforeseen changes.
You’ve had a range of different roles within the industry. Which role did you enjoy the most and for what reasons?
I cannot say that I prefer one role over another, but my preference is to make my own decisions; in cyber security you must have a clear, straightforward, strategic mind. Besides my preferences, I have enjoyed every single role. Some of these roles required more technical skills and hands-on experience, others more managerial skills, project management, etc. To summarise, I simply like to be in a cycle of continuous improvement.
Working in Cyber Security Governance and Risk Management gave me the opportunity to see things from the inside, from a second-line perspective, with that level of independence that’s needed to guarantee that your risk assessment isn’t biased and that there isn’t any conflict of interest.
Now, as a Managing Security Consultant I enjoy seeing things as an “external” but inwards for the client.
In Cyber Security Management you must focus on delivery and resource management. People management can be tricky and time consuming but also enjoyable.
There is no perfect role. I enjoy the roles where you get dirty, where you get the pure hands-on, the technical stuff. But I also enjoy those where you see cyber security as a top-down-bottom-up function; you have to deal with governance and compliance, evaluating efficacy and efficiency of the security controls.
Can you tell me a bit about how you got into/found your interest in IT/Cyber?
Perhaps I could explain this with an allegory. My relationship with Cyber / Information Security is like when you have your first love (the one that was so special for you), you lose contact with that person for a few years of your life because your duties and circumstances pull you apart, and then, after you have matured and endured a few challenges, one day, in a city, you find her at the train station, a little bit different, but with the same smile on her face that made your heart beat so fast. You start to talk with her and from that day you restart with a passionate and never-ending love story.
My love story started back in 2004, when I did my first Pen Test for a local TV network as an IT Security Consultant. This was when everyone had a 4-to-6-character password which was a dictionary word, birthday, or pet name. This is when you could find software firewalls, when nobody would give a penny for a cyber security strategy. However, I, as a technical person, with computers from the age of 12, loved this side of the story. The software revolution and small-size PCs arriving at our homes were the golden hen. Security was more a concern for a Department of Defence or a few big financial institutions. But for me, it was love at first sight.
Everything changed when I moved to Scotland in 2009. This is when I really got into the IT world working for Sun Microsystems (then Oracle). Even if it was not a pure cyber role, security was implicit in everything we did. I continued working until I had the chance to be an IT manager at Edinburgh University. This is when I decided to get an academic title: an Information Security MSc in Advanced Security and Digital Forensics. Obviously, this master’s degree not only helped me to evidence the knowledge that I already had but improved it and provided me with new skills. The jump to a pure Information Security role was when I started at Royal London as an Information Security and Risk Manager. Then, my professional life continued along the same path.
What would you recommend to people who’d like to enter the cyber industry but don’t want to go down the university route?
I always say the same, love what you do, love what you study. Do not do it because somebody told you that there is a lot of demand for Cyber Security experts, and they pay well. You may last a few years earning a significant amount of money, but you will be frustrated because you’re not doing something you love.
If you love it but don’t want to take the university route, I simply recommend going and receiving good advice from a company such as yours. You know exactly what the trends are and the industry demand for professional certifications. If you want to follow the more technical route, you have CompTIA, CEH, AWS, Google, or Microsoft (security certifications). If you want to lead projects, be part of governance and so on, CISM, CISSP, CRISC. If you are keener to be on the audit line, CISA, ISO 27001 Lead Auditor. If, like me, you have a passion for Information Security, take as many of these courses as you can – not just because you get a title, but because you also refresh your knowledge and add new skills to your toolkit.
Industry-recognised certifications are the best way to break into the industry. I believe strongly that due to the overall importance of cyber security, and the rise of global cyber threats, governments should fund and support those looking to switch their careers to cyber security.
About Ivan
Ivan Salter (CISM, CISSP, CIPP/E, ISMS LI and SLA, Scrum Master)
I am an Information Security Expert working currently as a Managing Security Consultant but formerly being a Local Information Security Officer, Information Security and Risk Manager, IT Manager, Cyber Security Project Director, etc. In a nutshell, I have always overseen Information Security, supported ISMS implementation and managed its controls.
Beyond my expertise and regarding knowledge, I have MSc studies in Advanced Security and Digital Forensics and CISSP, CISM, which allow me to evidence my expertise on ISMS implementation, risk assessment and control evaluation. My CIPP/E provides me with extra expertise on privacy, and ISO 27001 Lead Implementer and Senior Lead Auditor give me a holistic view on how to implement and evaluate an ISMS when I am managing it and when I am auditing it.
I am committed to providing a high-quality standard information security service to NCC Group clients as well as helping to enhance their services portfolio. I have dedicated part of my professional time to focus on my passion which is Information Security and its Governance.
NCC Group, Manpower Group, Emetel, Royal London Group, Edinburgh Napier University and The Cyber Academy have given me the opportunity to evidence my expertise in the field.
Having started in security back in 2004, my IT career has evolved towards IT Systems and above all Information Governance and Security. In my early professional years, when security was not yet a concern to many companies, I started as an IT Security Consultant and Penetration Tester. I audited dozens of private and public companies, Government institutions, hospitals, and local TV. I supported them with data protection governance, and the structures, policies and procedures to ensure DPA compliance.
During all these years I have not only gained a lot of experience in Security but have achieved many other IT and complementary skills in related areas: System Administration (Windows, UNIX, Solaris, Linux), Networking (CISCO, HP), DBA (Oracle and MySQL), Network Storage (SAN, NAS), Virtualization (VMware, Citrix, AWS), Scripting and Programming.
Specialties: ITIL certified, IT Consultant, IT Security & Digital Forensics, Penetration Tester, ISO 27001, COBIT, RDM, DPA, CISSP certified, Risk Assessment, Project management, Auditor, System Administrator, DBA, Programmer, DATA Analysis, EMEA IT Support, and Customer Services.
As a Psychologist: HR Psychologist and Special Education Technician.
Based on your expertise as a Managing Security Consultant, what are the central skills and knowledge that are crucial to your role?
I do not want to discourage those with non-technical backgrounds, but it is necessary to have a foundational understanding of ICT systems, technology, and security controls. Understand what a SIEM is, what an Active Directory is, what the Cloud is etc. If not, you will be asked about things that you do not understand. In a nutshell, a Security Consultant must be technically savvy. I do not expect somebody to immediately become a Cloud Architect, but you need to have a basic understanding of what an Azure VNET is.
You need to have a holistic understanding of security, that is, the technical side of it, as well as the governance, risk, compliance, regulatory and physical side of it. You need to have the “T” profile, have general knowledge of everything, but be outstanding in one of these areas. Above all, you need to have a passion for Security. It’s a tough job when things go wrong, and only if you love something with passion can you overcome these situations with success.
What are the behaviours and soft skills you find are often useful to have as a Managing Security Consultant?
Strong people management skills are something you’ll need if you have people reporting to you or if you lead a group of consultants within a project. You need to have good social skills and a good level of emotional intelligence. On many occasions in your professional career, you will be facing different kinds of clients, colleagues, managers, who require different answers, questions, and tones. You should always be able to get the job done without losing your direction and remember that you need to be a good team player but also self-governing.
Finally, I would say that you need to be self-confident but humble above all. You may succeed in a company by making your voice heard and throwing around a lot of jargon, but you won’t endure if you only talk and don’t show results. Be a person of action rather than words. Always respect your colleagues and keep your ego under control.
What are your main pieces of advice and tips for those wanting to break into the industry?
As I said earlier, love what you do. Read about cyber security, buy a bunch of books, watch a few videos, and if you feel satisfied and enjoyed the experience without your attention drifting, it’s because you heard Sergeant Cyber Security calling you to help this world to be a more secure place.
Then, with all that passion go and start looking for courses, certifications, sources of knowledge which can certify what you know. Be patient, do not expect to start with a senior role. It is better to start from the bottom of the ladder because that will help you gain a broader, holistic view of security. Of course, if you are a genius, shine bright and show the world what you are capable of.