Despite common perceptions, cybersecurity professionals come from all different walks of life.
From Eagle Scouts to Wall Street refugees, the cybersecurity space is bursting with people from all different backgrounds. Even forestry professionals like Sunil Mallik have found their way into the space.
Head of Data, Application and Platform Security at Discover, Sunil’s journey to cybersecurity has spanned across the world from the rugged woodlands of West Africa to the halls of Deloitte. But how exactly did a chemistry major and former timber specialist make it into cybersecurity? And how has his outlook on the industry changed since he first joined cybersecurity?
Find out below in our conversation with Sunil.
FROM THE FOREST TO A FIRST JOB IN CYBER
Although some cybersecurity professionals follow a straight line from cybersecurity education directly into a cybersecurity career, a huge segment of the cybersecurity workforce has entered the area from other fields. Some, like Sunil, even find their way into cyber almost unintentionally.
“I always liked things that are tied to cybersecurity – like technology and gaming – but in the beginning cyber wasn’t the initial path I chose to go down,” said Sunil. “Instead, I got my undergrad in chemistry, then I did my master’s in forestry. From there, I spent a year in Liberia and worked for a timber logging company in West Africa but I knew I wanted to eventually transition into a different career path. So, to further my studies I came to the US and attended Virginia Tech, where I got my MBA and I also got my master’s in accounting and information systems. With that background I got into one of the big four accounting firms, Deloitte. That’s where I started to transition a bit into cybersecurity.”
“At Deloitte, I started my career in the technology risk area and then segued into cybersecurity given that cyber risk is an integral part of technology risk. For example, in technology risk, you are looking at how an organization is managing the risk related to confidentiality, integrity, and availability of data. Then most of the advisory work is tied to how well the organizations apply the IT general controls to manage the risk. To just bring some relevance to cybersecurity, risk professionals assess how well the entity manages their cybersecurity risks related to network security, availability, application security, and so on. This just kind of happened naturally and was something that I was really interested in.”
BECOMING A CYBER EXECUTIVE AND GROWING AS A LEADER
Following his initial foray into cybersecurity work, Sunil worked in a variety of roles and job functions at Deloitte including spending several years of his decade-long tenure designing cybersecurity programs, controls, and implementing technologies related to cybersecurity for federal and civilian agencies as part of Deloitte’s cyber risk services team. However, after 10 years at Deloitte, Sunil left the company to take on a more senior role at Freddie Mac.
“At Deloitte I got to really do a lot of different things and build different skills,” said Sunil. “But after 10 years I decided to leave Deloitte to grow my career and I came to Freddie Mac where I was the Business Information Security Officer (BISO). Becoming a BISO is a great way to take on more responsibilities because a BISO is kind of a mini-CISO for a particular line of business that does a lot of the same things a CISO does just without some of the external-facing tasks. For example, as a BISO, you are basically translating security risk to the business, telling them where they need to focus and help them address weaknesses in their environment. So, it gives you the ability to gain new hands-on skills while also taking on responsibilities across all Cyber Domains.”
In addition to added responsibilities in terms of day-to-day work, Sunil’s role as a BISO gave him his first true opportunity to lead a team of cybersecurity professionals – something he had always looked forward to.
A few years into the BISO role, he got the added responsibility to lead and manage the Security Architecture, Assurance and Advisory role and the “unique and enjoyable experience to manage a large cyber team,” said Sunil. “Managing a team really shows you how many different types of skillsets and personality types exist in cybersecurity. So, one of the biggest challenges as a leader is finding ways to make sure that everyone is participating in the discussions and breaking down any barriers that exist so that everyone can share information and feel comfortable. This was one of the best lessons I’ve picked up thus far and I may not have gotten it if I hadn’t had the chance to lead a team.”
WORKING TO CLOSE THE TALENT GAP
As Sunil has become more entrenched in cybersecurity, he has worked hard to change perceptions that exist around the industry. Most specifically, he has tried to highlight the current oversights that exist in recruiting individuals to the cybersecurity field as well as working to dispel myths about what it takes to be a cybersecurity professional.
“There are a lot of misperceptions about what it is like working in cyber and the skills you need,” said Sunil. “And as I began to work in the space, I began to get a deeper understanding of what skill sets are actually required and what makes you really successful in cyber versus what the perception is. I think I really started to get an understanding when I started managing teams. I could see who the top performers were and what attributes they had and how it matched up with what the perception is.”
“One of the biggest of these myths is that you need to have a cybersecurity or technical degree. For example, if you look at it, cybersecurity degrees have evolved in the last, I would say four to five years. Prior to that, it didn’t even exist as a dedicated or a focused area where you could go and get a college degree – but still we ask for it in recruiting just out of habit.”
“Within cyber, there is the governance risk and compliance domain, there is the vulnerability management domain, there is application security domain. And not all of them require you to even have a technical degree. I mean, we have programs that just do outreach and awareness training. For those, you need to understand the users more than the technical areas. So you definitely should not let a technical degree prevent you from pursuing a career in cybersecurity.”
Sunil also noted that while certifications and other formalized benchmarks are helpful in learning, they should not serve as the end-all, be-all.
“Certifications certainly help to give affirmation and validation that you have knowledge in a certain domain area, but that should not stop you from applying and that should not be a hard requirement for certain positions in cyber,” said Sunil. “Pursuing certifications can be very time consuming, and people have busy lives. Therefore, just because someone doesn’t have a certain certification doesn’t mean they don’t have the knowledge, skills or dedication to be a cybersecurity professional.”
LOOKING FORWARD TO WHAT IS NEXT IN CYBER
Cybersecurity is one of the fastest growing and exciting industries today. And despite some ongoing growing pains, Sunil is eagerly looking to see what is next for the industry.
“Cyber has changed in so many ways over the last couple of several years, and will continue to do so,” said Sunil. “Cyber is an active part of boardroom discussion these days and it is getting more intertwined with our daily lives. A lot of the lessons we use to protect the businesses also apply in our personal lives. The cybersecurity community is young and enthusiastic, and the space is as collaborative as ever. Therefore, if we can get some of the wrinkles ironed out in terms of recruitment, the future is looking very bright. I would encourage anyone with an interest in the cybersecurity space to consider joining it.”