Cyber security spotlight on... Sarah Kingham, recently qualified security consultant

Joining the profession

08:00 Wednesday, 27 October 2021

UK Cyber Security Council

After completing a Forensic Computing and Security degree in 2020, Sarah Kingham began a training program with cyber security consultancy NCC Group. Following six months of training, she qualified five months ago as a junior security consultant – and, as part of our “Cyber Spotlight” series of interviews, sat down with us to tell us more about how she got here and what she’s doing now.

How did you begin your career in cyber security?

I took a very traditional route to get into cyber. My degree was focused on computer security, and I had a clear idea and mind-set of wanting to get into the sector on graduating. By getting involved in community events, such as notable conferences and Defcon chapter meets, I grew my network and met new and amazing people who already worked in the industry. I also got involved in our university cyber security society, starting out as an attendee and later building weekly workshops as a committee member. The society attended CTF [Capture The Flag] events all over the UK, which was great to learn more about the types of issues found in technical security assessments.

I applied for roles with companies that specialised in penetration testing or cyber security in general, and was fortunate to fall into my place at NCC Group during my final year of university.

Which individual has had the biggest impact on your cyber security career, and why?

People that give back to the community, or who are willing to take the time to share and teach others about what they know, stand out to me. Starting your journey and being in cyber isn’t a solo affair. People work together in many different ways.

A student named Sophia McCall was one of the first people I saw speaking at a conference. She had the biggest impact on me and my cyber security career, as she inspired me to get involved in community events and apply to do my own talk the following year. Another notable figure in the industry for me is InsiderPhD; her YouTube videos are great resources to learn from and, quite frankly, she’s smashing it.

What's your advice to anybody considering entering a career in cyber security?

If you’re new to IT in general, I would 100 per cent suggest taking the time to learn about computing from the bottom up. It can be very hard to understand computing concepts such as networking and web protocols. Take time to learn the fundamentals of how things work, rather than just accepting that you can, for example, find X when you run Y tool.

Have fun with cyber: join a CTF team and start participating in challenges with other like-minded people. There are a lot of resources available, for free, online. If you’re interested in a specific area of cyber security, go through labs and training and try and enjoy getting to know your area of interest. Speak to people in that area, get involved in the community. Although it’s daunting when you first show up to a meeting, more than likely there’s someone else in the same boat as you that you can talk to. Or there will probably be someone there that you talk to, that knows a person that knows a person that specialises in your area of interest.

Summarise your role now, and what's the best part of it?

I am now a penetration tester/ethical hacker, which, on a day-to-day basis, means I look for vulnerabilities in existing systems. It’s always great finding a juicy critical or high vulnerability in real-life scenarios, and also great knowing that you were the one to find it before anyone sinister does. A big part of the job is teaching clients and others how to fix these vulnerabilities.

How would you summarise the UK’s current cyber security capabilities?

Security-oriented and constantly developing, improving and learning.

And what do you think would strengthen cyber security skills within the UK?

NCSC, the Golden Valley Project and CTF competitions all help. Organisations, projects and events like these help the next generation to be aware that cyber security is a career choice and that it’s actually fun to get involved in. Given a platform to learn, students will be able to explore the vast world of the cyber security industry. Having younger people interested in cyber will help massively to strengthen cyber security skills in the long term. For example, CyberFirst hosts CTF events for students to introduce them to the tooling they might need to get to know better later on in life… although I would hope there would be breakthroughs in tooling also.

Actively encouraging diversity in the industry would massively strengthen cyber security skills in the UK. Having people with different backgrounds and experiences will encourage new perspectives and ways of thinking. They always say two heads are better than one, and you definitely need two people that think differently to tackle problems, sometimes!

What are the three most important issues currently facing the sector in the UK?

First, the growing landscape of IoT devices. Security is expected to keep up with the rate of change and development and that means new technologies can lack security. Following on from this, technology is more readily available and used by the general population. A security mindset does not come to everyone, and users of these new IoT devices may be subjecting themselves to additional risk by using them.

With new areas of cyber security comes a need for new skillsets. We need more people involved in niche areas of security to ensure that we can keep up with the demand and need for penetration testers.

What’s the most common misconception people have about working in cyber security?

That we are all people in hoodies hacking in dark rooms… I mean, yes, we do wear hoodies sometimes, but for the most part we work in offices or - in this day and age - from home, or in corporate settings. Even the 1337-est [most elite] security researcher has to face corporate people from time to time and you need to be able to talk to them. Soft skills are just as important as technical skills and it is important to keep that in mind when applying to work for any kind of security company.

What is the single most frustrating part of your job?

None! Perhaps I’m too new to have any bugbears yet?

NCC Group is a cyber security consultancy covering areas such as software escrow and verification, cyber security consultancy and managed services.