Associate Security Engineer at Xero Australia
Bachelor of Science (Major in Psychology) at University of Melbourne
What's your job about?
As an associate security engineer at Xero, I’m supporting the development and fine-tuning of rules that we use for detecting suspicious activity in our environment and building out automations for security processes. Every week I receive a threat intelligence report for Xero which contains information on the tactics, techniques, and procedures that hackers, which we call threat actors, utilise in their attacks. I run through this information with the team to discuss actions we can take to improve our security posture and explore methods for automating this process to enable immediate action against threats. Now and then each member of the team will also run an incident simulation to highlight potential attack vectors at Xero - a favourite day of mine involved leading my team through an incident simulation where an attacker had social-engineered their way into Xero and was wreaking havoc.
What's your background?
I grew up in Perth, WA, moving to Melbourne for university at the age of 17 with no real idea of what I wanted to do. Changing careers from Physics to Psychology, planning for a future in medicine and then recognising I was pursuing that career for the wrong reasons, once I’d scraped through my Bachelor’s I decided to take the year off instead of doing Honours to figure out what I wanted to do.
Eventually, after hearing from a few friends working in IT, I decided to take a chance on that career. I did a Udemy course in web development and security and then started applying everywhere. Xero ran an office tour during the application process where I decided I had to get this job; I put my heart and soul into the interviews and assessment centre, practicing interviews with anyone I could and running through my presentation about a million times. I’ve been in the job for 13 months now - in February I “ungraduated” from the graduate program as an Associate in my official team.
Could someone with a different background do your job?
What's the coolest thing about your job?
For me, it's our opponents - learning about our attackers’ methods and malware and applying this knowledge in the development of protections that will prevent them from accessing our systems. I love games and thoroughly enjoy the challenge of tailoring your offensive and defensive strategies to your enemy. There are also the moments where you hear of breaches in other companies and the resulting fallout, reminding us of how significant our work is to our customers and business.
Limitations of your job?
I do feel the weight of ensuring we are on top of everything as it’s so easy for a breach to happen. It could be not realising a vulnerability in an old system, not having the detection for a specific attack vector, or attackers developing an entirely new method. Additionally, since security has many different career paths in itself, there are areas you may not like at all. It’s important to be aware of the various paths available, else you might not enjoy a particular type of work and assume that the entire sector is like that, which is absolutely not the case.