'The best security people are self-taught'
What Johann van der Merwe, director and lead security architect at Telic Consulting, loves about information security is the need to learn new things on a daily basis.
He became interested in electronic and computer engineering as far back as high school. During his undergraduate studies he stumbled upon a security analysis of a communication protocol, and from his third year he started to read more about security.
"By coincidence there was a post-graduate research and development project the Natal University ran in partnership with Armscor and they were looking for someone to do the security on the project. From there the information security journey started for me and it was a natural progression into the IT sector when I moved from the research and development environment to corporate."
He did a few years' security research and development work while doing his PhD part-time, and then moved to the Deloitte information security advisory team as a junior consultant in 2006.
"In 2008 I reached manager level and then moved to PwC. Here I completed my PhD in electronic engineering, specialising in information security, while working and got to senior manager level. I was also the information security competency lead and travelled around Africa working mostly on telecommunications networks."
Deciding to spend a few years in a corporate role, Van der Merwe joined De Beers as the global head of information security/CISO. "My role was mostly focused on establishing the information security capability integrated into the global physical security team. My team made significant security improvements mostly on the plant control and physical security systems."
Following his time at De Beers, Van der Merwe decided to return to consulting and joined Accenture where he became the information security practice lead.
"I always had the objective of being part of a smaller, highly specialised information security company. I then made my last move to join Telic Consulting last year where we focus on security architecture, engineering and analytics. We do very interesting work aimed at solving hard security problems and helping our clients to deliver complex technology-enabled business solutions securely."
Speaking of what he enjoys about his work, Van der Merwe says security is an exceptionally broad field. "For example, you can spend your entire life specialising in network security specifically. In addition, over and above the security aspects, you also need to have a good understanding of a lot of technologies."
The other side of the coin is that the value of good security is not always understood by business leaders. "In many cases something bad needs to happen for them to get a wake-up call and drive security improvements. Second to that is the frustration that some people think you can tag security on at the end of a project or solution design. This almost never works."
Speaking of the advice he would give students wanting to become involved in the IT security field, Van der Merwe says: "You have to be really passionate about security to succeed. The best security people are mostly self-taught. They make a significant investment in educating themselves. Don't expect to learn what you need to know at university."
He adds that, besides technical skills, soft skills such as the ability to write good reports, good communication skills, and the ability to sell your ideas are also critical for success. "Take every opportunity to work on those skills."
Lastly, he advises students to start actively building a network of fellow security practitioners from day one. "By this I mean establishing real, mutually beneficial relationships. You will thank me later for this advice."
Talking about the events and developments in SA's security arena that stand out for him, he says he has seen much growth over the last 10 years. "As cyber security incidents (locally and internationally) make headlines, the awareness is increasing and organisations are investing to make security improvements. A major development is the resulting increase in demand for security skills. Globally and in SA it is hard to find really good security people."
Would Van der Merwe have done anything differently? "One mistake I made was not to invest in my software programming skills over the years. A lot of technical security problems can be solved, and are caused, by code. The root cause for this mistake was when I did my PhD part-time. It consumed me completely from 2006 to 2010. In hindsight I would rather have spent that time coding. At least it is never too late to recover."