Blending creative insights into security and risk
"Blending creative insights into security and risk while unlocking sustainable value for clients" is how Mai Moodley, head of department for financial systems and processes at the State Information Technology Agency, would describe his career in one sentence.
Moodley, who will be presenting at the ITWeb Security Summit 2016 at Vodaworld from 17 to 19 May, describes IT security as a fluid field. "IT security combines both a solid technical grasp as well as requiring an understanding of the risks associated with how people, processes and technology interoperate."
Speaking of how he became involved in the IT sector, Moodley said his undergraduate degree was in business information systems and information systems technology. "While completing my studies, I was fortunate enough to start working with the University's IT department in student LAN support."
Since then, he has had a diverse career: he has served as a senior systems auditor and as a security architect with a leading retail bank, supervised IT LAN support services, and been a panellist and examiner on the IT programme of a national tertiary institution.
"Other posts that I have held include serving as a trainee accountant, a senior risk consultant, a principal consultant to managing a security advisory services function and serving as an acting chief risk officer.
"My articles, extensive speaking and teaching engagements presented and published both locally and internationally in India, Kenya, Ghana, Botswana, Tanzania, Zimbabwe, and Zambia, span a wide range of industries and topics such as auditing, fraud, security and risk management to unlocking the strategic value of technology."
On getting involved in the IT security space, Moodley says his dissertation for his MBA was based on the security measures which banks adopt in online banking. "At the time that I was working on my dissertation, I was involved in systems auditing and found that many of the risks which I was evaluating had security implications. As a result of trying to contextualise these security implications and how they affected the organisation, I found myself gravitating towards a career in the IT security sphere."
He adds that while he has moved in and out of an IT security role over his career, he has found that the insights and skills which he acquired always served him well. "For example, understanding security is often about understanding how people will respond to the controls which are implemented and how (and whether) they will modify their behaviour to bypass these controls. Having this insight is just as useful in a security role as it was when I was an acting chief risk officer."
Future security professionals
Anyone wishing to become involved in the IT security field must understand their own strengths and use them as the basis for entry, he says. "Strong technical skills may provide a valuable entry for candidates wanting to get involved in securing IT infrastructure.
"However, for balanced career progression, these candidates will need to develop skills in (for example) policy analysis, development and implementation. Moving from purely technology to mainly dealing with people requires a sense of adaptability to understand how a policy which may work in one organisation can be difficult to implement in another. The opposite also applies. My own approach has been to alternate the positions which I have taken between the technical and management streams."
Moodley cites the example of how he went from being a principal consultant with a multinational vendor overseeing a major identity management rollout to writing the SOA security patterns for the rollout of a system for a national government department. "In this way, it is possible to retain and improve both the management and the required technical competencies."
He adds that candidates should also focus on obtaining a solid education. "The IT security field is incredibly competitive, and candidates need to ensure that they are able to not only differentiate themselves, but that they can offer tangible value to prospective employers. Obtaining a solid education, coupled with the right experience, also allows you to be able to be more in control of selecting where and with which organisations you want to work. In the absence of adopting this approach, the challenge is that the candidates may find that they are unable to make the most of opportunities."
Underpinning all of this would be knowing yourself, explains Moodley. "By understanding which aspects of the IT security field interest you the most and what you want to do, it is easier to channel your efforts. While this may sound straightforward, there is often a tendency to focus on obtaining skills or experience based on what is currently in the headlines. By the time these skills or experience are obtained, the market could (and probably would) have shifted. Notwithstanding the need to have a balance of technical and non-technical skills, these efforts should be built on understanding and leveraging your own natural strengths."