Conor Murray. Image: Zalando

How has working in cybersecurity changed?

11 Apr 2022

Zalando’s Conor Murray shares his experience of the security industry and gives some advice to those starting out in their tech careers.


Conor Murray always had an interest in computers. “I come from the generation that owned a Commodore 64, that knows what a ZX Spectrum is and remembers playing Centipede. My first ‘PC’ was an 8086 computer with a 5.25-inch floppy drive and a 20MB hard disk,” he said.

Murray studied science in University College Dublin because computer science was not a separate degree at the time. “Funny enough, I wasn’t too passionate about the programming aspects of my studies, but I loved the networking,” he said.

After college, Murray worked as an IT auditor for four years, which he said was useful for learning to understand IT risk and translate it into business risk.

After a few years, he moved into the security response department with a major anti-virus company and stayed there for 15 years. Now, Murray is the security operations engineering team lead at Zalando Ireland.

‘It’s harder now to protect our company’s assets than it’s ever been before’

Has a job in security changed over the course of your time in the industry?

Back in the mid-2000s was when we had a huge increase in adware – those toolbars that would suddenly appear on your browser, or the pop-up ads – spyware and worms. I can very much recall regular situations where companies we supported were being hit with a worm or a file infector, causing all sorts of destruction.

The idea of virtualisation or cloud computing had not really started yet and we were working with physical machines. AWS, Google and Azure simply didn’t exist in the way they do now for deploying our applications and services and the threat landscape has changed as a result.

Supply chain attacks and ransomware attacks are a regular occurrence now. There’s financial gain to be had by stealing information and then holding companies to ransom. That threat has existed well before the internet, it just seems to be more common now.

I do feel that with cloud computing, we’re less comfortable knowing exactly where our systems and data actually are. The boundaries are not so clear any more. It was simpler when you had a firewall and that was the only point through which information and data could flow to/from your network.

I feel it’s harder now to protect our company’s assets than it’s ever been before. And it’s not getting any easier. I could go on, but one more thing I’d say is automation, automation, automation. We’ve got to be automating what we do.

What trends do you see taking precedence in product and information security in 2022?

We’re still coming out the other side of a pandemic where we have all had to move to a work-from-home model, and this presents unique challenges in terms of protecting both employees and businesses.

Unfortunately, given that companies have had to transform to operate in a mostly digital mode, it has created more targets for the bad guys. I still see ransomware being the big hit item, especially since cryptocurrencies can be used in these types of attacks, making them much harder to trace.

I’m also concerned about the supply chain attack vector; why try to compromise our company’s code or infrastructure when I can compromise a less secure environment that our company uses?

What roles will become increasingly important in the security field this year?

We’re getting to the stage where we’re dealing with so much data that it’s impossible to handle it all in any manual manner, so I believe automation is the way forward.

There’s an increasing requirement for strong programmers, so roles like an application security engineer or simply a security engineer are ones I see as becoming increasingly required.

It’s not enough any more to be someone who can look at a security information and event management (SIEM) system and respond to incidents. With the advent of security orchestration and response (SOAR) capabilities in systems, we’re moving in a direction where response can be automated.

I say ‘can’ because the idea that I’m going to allow our SOAR to respond automatically to an incident where it quarantines the checkout application of our website without any human involved would not be a wise move.

Based on the current needs of the security industry, which skills would you tell professionals to focus on right now?

My advice would be to work towards ensuring you’re looking to upskill on the cloud computing areas. It’s likely that wherever you end up working, they will have a presence on the cloud so skills in AWS, Google or Azure are going to become a standard requirement.

For example, I’d like to think that someone coming to work with me would have AWS-related knowledge with a view to pursuing the AWS-certified security specialty. Also, I think certification is important and CISSP still holds merit.

If you’re looking at getting into penetration testing then the OSCP (Offensive Security Certified Professional) is still the one to beat.

I mentioned earlier that we need to automate. Therefore I’d recommend that anyone entering our industry have a working knowledge of at least one programming language – I know I said I wasn’t great but I’ve had to adapt! I work a lot with Python, Ruby, and shell scripting languages.

What advice would you give people just starting out in their tech careers?

You can read all the books and tutorials you want, but the real learning comes from doing. So, I’d encourage people to be inquisitive.

It’s not too hard to go and set up environments to play around with on the likes of AWS. That’s how you learn, by experimenting. I’d also encourage them to set up a home lab. They can gain invaluable experience by setting up their own systems, and bear in mind even home labs can be cloud-based.

I think this will really set them apart from their peers. I know when I’m interviewing, it’s one of my go-to questions.
