Yahoo’s Ndidi Opute discusses her role as a third-party security risk analyst and offers advice to anyone considering a career in cybersecurity.
Ndidi Opute is a third-party security risk analyst working with the cybersecurity team (also known as the paranoids) at Yahoo. With extensive experience in project management, financial accounting, retail and healthcare, Opute became interested in cybersecurity after she began working as an IT risk and compliance analyst.
In her current role working with the third-party risk management team, Opute conducts new and ongoing third-party risk assessments on behalf of all Yahoo business units. As an analyst, she collects and reviews documentation to assess compliance with Yahoo security standards, and legal and regulatory requirements.
‘The rapid growth and evolution of the cybersecurity sector was borne out of the need to protect sensitive data and the ongoing complexity and sophistication of cyberthreats’
If there is such a thing, can you describe a typical day in the job?
My day starts with looking at our tasks queue for new third-party review requests assigned to me by the team lead. This could be for new third-party engagements or existing third-party engagements with an updated scope.
I start by understanding what type of third party I will be dealing with because it drives the direction of the review and my tasks for the day. Then I move on to check my emails and internal messaging tool.
I then start working on the initial security risk assessment of any new third-party review requests or a review of scope changes. This involves working with both internal stakeholders and vendors, using both questionnaires and interviews.
My responsibilities also include establishing and maintaining compliance audit schedules and processes; and actively researching and analysing current security trends, methodologies, issues, technologies and regulatory requirements.
What types of cybersecurity projects do you work on?
In my current role and as a part of the third-party risk management team, our main focus is third-party security risk reviews. As simple as this may seem, the workload is important, because Yahoo is a global organisation and it engages a large number of third-party partners globally. All Yahoo business units, subsidiaries and affiliates engage with third parties, and every third-party engagement passes through our team for the initial and subsequent security risk reviews.
My role is very exciting. I enjoy everything about my work, because I gain new knowledge and ideas in every assessment. Some assessments are easy and straightforward, while some are complex; this makes the job less monotonous. I enjoy the variety of use cases because of the opportunity to learn about risks, threats and vulnerabilities.
What skills do you use on a daily basis that are specifically helpful in cybersecurity?
I make daily use of technical knowledge, collaborative skills, communication skills, problem-solving and analytical skills, presentation skills, attention to details, continual learning and knowledge of cybersecurity frameworks.
From time to time, I draw on my analytical skills, communication skills and risk assessment skills in a new and unique way, mainly because Yahoo is a large and global organisation compared to my previous workplace. In my first few months of joining Yahoo, I had to constantly remind myself that I am in a bigger ocean, resulting in a big shift in my mindset.
What are the biggest challenges when working in cybersecurity?
Work-life balance in cybersecurity, just like any other field, can be challenging. Personally, I believe it is important to stay productive at work and still be able to maintain and meet personal life obligations outside of work. I accomplish this balance by organising my workload and prioritising my tasks, taking breaks on workdays, taking short holidays away from work and making time for self-care and family members.
Communication can be a barrier in cybersecurity when you consider, for example, the use of acronyms, technical terms and jargons. I overcome these barriers by referring to our security glossary, and by leveraging the knowledge and skills of our cybersecurity team.
Another obvious challenge is the large volume of documentation and digital assets to be managed. Knowing how to collect, review and store these documents is very critical to my role.
The growing threat landscape is a huge problem globally. As technology continues to evolve so does the threat landscape evolve and get ever more complex. To help prevent and detect cybersecurity threats to my organisation within my own remit, I adhere to the organisation’s information security policies, complete cybersecurity awareness training, and inculcate cybersecurity best practices.
Do you have any productivity tips that help you through the day?
I have my own personal task planner for managing my workload, which allows me to organise and prioritise my daily tasks. The risk assessment process can be overwhelming. Organising my workload reduces stress and helps me to stay productive. My task planner also serves as my monitoring tool to ensure all tasks are adequately managed from initiation to completion, especially important tasks.
Following up with teammates and team leads on tasks and assessments cannot be overemphasised. For instance, some use cases or assessments can be very sensitive and/or complex in nature, such that any wrong decision or recommendation can have a serious backlash or cause the system to crash. Referring matters like that back to the team or the team lead for internal discussion helps me stay on track.
How has this role changed as the cybersecurity sector has grown and evolved?
The rapid growth and evolution of the cybersecurity sector was borne out of the need to protect sensitive data and the ongoing complexity and sophistication of cyberthreats. As a third-party risk analyst, this has caused me to be thorough in identifying potential threat issues, vulnerabilities, gaps in security controls, analysing the likelihood and impact of occurrence, and developing strategies to mitigate the threats. The growth in the cybersecurity sector has also led to more complex and stringent cybersecurity regulations. Hence, I keep up to date with regulatory changes and I also read articles about trends in cybersecurity.
The emergence of artificial intelligence and machine learning has resulted in the establishment of new roles and responsibilities in the cybersecurity sector. New training and awareness programmes are developed to fulfill learning and development needs and gaps in cybersecurity knowledge. In network groups that I belong to, I pay special attention to the group discussions and contributions on cybersecurity matters.
What do you enjoy most about working in cybersecurity?
Personally, I enjoy the dynamic nature of every day, and the uniqueness of every third-party review that I perform. Most times, I work on something different, and this makes every day different and exciting. As a result, I am exposed to different challenges, which gives me a great opportunity to hone my skills in cybersecurity risk analysis and explore a lot of new areas with the support and mentorship of my team members.
What advice would you give to someone who wants to work in cybersecurity?
It is important for them to have a fundamental knowledge and understanding of computing such as programming, networking, database management, network security, cloud security, cryptography, network security tools, etc.
Having soft skills is very essential in cybersecurity roles as well. Strong communication skills, problem-solving skills and people management skills top the list.
There are many valuable resources available in cyberspace that can help anyone get on board this sector, such as bootcamp training, internship programmes, joining professional networks, keeping up with the latest trends in technology and cybersecurity.
It is important to note that cybersecurity roles require continuous learning and development.
Overall, cybersecurity is a rewarding career and with the right skillset and mindset, a person can excel in cybersecurity.
10 things you need to know direct to your inbox every weekday. Sign up for the Daily Brief, Silicon Republic’s digest of essential sci-tech news.