Zalando’s Conor Murray shares his experience in the security industry and gives some advice to those just starting their tech careers.
Conor Murray always had an interest in computers. “I come from the generation that had a Commodore 64, that knows what a ZX Spectrum is and remembers playing Centipede. My first ‘PC’ was an 8086 computer with a 5.25-inch floppy drive and a 20MB hard drive,” he said.
Murray studied science at University College Dublin because computer science was not an independent degree at the time. “Oddly enough, I wasn’t too passionate about the programming aspects of my studios, but I loved networking,” he said.
After college, Murray worked as an IT auditor for four years, which he said was helpful in understanding and translating IT risk into business risk.
After a few years, he moved to the security response department of a major antivirus company and stayed there for 15 years. Murray is now the leader of the security operations engineering team working with Zalando Ireland.
“It is more difficult now to protect our company’s assets than ever before”
– CONOR MURRAY
Has a job in security changed over your time in the industry?
The mid-2000s is when we had a big increase in adware, those toolbars that pop up in your browser, or pop-up ads, spyware, and worms. I can remember regular situations where the companies we support were being attacked by a worm or a file infector, causing all kinds of destruction.
The idea of virtualization or cloud computing hadn’t really started yet and we were working with physical machines. AWS, Google, and Azure simply didn’t exist the way they do now to deploy our applications and services, and the threat landscape has changed as a result.
Supply chain attacks and ransomware attacks are now commonplace. Financial gain can be made by stealing information and then holding companies for ransom. That threat has been around long before the internet, but now it seems to be more common.
I feel like with cloud computing, we feel less comfortable knowing exactly where our systems and data really is. The limits are no longer so clear. It was easier when you had a firewall and that was the only point through which information and data could flow to/from your network.
I feel that it is now more difficult to protect our company’s assets than ever before. And it’s not getting any easier. I could go on, but one more thing I would say is automation, automation, automation. We have to be automating what we do.
What trends do you think will take precedence in product and information security in 2022?
We are still coming out the other side of a pandemic where we have all had to move to a work-from-home model, and this presents unique challenges in terms of protecting both employees and businesses.
Unfortunately, as businesses have had to transform to operate in a mostly digital mode, it has created more targets for the bad guys. I still see ransomware as the big hit, especially since cryptocurrencies can be used in these types of attacks, making them much harder to track.
I’m also concerned about the supply chain attack vector; Why try to compromise our company’s code or infrastructure when I can compromise a less secure environment that our company uses?
Which roles will become increasingly important in the field of security this year?
We’re getting to a stage where we’re handling so much data that it’s impossible to handle all of it manually, so I think automation is the way to go.
There is a growing need for strong programmers, which is why I see roles like an application security engineer or just a security engineer becoming more and more necessary.
It’s no longer enough to be someone who can see a security information and event management (SIEM) system and respond to incidents. With the advent of security orchestration and response (SOAR) capabilities in systems, we are moving in a direction where response can be automated.
I say ‘can’ because the idea that I’m going to allow our SOAR to automatically respond to an incident where it quarantines our website’s Checkout application without any humans involved would not be a smart move.
Based on the current needs of the security industry, what skills would you tell professionals to focus on right now?
My advice would be to work on making sure that you are looking to improve your skills in the areas of cloud computing. Chances are wherever you end up working they will have a cloud presence so skills in AWS, Google or Azure will become a standard requirement.
For example, I would like to think that someone who comes to work with me has AWS-related knowledge with a view to pursuing the AWS Certified Security Specialty. Also, I think certification is important and CISP still has merit.
If you are looking to get into penetration testing then OSCP is still the best.
I mentioned earlier that we need to automate. Therefore, I would recommend that anyone entering our industry have a working knowledge of at least one programming language. I know I said it wasn’t great, but I had to adjust! I work a lot with Python, Ruby and Shell programming languages.
What advice would you give to people just starting out in their tech careers?
You can read all the books and tutorials you want, but the real learning comes from doing. Therefore, I encourage people to be curious.
It’s not too hard to go and set up environments to play with the likes of AWS. This is how you learn by experimenting. I also encourage you to set up a home lab. They can gain invaluable experience by setting up their own systems, keeping in mind that even home labs can be cloud-based.
I think this will really set them apart from their peers. I know when I’m interviewing, it’s one of my favorite questions.
10 things you need to know delivered straight to your inbox every day of the week. Sign up for the Daily summarySilicon Republic’s roundup of essential science and technology news.