From University to a Security Engineer at Atlassian

View Show Notes and Transcript

Episode Description

What We Discuss with Kaif Ahsan:

  • 00:00 Introduction
  • 05:24 Why Cybersecurity?
  • 08:32 Pathway into Cybersecurity
  • 13:11 Resources for transition into Cybersecurity
  • 19:09 Cybersecurity Role Interviews
  • 22:43 Cybersecurity Certifications
  • 36:27 Soft Skills required for Cybersecurity Engineer
  • 45:54 Choosing your niche in Cybersecurity
  • 50:29 A day in the life of a Cybersecurity Engineer
  • 53:43 The Fun Section
  • And much more…

THANKS, Kaif Ahsan!

If you enjoyed this session with Kaif Ahsan, let him know by clicking on the link below and sending him a quick shout out at Twitter:

Click here to thank Kaif Ahsan at Twitter!

Click here to let Ashish know about your number one takeaway from this episode!

And if you want us to answer your questions on one of our upcoming weekly Feedback Friday episodes, drop us a line at ashish@kaizenteq.com.

Resources from This Episode:

  • Tools & services, discussed during the Interview

Ashish Rajan: Hey Kaif!, how’s it going, man?

Kaif Ahsan: Hello, goodbye morning. Good morning. Thanks. A lot Ashish for having me and good morning to all the audience.

Ashish Rajan: No problem. Now. For people I know you for some time , but for people who may not know a few what’s I guess tell me a bit about yourself.

Kaif Ahsan: Yes, absolutely. Absolutely. So first of all a big hello to everyone from the beautiful city of Melbourne I’m a migrant to Melbourne and it’s been exactly four years.

Two days ago was our for four years anniversary of our family moving here. So and I studied computer science and software engineering at the university of Melbourne. And then worked in the aerospace industry as a software engineer while I was instilled in uni. And I’m a big proponent of education and tech and throughout my uni degree.

And even now I’m quite involved in the community, which to bring more accessibility to students and help them enter the industry, help them better get. Trained. I think that my proudest moment would be working with Microsoft for the student programs, which we run across last [00:01:00] year. And I’m very happy to say that and very fortunate to be able to help thousands of students get access to the industry or get certifications, get that very much needed industry exposure.

But apart from that my love and passion resides in cybersecurity, even though my background isn’t I have been self-teaching myself for a while now, and I’m very happy to say that finally landed a role in the industry and currently working as a security engineer where me and my team are continuously working to protect 10 million plus people who use Atlassian products everyday.

Ashish Rajan: That’s awesome, man. In a way I’m really happy as well that a non-security person is passionate about security, but also I was curious why.

Kaif Ahsan: It is very interesting question. It isn’t something I fell in love in first glance. Right. So , it’s a very interesting story. So I’ll tell it.

And if some people can take some morals or takeaways from it. Sure. When I started uni, I was I was a keen being, I wanted to get involved with something I’m not sure with what, so I got [00:02:00] involved in in information security club. And after a few days there was an opening of an education officer and , me just to have a high school kid fresh out of like F and then trying to do something.

I applied for the role without looking much into the job description and , luckily for me, I knew programming from a bit before. So some of the questions they asked was okay, I managed to deal with it. And they said, okay, you have the role welcome aboard. And I’m like, cool, what do I do? And they were like, oh, you need to teach university students cybersecurity and ethical hacking on weekly workshops and go, what the hell did I get myself into?

So I was this close to quitting and saying that, okay, I’m not qualified for this, but I was like, okay, I need to save my face. So I stopped. Googling and YouTube being basic concepts of cyber security. Put everything I have learned on a piece of PowerPoint and go up there and pray that someone doesn’t ask a question because the thing I knew back then was basically on the slides.

So yeah, that’s how I slowly started getting into the concepts. And as I did more and more, I [00:03:00] slowly fell in love with it more. The main reason being, I always wanted to make some impacts the impact, the positive impact of the work is very important to me. And I saw cybersecurity’s where I mean, apart from just the cutting edge the high amount of new things coming on, which I’m sure is more or less every industry, right.

But something that really came in that I had the direct ability to help people I loved and cared about. And in the sense of protecting. So that was one of the main I would say incentives or inspirations behind me getting into cybersecurity .

Ashish Rajan: It’s an interesting way to corner yourself into an industry, I guess,

Kaif Ahsan: now that I’m here, I don’t thinkim leaving

Ashish Rajan: Vineet loved your journey by the way. So I think it’s a interesting way. to definitely get into cybersecurity So you kind of just stumbled upon it in a lot of ways just by being by the nature of being a keen bean. So , maybe the question question that I have then is cause I would just not your job at that point.

And so you kind of became a job and after that is you, did you go downthe internship path or did you go straight into Atlassian? Like what was the pathway after that? So [00:04:00] you became an education person. You’re teaching security then.

Kaif Ahsan: So, I guess it is a journey and in the sense that I knew that I wanted to work in cyber.

So I started to look I mean, obviously I was doing all this other stuff we’ll, I’ll touch upon and they played a really key part. But I guess in terms of talking about a career in cyber, I knew that I wanted to work in cyber, but it’s something I wasn’t sure how I guess. One of the biggest challenges I’ve faced is there’s so much content out there regarding security.

Like cloud security is a very big part, but it’s just one part, right? There’s so many aspects of cybersecurity. Many people I talk to who are new to cybersecurity, have a very one dimensional view of cybersecurity where it is just hackers and they are trying to hack into the system, but , it’s just a fraction of that, right?

It is a big part, but there’s so many aspects to it. So I struggled a lot initially with what I wanted to do. And then I guess I had this conversation with a lot of people friends slash mentors, who basically said that coming from a non-security background [00:05:00] actually can be a benefit to you.

And then I should play that developer background, card well and leverage on it and build my skills on it. So I guess, security engineers, one of those roles I felt. Was suited. Very nice. So I Googled people who were in LinkedIn who are security engineers. I said, Google in LinkedIn, but whatever you get to test that and see, okay, what sort of stuff they did and try to do some of those learnings, but the other things I’ve done, I think slowly made me a more.

I would say absorbed in cybersecurity, which was like, I’m listening to amazing podcasts. Like this one, I’m going to lots of meetups back when we could go to meet ups. I remember I managed to like get a student ticket for the Australian information security, the ICER conference of 2017 that had a big impact on me that the whole culture, the community just going there, talking to all these people, I knew this was like super fun.

And the student club as well. Apart from all of those, I used to do a lot of [00:06:00] self-education like books. This was part of the role and part of the curiosity , part, not that I’m a man of sheer willpower and , just pushing my way through content.

It’s not like that. It was a little bit of necessity as well. So yeah, a combination of all those led into further into the journey and just going back to the initial question which was did I start with internships or full-time and last year, I guess for me as a student, the internship route seemed more lucrative because that is the role I was most qualified for.

And unfortunately there isn’t lots going on in the Australian scene. I can say apart from Atlassian only a handful of tech companies have entry-level security roles. And there’s also the consultancies, the big four, some boutique consultancy firms, the security companies, they have it.

So even though there’s another lot going on in entry level, there’s a huge sort of activity in after one or two years if we have the industry. So even though I took the internship route, I see a lot of people work in another industry a [00:07:00] soft engineering for say for a few years and then transitioned into cyber which is very, very common.

Yeah.

Ashish Rajan: Interesting. And I think too I guess coming from a development background, it’s also interesting because what would do, I mean, I’m just thinking from a perspective that someone listening in and this is the common road for any, I guess a lot of people where everyone would go to meet up.

Everyone thought everyone would say, Hey, you should network with people and do that. But I imagine coming from development, which I guess, I don’t think they’d be cyber cybersecurity there at all. I don’t remember. I was security. So what was the biggest hurdle to come from that into cybersecurity? And I imagine because if you can answer from a perspective that people who may not have done the education thing that you were talking about, where you were teaching other people, I imagine that the hurdle a little bit more, I guess, a larger as well, I imagine.

Kaif Ahsan: Yeah. I guess I have sort of touched on it. I’m just trying to think. For me, what was the biggest challenge apart from, and I’ve touched on the content expert. Like there’s so many things people can get it. Large portion of the people I interact with are developers, right?

Because my university not that I didn’t like cybersecurity, I didn’t have the option of cybersecurity. It does just [00:08:00] does not have any cybersecurity degree at all. So everyone I talked to in the club or in the community, who’s interested in cybersecurity are developers or data scientists or whatever, but have genuinely keen interest in security, I guess the biggest hurdle then, first of all, it’s the content.

Because like, if you even think of development, right? There’s so many areas of development. There’s like web web technologies, there’s machine learning. There’s DevOps. How do people figure themselves out? Right. They start. Exploring the content, they, something like more, something less.

And they venture towards it, I guess, , with security, , if you’re not having that structured learning, which our university or even a lot of people struggle with, it’s hard to get that sort of structured learning early on. But now I think it is much more or less resolved with so many different platforms out there.

Like you have try hack me. Which is fantastic. There’s lots of CTFs, like. I like a few days ago, I saw crypto hack, which provides you like a pathway. So before hack the box and other stuff, fantastic [00:09:00] content you have over the wire and all those war games and CTFs. Right. But they expect some amount of security background or learning while doing it.

Right. Which is very, very hard. Whereas you have so many platforms these days which can really help look. My favorite is hack me. I’m not hands-on, I don’t, I’m not getting paid from them in case anyone is curious, but I just totally loved them and used them. So that structured learning is something I think we can now be a point people towards to that.

If you want to learn, let’s see get the basics and then based on the basics, divert into incident response, security engineering, malware analysis, you can now. So yeah, , that was my take on it.

Ashish Rajan: So to your point, then if there are structured, learning available. So if I’m a university student right now who wants to get into cybersecurity, I can go try hack me that will give me some basic understanding where to go of basics like networking or I dunno.

Kaif Ahsan: Yeah. All the stuff, networking basics of some programming languages. So [00:10:00] they really took a holistic approach on people not just coming from tech background. I come from a non-tech background and getting slowly adjusting to tech.

That’s also there, you have people who are very, very, very experienced in development and soft engineering. How do you. Transitioned them without feeling bored. Apart from try hack pentester lab , is again an awesome resource. The only difference from them from try hack in my opinion, is pentester lab is much more offensive focused.

The things offensive lab is a hundred percent useful as a pen tester. No surprises in there, a security engineer, red team, those kinds of things, but I’m also a security engineer. So a huge part of our roles are also the blue team and the defensive side of things.

So that also try hack me me provides. And apart from try hack me, I definitely recommend Exploring different books. I know you, you are familiar with Tanya, Tanya Janca and she has a very fantastic book. Alison Bob learns application security.

I’m a big fan of that [00:11:00] book. So , similar books can really help give a holistic picture of security and

Ashish Rajan: Ive got Tanya coming in end of the month as well. , but the reason I, dug into their tri hack pieces, because a lot of questions that are asked by people is around I’m from a non-technical background.

And I think the first couple of episodes we had this year, I think for this month was around. Someone coming from a legal background in cybersecurity, someone who was an executive assistant coming into cybersecurity. And I’ll be curious to know from others who are in the crowds, butthey have tried Try Hack Me , or what else have they worked with?

Actually tom just mentioned blue team lab is also a great resource for tests and practical certification. Oh, thanks for that, Tom. Yeah, that’s pretty awesome. So it seems to be a lot of resources that are available for folks to start at least start going down that journey. And I guess not be disheartened by the fact that, Hey, I’m not from a technology background or I’m not from a, I guess, a development or, or cybersecurity university or degree background.

So , if people are able to go down that part and say do try hack me or blue team labs or whatever, do you [00:12:00] find that that gives them enough skills to say, I guess to I was going to say pass the internship interview, I don’t imagine it would help you pass the analyst interview or.

Kaif Ahsan: It depends.

Right. And it really depends on how in-depth you have gone with the content. I mean, obviously those contents replicate the actual work only to some degree, , not entirely. So obviously there would be some limitations. I think lots of people have made into. Even professional roles with those, because you can actually go quite deep with that.

And the reason I mentioned try hack me because it is a starting point. You’re obviously not going to stay there. I mean, you can, if you want to, but obviously you’re going to start looking into different, , more things. A lot of people venture towards certifications, a lot of people start doing to get practical experience like bounty hunting.

If people are not familiar with what bounty hunting is, we can maybe touch on that. Afterwards a lot of way to get practical experience. I had a friend who. Very interesting. She wanted to do GRC and those kinds of roles. So [00:13:00] what she did is after learning the basics, he started writing mock sort of frameworks and reports for companies.

So she would have like , like Microsoft has this imaginary company called Contoso. And when you learning about different Microsoft technologies, they use a lot. So she came up with an imaginary company and she wrote a whole report. And whenever she applies, points to those projects like, Hey, , I have done these projects.

So that’s an example of how you can mimic some of that experience. So you can definitely go for senior roles based on them. Maybe not like principal security engineer or something, but More than enough for internships, a hundred percent. And even for inches beloved roles if you’re transitioning from another background or just getting started, that they a hundred percent will will.

Yeah,

Ashish Rajan: that’s awesome. And I think it also points out the obvious as well. Cause you’ve touched on this earlier about the interaction with developers, depending on the company people are going into, there would be a lot of interaction with developers. I mean, I guess you can choose how that interaction as well.

You can totally go down the path where you just do defense and security and not talking much, but I love the fact that you brought [00:14:00] up that it’s almost that there are a lot of options in cyber security that people want to, I guess, if they want to take down on the part of you can go red team, pen testing, you can go application security.

That book that you mentioned from Tanya, you can go a system engineer or security engineer as well. I find it really interesting that, , like I love what your friend did with the GRC part as well. Like this is really interesting. She went above and beyond, and I think you stand out because a lot of people, the way I, at least the questions that I guess get asked by a lot of people that I’m helping who maybe university or try and transition is more around the fact that I don’t get interview calls

and I think it’s more around the fact sometimes because they are from a non-technology background and that becomes a barrier. They’re not getting it because I haven’t done that. Now. Certificates is usually a pod that people have taken, where if I got a certificate, if its in the resume, a recruiter would see it.

And then you get qualified to the next round, I guess, for lack of a better word. Are there any certificates like that you feel are handy or were helpful for you?

Kaif Ahsan: Look with certificates, it’s a really [00:15:00] mixed bag. Thanks to my involvement with the university clubs. I had to interact with recruiters quite a bit of a lot of the times the recruiters are the people who are handling the university recruitment sites.

And I didn’t necessarily get always the best vibes from them regarding certifications. Right. Obviously please take any, any opinion about certification. It’s a grain of salt, including mine. So the I’ve seen some certain recruiters prefer certain certificates more than the other. It can vary a lot.

And and again, this is not particularly calling out on any certificate, but if I had to use a concrete example, like CEH a lot of people do CEH I haven’t personally done it. I have nothing against CEH but some recruiters I have spoken to feel that it’s not necessarily as In industry relevant in their experience.

Whereas I, I still see lots of people getting CEH and using it and even getting jobs. Right. So there’s obviously a wide spectrum regarding what to do and what not to do. I guess if you’re really interested in certificates, I think , [00:16:00] the incentive really needs to be you want to have a structured learning experience rather than just having that certificate and that’s not going to magically land you a role.

Right. Just having that certificate itself , it’s not a guarantee of any sort. I definitely want to have that message across before I give , any other advice. That being said, I personally pursued like lots of certificates myself and there’s , two ways of going about this. I think as university students who not necessarily have, might have the best financial support available the bigger certificates you, when you have OSCP always OSWE ,A lot of the SANS courses thousands of dollars sometimes.

I think that those I wouldn’t recommend people at the early stage of the career to pay by themselves. There are lots of things you can demonstrate instead. For example platforms like pen, test a lab, or try hack me when you complete certain challenges, they give you a certification, right?

And these certifications or these certificates don’t come at any cost, but you [00:17:00] still can use them. For example this is a very practical example. When I applied to Atlassian, they really preferred some Linux or some other background or FMLA familiarity with it. And pentester lab had this section called Linux fundamentals and I was like, why not?

So I had that, I did that. It took me like a day or two, and then I had that certification Linux fundamentals. And obviously in the grand scheme of things, , it might not be the most impactful certificate, but these are the small, small wins you can get. And as a student, these can really set you apart.

And apart from that and I’m not saying this because we are on the cloud security podcast, but the different clouds provider certificates are very, very useful, I wouldn’t generalize, but most of the cases you would work in a. Company or if, even if you start your own company, whatever your journey is, you will most likely end up using cloud.

And these cloud certificates are not only very cheap, but they also can give you essential knowledge. So you have Azure, AWS, those certifications. I’m pretty sure some people use Google [00:18:00] cloud too, although I haven’t come across any yet. So those kinds of certifications the Azure fundamental, so AWS cloud practitioner are very useful, wants to get into not just as a cybersecurity person, but also as a developer.

If you have that certification , you have that common lingo to speak with them. Just understand the basics from there on, you can just take on if you like it, and you like the structured learning, you can take the certification further and further. I guess , when doing the certifications.

Especially the beginner ones , there is a tendency to deviate from practical learning and sometimes be a bit more like bookish learning. I kind of felt that with the beginner cloud certifications that all you’re doing is just like yeah. Watching videos, taking notes and not actually very hands-on.

Right. So there, there is a trap of that a hundred percent be more mindful of it. I think we got a very interesting comment from Tom which which talks about home labs and practicing things. A hundred percent [00:19:00] recommend that if you can again, this is taking I would like to point out that this is Often people start offensive, but offensive side of things, learning the basics of offensive might be useful later down the track, whatever you do.

So , I’m not discouraging people from learning the basics of, you can start obviously start with that and then venture out. Later in the track, whatever you want to do, there is a certification for that.

If you want to be a pen tester or OSCP is quite good for security engineers. OSWE , is a good one.

Ashish Rajan: Think when I’m trying to get to is also the fact that the certificates are really interesting from our perspective that it helps you I guess, had that conversation and I’m going to touch on Tom’s foreign as well.

Cause he raised an interesting point about the home lab. I think having conversations with recruiters interesting is so important because how do you stand out? Like they could be 10 Toms and 10 Kaif and 10 Vineets and it could be one was to find the mix as well. And then you are like how do I stand out because there is only one role

yeah, you stand out and I think one way could be that you have relevant certificate, like in your case, [00:20:00] you they asked for Linux qualification, you went down the path of doing the Linux fundamental, which is a great strategy as well, but maybe I can, run it through a hiring manager light on the side.

It’s really? Yeah. I don’t think it’s been spoken about enough. And so I think it’s probably a great time to bring it in. , everyone’s been recruiting for a position it’s sort of, everyone’s looking for a broad role, even for an analyst. There might be a certain thing that they would have had in their mind for.

Okay. So I would bring in this analyst to help me with. I’m expecting them to learn about fake cloud or cloud security. So , not that they should be already qualified in it, but maybe if they have inclined towards cloud, I can definitely take them , to that journey of making them a cloud security engineer, secure engineer.

And I would encourage people who are applying for a job to find out, Hey, what is a gap? That’s. Because then you can answer your questions accordingly. You can honestly do some of those certificates accordingly as well. Like kind of like what you did with Linux fundamental. And if you already have an AWS one and you can actually put some meat on the bone for lack of a better word, as they would say, just by having [00:21:00] a couple of services that, , you may have tested or done that a home lab with, as Tom mentioned, I think that combination it’ll be perfect for you to qualify any job, because then it’s just a matter of, Hey, if someone has more experience than you do, then maybe that’s probably the only , other factor.

But outside of that, if you already have boxes that are being ticked off, because that’s the kind of role they’re looking for, it will be an easy win at that point. It just would be a no-brainer for any hiring manager to go, oh my God. Yes. That totally makes sense. This is exactly what I was looking for.

It’s not saying that there’s a bias because there could be a misunderstanding that, Hey, if someone says analyst that could be any kind of analyst that could be a practiced analyst, that could be. So then the way I would recommend people do this is the job that you’re applying for as an analyst, whether it’s whatever the company may be, just have a look at what kind of team does it already have in LinkedIn, which is a great information to have these days.

, I’m curious to know from your part now, we’ve spoke about I guess your development journey on to secure engineer and what was the biggest hurdle we spoke [00:22:00] about certification as well, other and I guess kind of from a skillset perspective, we touched on talking to developers as well. I’ve got a few more examples here. Vineet mentioned deploy services in Cloud. Tom mentioned that the free way to learn his podcast definitely learn the lingo. Oh my God. Yes. Actually, that’s a great point, Tom, because lingo as terminal industry is so important, so that you’re able to have the tech speak as I love it because a lot of times you go to the interview and you’re just standing out as, oh yeah.

I’ve heard of that. I don’t know where, but I think it reminds me of something. So be able to at least go. Yeah, I know that. And I’m grateful to people who listened to cloud security and are probably in university at the moment because these conversations, when they listen to this and they hear about, oh, can you talk to the developer?

So when they give us good option of developing course, I get asked the question in an interview about, would you be talking to a developer? Would you be okay with it? Oh yeah, totally. Because this is how you would fold it. So I’m kind of bringing it back to your current roles. In terms of the skillset for a security engineer, what are you kind of, where do you think are the skill set that makes a security engineer successful, I guess?

[00:23:00] And what can we

Kaif Ahsan: do? Yeah. Just before on that, I wanted to very quickly touch on the podcast thing. And I suddenly feel that podcasts have been really, really important in my journey. Like I’ve learned so much and it’s the other side of the coin or not other side of the coin, more like the missing half right of recruitment that I I’ve seen, even if you don’t have necessarily the best technical skills, if you can show your passion and your into CS, into CA.

Is, this is some of the ways you can talk about. I listened to this, podcast. I will go to these kinds of events. I do all this by myself. It’s not just showing the recruiters from a positive light, but from yourself, it is a massive, massive advantage. Like I wanted to give thanks to Ashish and the cloud security podcast.

Like my cloud journey actually began with Ashish’s podcast a lot. I didn’t know that much of structure learning a lot of the lingo, especially about Kubernetes and AWS infrastructure. How do you scale all those things, those conversations? I absolutely loved it. And we have a dedicated team at Atlassian [00:24:00] called platform security, and I was very surprised how much.

Relate to the lingo. When I listened to cloud security podcast, go back into the actual industry and I can actually get relate to them. So I get lots of value out of , this podcast. I just wanted to say on that. And, yeah, I definitely recommend this podcast to anyone I’ll continue to do so.

So that’s,

Ashish Rajan: I’ll slip you a hundred dollar bill later on.

Kaif Ahsan: Thanks.

Ashish Rajan: I appreciate that, man. I think to Tom’s point into your point it always makes me. Free grateful when I a lot of people who have gotten jobs actually were asked about how do you keep up to date? Like, it’s a very common question to ask about how do you keep up with what’s happening in cyber security?

And a lot of people have used cloud security podcast as a way , that’s, how they were getting lingo. And again, what the industry and the amount of times that the recruiter or the hiring manager knew what the podcast that and I don’t know if it has played a part in it, but I feel it did pay some part in them getting the roles.

So I, I definitely really grateful every time someone mentioned that because to what both you and Tom just mentioned, right. Even if it’s a conversation off topic that you’ve never heard, but it’s like talking to people, [00:25:00] it’s like being part of a room in a talk. You hear someone talk about, oh, what is this thing?

And then you kind of start listening. Why people use it. Yeah, what’s the point of using it? Do I even need it? Like I think I, it always through osmosis, for lack of a better word, you get to know of terms and when you ever face it, you go, oh my God. Yes. I heard about this. And then you’re like, oh, I need for my job so that you can come back to the episode or you can actually go and explore yourself as well.

So it made, it makes me really happy when that happens then. So coming back to is a soft skill. What, what would you say are some of the skills that you require as successful for our security?

Kaif Ahsan: I think you touched on it, obviously it is not just as a security engineer, any role.

I think soft skills is very, very important and I hate calling it soft skills because it’s not soft at all. It’s very hard to get

the tech side of things. I honestly think most people can get it because , , it’s black and white. You either know it or you don’t know it. And I think this is something people naturally develop or developing Gradually, when you go to all these meetups have conversation with other people and stuff.

I think as a security engineer, it is , very [00:26:00] important because I’m a huge chunk of my role is security is not isolation, right? Security is never in isolation. If it’s being done in isolation, it’s being done wrong. So it’s always interacting with a lot of stakeholders and , our prime stakeholders and customers are our developers and our engineers.

So I have to speak a lot in lot with them. So for example, when I’m doing a security review, I need to have the ability to break down. Let’s say security concept and speak with them. Like they are developers. They don’t wake up in the morning and they think, oh, I’m going to make a super secure software there.

Their goal is different, right. So I need to somehow translate my priority to their priority and sort of show that why it is important, why they should care. And that is a skill no matter , where you are, it’s going to be super important. Even if you think you’re on the offensive side, right? Yeah.

Yeah, you think, okay, I’m going to be a pen tester, red teamer. I don’t need any soft skillsthat is far from the [00:27:00] truth. Like Atlassian has an in-house red team. They do a fantastic job. , give us lots of trouble all the time. But a big part of their role is I’ve seen obviously.

Laying out the operation , in a proper way and then speak with, let’s say the CISO or speak with the CTO and getting it done B after the operation is done, they need to produce a report. What was vulnerable, how it was vulnerable having that good communication written and spoken is , very important.

You need to be able to answer a lot of developers and security engineers. Why did you do this? How did you do this? And , if you can’t explain it, it doesn’t matter, right? Like if you have I guess a , very good thing. My manager always says that it doesn’t matter if you have conquered the world in your own little corner.

If the world doesn’t know about it, if you can’t release it to the world, something like that. Right. And I a hundred percent agree on it, like, cause. Those are the skills you definitely need and need to foster. I understand that it might not come as naturally in the beginning. It did not come naturally to me.

It sort of [00:28:00] came through practice and more interacting with it, like everything else, the more you do it, the better a very basic piece of advice , I can give is when meet up, start happening again. Hopefully very soon definitely go to meetups. Talk with a lot of people.

Don’t be , that person it’s very easy to be that person I used to be that like, just stay in the corner and not talk about. I had this strategy that, okay, I’m going to always go for the guest speaker. Everyone goes for the guest speaker, how do I get him them to talk? So I would go to the guest speaker and then say, Hey, I’m from university of Melbourne information security club.

I really loved your talk. Would you want to come and give us a talk here instead and nine out of 10 times because the guests, because obviously love sharing the information, right? There’ll be like, yeah, sure. I want to come. And they would then start talking and, and expressing themselves more. So this was my strategy of how to have.

Have more visibility around people and talk with people. People can think of some ways to themselves. So TLDR I would say communication skills obviously soft skills, but [00:29:00] communication skills is , very important written or verbal. Both are very important. , in your meeting, you’ll have stand-ups you need to communicate with colleagues.

You will you’ll never work in isolation, so a hundred percent try your best. Another thing is I see lots of people shy away from group projects in a uni. They’re all there most of the time. They’re very difficult. I agree. But these difficult conversations and experiences are building , you up for the journey in the future.

Ashish Rajan: And I don’t know if you guys had this, but during the pandemic, I took an opportunity to attend, meet us from not just Australia, but from all over the world. Like we are in an online world now, and everyone else was being forced to go online, but why am I limiting myself to say, meet up in Melbourne?

Or why am I limiting myself to my meetups just in the UK or just in America? I want to know what’s happening in in the UK. I want to work know what’s happening in for cloud in the U S or in Israel, like as long as we master time zone. And it just means one day once a month or whatever, you kind of have to wake up at all [00:30:00] time to match the timezone

but you get to hear from speakers from, I guess, in my context with just English speaking countries, I couldn’t go for non-English speaking ones, but if you can, go for non speaking ones, go for that as well. And you get to kind of hear. Their perspective on this side.

And I think if when you mentioned you started all by saying you’re an immigrant to Australia. And I think a lot of people are and I think I put myself in there as well, but so we are, I guess, fortunate enough to know multiple languages. You can tune in to some of those languages as well.

Those conversations going on these days. I think a lot of people are on applications like clubhouse as well as Facebook has their new coming in, has one coming in for audio. So sky’s the limit for, how do you want to expose yourself to conversations about what’s happening in cybersecurity or cloud security?

But the reason I kind of went down that rabbit hole was for one particular thing. Right. Do you find that you knew exactly where you wanted to go and even with cybersecurity , like, oh, I’m going to be a cybersecurity engineer because a lot of people would just be like I want cyber security. And I get that question quite [00:31:00] often, but I’m like, which one, like, sort of like as a title, so cyber security and you get that title.

So how do you normally answer that question? And I guess, is there something that you found helpful for identifying those different kinds? In the context of know how cybersecurity could have, you could be an application security person. You could be a pen tester. Like you touched on a few topics that, Hey, you could be this you could be that is there an easy way to identify.

What are these different types? I guess, first of all, that you’ve got, because you would have gone on the journey where, Hey, do I want to get pen test or do I need a blue team? Or do we want to be red team? Like, what was that like for you? Like, what was that thought process like?

Kaif Ahsan: This is something you sort of learn more as you absorb more and more content. , I didn’t know. There is a whole industry about cloud security and cloud security engineering right before. Tuned into this podcast more so there’s a few other podcasts, like risky business Darknet Diaries fantastic one hacking into security, which talks about a lot of those careers. I really recommend hacking into security because they take [00:32:00] different roles and have that whole journey laid out. And then , you can see which journey you relate to the most. When I started it did not have so many things.

I would say again, this is just a lot of the exploration, right? I remember there was a phase. I’m sure everyone has this phase where everyone when I wanted to be a malware analyst and reverse engineer, like everyone has this phase . Like I said, I, I bought

Ashish Rajan: finding a bug.

Kaif Ahsan: Yeah, I bought the book like what was it, the art of hacking or art of exploitation data exploitation.

Yes, that one. And , I read through it a little bit and I was like, Nope, this isn’t about me. I signed up that malware unicorn course. So as you can see, this was a little bit of exploration without explanation. You cannot find out, you obviously start with somewhere and then pretty much venture out.

A lot of it is speaking with people like speaking with people about what they do in their role. Like, is that something that I find really interesting. So , even TV shows I sorta got like. There is a TV show called Mr. Robot. It is , based on hacking and that whole concept. [00:33:00] I don’t think there is a one single source people can learn.

There’s so many streams and I always feel that the role we eventually, or the area we decide to go with , is often influenced by the media we consume. And I’m using media as a very broad term. Right. I’m talking about social media platforms educational platforms, podcasts, many different things.

So for me, that was how I found out about different things and different roles. I guess fortunately, I wanted to tell people the message that. Cybersecurity is very broad. , it’s not one size that needs to fit all. If, no matter what your background interests are, it is very likely that you can get a role.

For example, I had a friend who was , very interested in cybersecurity and interested in training side of things, right. They not necessarily wanted to be the hacker themselves, but more sort of training and that sort of things. And now she’s working in a reputed from as a developer awareness and leading the awareness program.

[00:34:00] So that’s just one example. She learns technical stuff, but she’s not necessarily as technical. I wouldn’t say she’s the most technical, but she obviously has significant of amount of knowledge and passion on how to share that knowledge from others. Right. You not always need to be the one.

Well, who knows everything to teach others, you just need to find the right sources and how you can amplify those sources. So that’s just one example of how, , even if you’re a non-technical background, you can still make it in cybersecurity. So that, yeah, I hope that answers it

Ashish Rajan: does. And I think it makes me do anything.

I should make a video on this as well. Cause I think it definitely, if there is a single source for this, it’s definitely worthwhile calling out. Cause it’s like a certain kind of person may like a certain kind of job versus another person as well. So I, your malware analysts, it reminds me of my first job as well.

I tried being a pen test show and I think that the first month I left the job because I just could not make money making manual. I like is not something I want to do for the rest of my life. I definitely would say explore different. And as you find them, you’re going to realize what works, what doesn’t work.

So [00:35:00] just quickly I know we have we’ve been talking about different kind of topics around getting a job getting qualified for it, but I’m also curious, you mentioned skills, but what does a day look like for you as a security engineer?

Kaif Ahsan: Yeah, sure. Quite fun. I might add not that I’m biased.

, it is amazing. And I think it’s partially due to the fact that that Atlassian is culture is simply amazing. Cannot get over it. For me, if, if I’m trying to say it concisely, I think 50 to 60% of the time is behind different security related activities. So I’m doing security reviews. And when I say security views, this can be threat modeling, code reviews, design reviews penetration tests even either by myself or in collaboration with other engineers and and speaking with developers or to how to fix certain bugs in their products security vulnerabilities.

So a lot of my time goes into that and I didn’t like this side of things and the other I’d say 40 to 50% of the time is, is projects. I [00:36:00] absolutely love this because I can do a wide variety of projects. Like I started Atlassian with the more research based project that when doing the internship.

And after that I did a very coding heavy project. And then again, some more processes related project and internal tooling. And now the current project I’m working is how do I say improving internal. Plays and guides. So for example, I’m now working on , how we can do threat modeling better.

So , what we have been doing with threat modeling? How can we make that better? And I worked on a various , other of our processes as well. Like how can we do a certain type of tests, like graph QL tests better? What are the tools do and create a comprehensive guide, which other security engineers can follow?

So the project I do is very broad and it’s like a wide variety, which keeps me quite engaged. And yeah, that’s how, just how we operate at Atlassian. There’s also this 10% of time, which is every four or five weeks I get an entire week to do whatever. Like personal [00:37:00] research, any kind of training.

I really love that because I do a lot of the cloud based learning in those weeks, like certifications or just doing some hands-on labs or even work on, I dunno writing something. Right. , so that’s how a typical day in the life of the security engineer?

Ashish Rajan: thanks for sharing that , man.

I would love to keep talking about the secure engineer part, but I only have limited time with you . So I wouldn’t do with help to get people know you a bit more as well. So what my fun section towards the end, I think we have answered all the questions that came in as well.

So three questions, not too many. First one, what do you spend most time on when you’re not working on being a, a security.

Kaif Ahsan: Yeah, absolutely. It really varies. Look when it comes to non non security stuff, it’s a Jack of all trades master of none kind of thing.

I do juggle a lot of things like uni work if people doesn’t know, like I still study part-time so the story goes, like I finished my internship. And last year my manager was very nice, very kind. He basically said, Hey you like, whatever you have done so far is awesome. Do you just want to continue doing it [00:38:00] until you graduate and work part-time and I’m like, yeah, sure.

Sign me up. So that, and I also different I’m involved with different clubs that takes a lot of time. So I’m just trying to think. So apart from that, I guess the majority portion goes with me spending time with family and friends. So that’s the huge chunk I have recently developed a very pet peeve regarding investing and the personal finance side of things since the beginning of this year.

So I do spend a lot of times on watching videos learning, consuming content regarding personal finance, investing, and trading a little bit. Yeah. So I guess that’s, it

Ashish Rajan: sounds good. Bye bye. There you go. So it sounds like you’re not going to have more constantly

I can tell you about how I grow this

Kaif Ahsan: yeah, I saw you. You are like an early stage investor now, so, which is yeah, yeah. I can

Ashish Rajan: definitely talk about that as well. But the next question that I have is what is something that you’re proud of, but not only social media

Kaif Ahsan: proud, often, not on social media. I guess just developing a very good friend circle , in Australia.

Like like I mentioned, similar to you, I was in my migrant myself. I had to leave my entire social circle behind and just venture [00:39:00] into a new country. I was , very scared, very nervous, but I definitely had a lot of people support me along the way. And , I always try my best to not get out of touch.

So I would proactively reach out, talk to them, the people who and develop a friendship. So I’m really happy with my, let’s say the friend circles I have. And that’s something I’m very proud of.

Ashish Rajan: Awesome. And and yeah, definitely , some people to keep close to your thoughts. Yes. Cool. All right.

Last question. What’s your favorite cuisine or restaurant that again?

Kaif Ahsan: Cuisine or restaurant roof. Oh, no, this is so hard. This is so hard as someone who eats out a lot I would, I would lean towards Japanese. I tried Japanese food a lot, I guess Japanese is my favorite dish. And no, you cannot use that to social engineer.

Me. It’s not any of my password prompts. But yeah, I do tend to lean towards Japanese food a lot up. I have a, like I just mentioned my mates. We have some, I have some mates who were really looking forward to the borders opening and we can go to Japan and actually probably have proper I mean, we already have good Japanese [00:40:00] food here, but actually experienced the Japanese cuisine in Japan.

So that’s something looking forward to.

Ashish Rajan: Yeah, that’s pretty awesome then. I, thanks for sharing that as well, man.Mine changes. So I think at the moment currently, what I’m missing the most with the lockdown is Somalia.

Kaif Ahsan: Somalian food. Yeah.

Ashish Rajan: I definitely got last year. Funny enough. Cause you’re in Melbourne too.

Yeah, I’ll definitely. Yeah, so I think for, for me particularly, I’m kind of like foodie like yourself. So my food changes like I think last week I was definitely cleaning a lot of Japanese this week. A lot of Somalian food is what I’m is what I’m. Yeah. Yeah. So the week before that, cause I was talking to one of our guests who wasn’t Ethiopian guests, so certainly craving it Ethiopian food I was also going to ask the people who may be listening in maybe have follow up questions of things may be, may not have covered.

We can, the.

Kaif Ahsan: The best would be LinkedIn. Other than that I have recently started being a bit more active on Twitter cause I found out a lot of the news. I’m not too IVIG to the user, but I see a lot of the news to come out of today. So just to follow the news mostly, but I would prefer LinkedIn.

I definitely try to [00:41:00] be as proactive as I can there. So that would be the best two mediums. Yeah. And feel free to reach out if you have a, just want to say hi or any conversation or if you have any questions or anything I can help with more than happy to do

Ashish Rajan: so. Awesome. And I’ll put the links in the show notes as lots of people can reach out.

I can say thank you for coming in on the show, but thanks so much, man. I really appreciate you hanging out with us. And I think it, I feel. A lot of questions that I was being asked by. People are being answered over here as well. So I’m hoping they can come back to this and fantastic I guess come back and have a look at what they could be doing.

And I appreciate Tom, we need to find other people who hung out with us as well and ask questions and shared that insight. So thanks everyone. And yeah man, hopefully I can, bring you back on again. But for everyone else, I will talk to you all next weekend.

Next weekend, this Friday or Thursday, you’ll see. I kind of have to keep developing the mystery of the podcast who’s coming in. I’ll talk to you guys next time. You’re talking about SOC and treadmill analysts people. So getting inspired by a malware conversation the next person in line is a threat analyst or a SOC [00:42:00] analyst.

So let’s see how that one goes, man, but thanks there has been a lot of learnings from here, so I appreciate you coming in, man. And for everyone else, I will see you soon and hopefully I can have Kaif again.

Thanks everyone. Thanks for having me.Bye