Pooja Shimpi

from Women In Security Magazine Issue 10

Lessons from the AWSN Leader Forums

Business Information Security Officer at Citibank Singapore

Pooja Shimpi is Business Information Security Officer with Citi, based in Singapore, responsible for monitoring and implementing compliance with information security policy and controls across APAC. She has come a long way from her childhood in a small town in India.

“We didn’t have access to computers in India when I was in school. The first time I got to touch and feel a computer was in 2001,” she recalls.

And a career in IT was not on Pooja’s parents’ roadmap for her. In fact, no career of any kind was. “Career aspirations were not talked about much. Parents usually wanted their children to study and finish graduation, but being from a small town, and a girl, I was expected to get married and settle down as soon as I had completed my studies rather than focus on a job or think about career aspirations,” she says.

“I did my Master’s degree in Computer Science just to escape getting married. I really enjoyed studying about computers, but career aspirations were too farfetched at that time.” From a Master’s in Computer Science to a career in cybersecurity was a serendipitous step for Pooja.

“When I studied Computer Science in my Bachelor’s and Master’s degrees, cybersecurity was pretty much non-existent as a domain specialisation. Hence, when I got an opportunity to work on a project at ANZ Bank in India that touched upon areas of security, I grabbed it excitedly. And from then, it has been a very interesting and fulfilling journey. Once I completed that project, there was no looking back. I had found my true calling in the field of cybersecurity.”

Despite her qualifications, Pooja Shimpi believes passion to be “the single most important trait” for a successful career in cybersecurity. “The ‘business as usual’ world of cybersecurity throws new challenges at you every day and, similarly, the governance of cybersecurity keeps you on your toes. While qualifications can take you to a certain level, nothing beats the real-life industry experience.

LEARNING BY DOING

“So, I would suggest everyone should be ready to get their hands dirty. If you have a qualification, excellent, but if you don’t, let it not deter you from entering

this exciting space. Even though I hold a Master’s degree in Computer Science, with no specialisation in information security, I picked up the nuances along the way, and so can anyone. It’s a gradual process where you learn in a more practical way. Over the years I got myself certified as Certified Data Steward, Certified Information Systems Security Professional.

“For new entrants, I would recommend LinkedIn learnings such as cybersecurity foundation courses and exploring certifications such as ISC2 and Systems Security Certified Practitioner (SSCP), which is a great way to start and display your passion in cybersecurity. It also helps you gain a quick insight into the latest and greatest terminology, understand the job functions and learn about cybersecurity.

“It’s also important for new entrants to know information security offers many roles that can suit different personality types. A few examples are cybersecurity analyst, penetration tester, security specialist, digital forensics and incident response, governance, risk and compliance, and information security manager.”

OPPORTUNITIES FOR WOMEN

She says there are opportunities aplenty for people, especially women, aspiring to careers in cybersecurity. “Women in information security made up only 11 percent of the workforce in 2013. This number has since increased to 25 percent. However, women make up 47 percent of STEM workers overall, so cybersecurity still has a long way to go.

“Security is a field that has something for everyone. A wide array of security jobs is available for women to choose from. Even if you don’t have a security background, you can easily self-study, get certified and be market ready. “Corporates are facing severe shortages and are inviting professionals for interviews even if they have no prior experience. Once in security, you can then branch off to other verticals within the security domain.

“And last but not the least, don’t let anyone deter you from joining the security field because it’s too stressful. There could be some bad days as in any other job, but the security industry is full of great people who share the passion for this field and are extremely helpful. “

She says getting into security rather than software development was one of the most important decisions of her career. “I have always enjoyed working and engaging with a lot of people rather than cracking code behind a screen all day. Information security gave me that opportunity and hence, I would not change anything.”

OVERCOMING HURDLES

However, as well as having to overcome the stereotyped life journey for a young Indian woman, Pooja has had to tackle a few other hurdles in her career. “I have encountered strong biases, both on the personal and professional front,” she says.

“When I decided to choose the information security field, people discouraged me by saying ‘Oh, it’s a very stressful job,’ ‘there’s hardly any women in this field, it’s not suited for you,’ etc. Moreover, when I started my career in 2008, IT was not a very respected role. It was considered more as a support function and a cost centre to the overall business or industry. Things have drastically changed since then.”

Fortunately Pooja has enjoyed some good support from the people in her life. “My first and foremost

strength has been my partner, who has supported me in all my decisions,” she says. “Being senior in the IT industry, even though from a completely different area of expertise, his objective guidance on topics and issues has made me a more mature professional.

“I have also been lucky enough to get guidance and support from my mentors, some of whom were at work and others I connected with over LinkedIn. I feel blessed to be part of this huge community of like-minded cybersecurity professionals who are more like a close-knit family, always ready to open their arms to anyone who is remotely interested in cybersecurity. Some of the groups I am part of are Cyber Risk Meetup, ISC2 Singapore, Cyber EdBoard, Cyber Leadership Program, and cybersecurity/CISO groups on social media.”

And she adds: “I am a subscriber and regular reader of LinkedIn posts, ISC2 material, ACS, AISA, etc that provide a deep insight into developments in cybersecurity and give a clear view of the current threat landscape.

“A knowledge of the happenings around the world in terms of cyber-attacks opens your mind to the wide array of possibilities. This is extremely helpful when I attend conferences or participate as a panelist in cybersecurity discussions. Moreover, it gives me crucial talking points in board and risk meetings at work and helps me suggest improvements.”

COVID-INDUCED MENTORING

Pooja has achieved much in her career but says her most satisfying achievement was outside any formal role.

“After working for almost a decade, during COVID-19 I realised I had done nothing much for the community. There could be many people just like me who want to enter the exciting field of cybersecurity, but do not get the right guidance. “I used to travel extensively. I had interacted with many people across the globe who loved computers but were not sure how to start a career. COVID-19 put a stop to my travels. Hence, during the COVID-19 induced circuit breaker in Singapore, I came up with a mentoring program focused on helping anyone interested in information security or cybersecurity.

“I conceived and ran a program called Global Mentoring for Cyber Security (GMFC), which received an overwhelming response. The program ran for eight weeks in 10 countries and involved 20 mentors who volunteered to help 20 mentees.

“The volunteer mentors, who held leadership positions across the cybersecurity industry globally, connected regularly with their mentees to guide them on how to kickstart or grow their careers in cybersecurity. I consider this as my biggest achievement.”

HER NEXT GOAL

Pooja says she still wants to “grow into a more rounded cybersecurity professional,” and will be focussing on this goal over the next few years.

“The sophistication of cyber-attacks demands that you know the latest and greatest around the world in this field, be it the types of cyber-attacks, development of security products, government regulations for different industries, threat landscape, etc.

“Another important aspect is to gain substantial knowhow on this topic to be able to explain the threat landscape and related solutions to the board, in a simple straightforward way.”

www.linkedin.com/in/poojashimpi