Jenna Salvesen
Manager - Advanced Security Centre at EY
Jenna Salvesen had an unconventional journey into cybersecurity. Starting at EY as an Executive Assistant, she is a pioneer in the technical world: breaking barriers, challenging prejudice and successfully paving a new pathway into the offensive security sector of cyber. She has proved that with determination and perseverance you can create a successful career in one of the most highly technical areas of cyber, and she now manages one of the largest teams of penetration testers in the Advanced Security Centre at EY.
As an Executive Assistant, Jenna supported two leaders of the cybersecurity team. “I was bright-eyed and bushy-tailed and ready to learn anything that was thrown at me. The more I began to learn about cyber, the more the fascination grew, and the more I wanted to know. Everything from building cyber road maps to facilitating threat intelligence simulations. I couldn’t believe I had not discovered this industry earlier. Once I had, I knew it was something I had to be a part of, especially offensive security and red teaming.”
With the full support of the cyber leader at EY, she dedicated herself to self-study and on-the-job learning to build a solid foundation in cybersecurity that enabled her to move across to the cybersecurity team.
“It was during this time mapping out my transition that I became aware of a newly-created role in the Advanced Security Centre (ASC), the offensive security team, which is a sub-team within the cybersecurity practice specialising in red teaming and penetration testing,” she recalls.
“This team never had a non-penetration testing role before. It was such a rare opportunity. I knew it was exactly what I wanted to do, and where I wanted to be. I approached the leaders of the Sydney team to learn more about the role and express my interest.”
DRIVEN BY DETERMINATION
Jenna went further than expressing her interest. “I was so excited and so determined to get this role, I basically didn’t take no for an answer,” she recalls. “I knew I had the skills they needed to really do the job well and had so much to contribute to make their high-performing team even better, and I wanted to learn everything about the world of offensive security from the inside out.”
This, she says, marked the turning point and launch pad of her career into cybersecurity. She had joined EY in 2015 and made the transition in 2017, working her way up through roles as consultant and senior consultant to Manager, the role she holds in the centre today. She says it is a career path largely self-created.
“I had a clear vision of the role I wanted, and I was a woman on a mission. As my role was the first of its kind in my team the role itself and the career progression pathway were not predefined. It took a combination of leveraging my current skillset against the needs of the team and our clients, an immense amount of on-the-job and self-study learning and a lot of resilience to break down barriers and challenge the cookie cutter mould to create my own pathway and continually reinvent my role to be what myself and the team never knew they needed.”
Her determination culminated in her first red team engagement that enabled her to combine her innate soft skills with the technical knowledge she had gained: a red team engagement that succeeded in breaching the client’s physical and cyber security.
SUCCESSFUL RED TEAM EXERCISE
“It came after five years of experience in the team and the blood, sweat and tears of determination in building those skills,” she says. “I had built up my technical knowledge to combine with my existing skillset to qualify for the opportunity to be put on a red team engagement.
“I naturally have a strong EQ and I’m a big people person. I love conversation and building rapport with people and am good at quick thinking on my feet. The engagement was a complete success, achieving every objective given by the client, such as persistent access to the building by cloning staff security cards, remote access to their internal network, even physical access into their server room. Achieving this and proving to myself that I could do it will always be one of my greatest career highlights.”
To build the cybersecurity knowledge needed to enable her to reach her goals, she completed a full time cybersecurity course at The University of Sydney which had a major focus on the technical aspects of cybersecurity. It was a night course that consisted of classes in the evenings and assignments completed on the weekends, which enabled her to accomplish this whilst also working full time. Other instructional sources that helped her included Security+, The Web Application Hacker’s Handbook, PortSwigger (developer of the Burp Suite web application security testing software, which also offers free online web security training) and Hack The Box.
STUDY WITH PURPOSE
Jenna is a big believer in studying with purpose, finding courses, certifications or learning materials that are specifically going to fill the gaps and get her to where she wants to be, but adds, “On the job training and experience are also priceless, where you learn the bulk of the necessities, and more than you realise. The secret is to find your true interest and passion, look at the skills you have and find the courses or learning opportunities that are going to give you the skills you need to complete your skillset, and find leaders who will support you in your endeavours for success in the role you want to be in.”
In her current role at EY, and in addition to her internal management responsibilities, she manages two major client accounts, running two streams of pentesting engagements for both: a periodical, business-as-usual pentesting program and a projects pentesting program.
“The periodical program is a predetermined list of critical applications that are required to be end-to-end tested annually, mainly to meet regulatory compliance requirements,” she says. “The projects program is the organisation-wide pipeline of applications that require pentesting before they release brand new applications, or updates, changes or new implementations to existing applications. Between the two clients, on average, I run upwards of 200 pentests per year.
“My day to day consists of running these pentest engagements on the ground with our team of testers from the beginning (initial contact with stakeholder) to scoping, getting them started, gathering and testing entry criteria, overseeing fieldwork, providing QA on the final reports, to the close-out meetings with our clients.”
Her role as a Manager is “chaotic by nature”, she says, as it involves “troubleshooting issues and crisis management, both internally and on the client side when unexpected problems arise in current pentest engagements.”
On a higher level she also meets with major client account stakeholders to plan future programs of work, strategise and continually improve pentest programs as well as managing the financial engagement lifecycle and account as a whole.
The role and her team also give back: she notes that the most rewarding part is “the learning opportunities and the experiences I get to have within my team. It is one of the most challenging teams I’ve been a part of and requires you to be out of your comfort zone more than you are in it, as it pushes you to continually learn complex technical concepts and be humbled by the infinite amount of information there is to possibly learn.
“With this comes a great sense of achievement as you look back and realise just how much you have learned time and time again, and with that learning and experience comes privileges and opportunities that wouldn’t be possible without it.” She encourages everyone to “Be bold and take the leap out of your comfort zone and into challenges. Although it might be daunting, it’s the only way you will prove to yourself the great things you are capable of!”
www.linkedin.com/in/jennasalvesen