By Luo Dan and Chang Zhun Lyn
Juhi Ramireddi is currently a Cybersecurity Consultant at Accenture Singapore. She feels passionately about inclusion and diversity in the tech and engineering space, having studied Computer Engineering herself at the National University of Singapore (and being one of the few girls!).
She is thankful for having grown up in Singapore, where all fields of education are accessible to women and men alike. However, as with most developed countries, women are yet to play an active role in the tech (especially cybersecurity) space in Singapore. As part of the Advisory mentorship series, she hopes to inspire and guide more women towards pursuing a career in technology.
My profession does not entail 9am-5pm working hours. I would describe my day to day activities as replicating what cyber criminals would typically try to do. The central tenet of cybersecurity is to think like an unethical hacker and stay ahead of the curve before criminals attack or damage the systems we seek to protect. I like to draw a parallel between my work in the cybersecurity industry and the medical industry. You get your immunization, which is meant to prepare your body for a possible pathogen. What we do as ethical hackers is very similar. By performing hacks or simulated attacks, we reveal our clients’ vulnerabilities and associated risks so that they can take precautions to safeguard their organizations.
As of now, I build strategies to protect critical infrastructure in Singapore. Some examples of critical infrastructure include infrastructure supporting utilities (power, water etc.), aviation, maritime etc. The needs of these various industries that I work with, and the associated projects would change my working hours accordingly. A part of my work involves physically meeting clients and internal team and of course, [plant] site visits and data center expeditions. *laughs*
I chose Computer Engineering partly because math was one of my strong subjects in school…or so I felt until I took Engineering as a major. *laughs* One barrier to joining this field in Singapore, however, is a dearth of computer education; you don’t see computer science in the secondary and pre-university curriculum. That is slowly changing, but in my time, there was almost nothing.
One great push factor towards the field, despite the lack of exposure available here, was the influence of my cousins in India who were very interested in computers and logic. I like to think that the cyber-crime shows that I used to binge watch also influenced my choice of profession in some way. *laughs* But on a serious note, hacking or any security work is nothing like how pop culture depicts it to be.
Until recently, there was no specific Information Security major in NUS. My choices were limited to Computer Science or Computer Engineering. I chose Engineering because it gave me a holistic understanding of computers and not just the software component of the field. However, if you know that your interest lies purely in software or firmware, it would be wise to go with Computer Science curriculums. I had no prior inclination towards hardware, firmware or software hence my choice.
Upon choosing Engineering, I went on to take modules in Security and that’s how I landed up at this line of work.
This is not my first job. I used to work at PricewaterhouseCoopers as a Digital Risk consultant. My foray into a cybersecurity career started with penetration testing. Penetration testing in layman terms is equivalent to “hacking”. Penetration testing is often confused with QA (Quality Assurance). The objective of a pen test is to ensure a given system (application, device or network etc.) is secure (Is the personal user data protected? Can databases be breached?). In contrast, a QA assessment ensures that a system works in accordance with its functional stipulations (for example, submitting a form on a website successfully).
After about 2 years, I moved to Accenture Security. Accenture had recently initiated a security vertical and were hiring actively. The opportunities were tempting and abundant and I’m having a lot of fun learning and growing here.
Most of my peers from my course went into some form of software development work. Also, my chosen profession is one that is not very well-liked by most other computer professionals because I make their life harder. *laughs* I find ways to crack their application or make businesses spend money on security.
In this field of work, there isn’t great female participation. I’m not just referring to the information security and computer security sectors – engineering and computing in general. In Singapore, I would estimate that maybe one in three are female.
Aside from being one of the few women in this field, I find it greatly rewarding to be working in cybersecurity. You’re not just protecting people’s data. A lot of the time people think cybersecurity is about protecting data and ensuring privacy but you’re doing much more than that – you are also protecting systems and devices. With the example of critical infrastructure, you’re looking at planes’ navigation systems, train signaling systems, oil rigs and plants etc. With driverless trains for example, it is much easier for a hacker to remotely derail a train – this puts lives at risk. This is not just about data – yes data is precious, but security is much bigger than information security alone – it’s about securing systems that if left unsecured, can lead to loss of human life or heavy loss in revenue for businesses.
Web development, web design and software engineering are all very different. Design is more about the aesthetics. You’re making something look beautiful; you would benefit from having a design or art degree. It’s about application design and user experience and there’s an entire field of study regarding that. Web designers care about what you feel when you look at or use a product and there’s a lot of detail that goes into it. They understand aesthetics and why users like certain things. If I change one thing about an application, you might want to stop using it. For example, Steve Jobs pioneered the iPhone. He’s an expert on user experience – his genius led to the commoditization of smartphones.
Web developers design and build applications for the web. Instead of the aesthetics, they focus on the functionality of the application. Software engineers, on the other hand, develop software for different platforms – not just the web. Nowadays, the terms web developer, software developer and software engineer are used quite interchangeably, much to the chagrin of the experts.
Information or computer security engineers/consultants like myself serve yet another function. We look at securing various systems, which includes software applications as well as the hardware and firmware of systems.
The main highlight for me is that you get to amaze people a lot. It’s not too difficult to impress clients because not a lot of business users are well-versed in cybersecurity. *laughs* When you show them a demo on how to potentially break into a given system, they are usually amazed and impressed by it. For example, some of my colleagues had once shown an oil & gas client how they managed to traverse their network and reach a critical system that could be used to blow up a part of the rig.
One of the other highlights is delving deeper into the mechanisms of commonplace systems that most people wouldn’t know about in much depth. I don’t just work with web applications or mobile apps but also, for example, signaling and communication systems. One starts to see how devices and systems are built with only functionality in mind, but not necessarily security. That’s where we come in. But that also means that you study and understand some really commonplace processes/systems in greater depth than a common man, and that makes for a fun conversation starter more often than you’d think.
I think one thing that people really underestimate in an engineering line of work is the importance of communication skills. Often you are working on your project which would require you to explain something to a client or another non-security professional in simple and clear terms. They don’t work in our industry, so they are not usually well-versed in the terminology, tools and the processes that we use. It’s important to communicate these clearly to them so they understand the value we add to their business and to ultimately ensure their goal of becoming a more secure organization is achieved.
Also, I would say writing well is important. You could say writing is a form of communication too, so I am repeating myself here. I think I’ve written more reports at work than I have written at school. Reports in a professional setting are critical because they capture the product of months of effort by a team of engineers or consultants. If the report fails to capture the essence of results and processes, any prior practical effort is meaningless.
It’s important to be good at writing and communicating in general. I wish I knew that earlier – I would have taken my language teachers more seriously at school.
Besides the importance of communication skills, having an eye for detail is important in my line of work. In (critical infrastructure) security, overlooking the small details is what causes real damage. The Stuxnet attack is a popular example – hackers meddled with the human-machine interface connected to the Iranian nuclear reactors through means of a USB device. In that era, USB ports were not considered to be critical for hardening and securing – they were considered insignificant interfaces of computer systems. See? It’s the smallest things that people tend to overlook the most. Everyone’s going to protect their crown jewels – they’re going to put safeguards around them. Then there are things that organizations typically don’t consider important enough and don’t protect and monitor as proactively – that is what hackers use to reach precious assets. Hence, attention to detail is crucial in my line of work.
I would say tenacity is key too because there’s always a way to hack something no matter how secure you build systems – it just depends on how tenacious you are as a hacker. This is why projects we take on usually run for a few months because it takes time and patience to build a security strategy/solution or hack into a system.
Saving the best for the last and I think it’s prevalent and readily-offered advice – ability to continuously learn is key to surviving in tech – not just cybersecurity. In my domain specifically, I need to keep learning and understanding technologies in various industries to build strategies or solutions to secure them. For example, the types of networks and systems in the Maritime sector are very different from those used in Manufacturing and I’ve got to understand them to help secure them.
I think…I prefer working with my team. When you single-handedly ideate a security strategy (solutioning) or try hacking into a system, you have your own way of doing it. It’s like solving a math problem, you have a way of solving it and arriving at the right answer and that’s great. But when you watch someone else work their way, you realize that they might have a different way of thinking, which might be more efficient than yours. You learn a lot by working with someone. However, sometimes you do need solitude to focus too.
It’s hard to say with all the things going on in the industry lately, but I am looking to specialize in Network Security and OT Security Strategy. The next wave is likely to be 5G technology – so that’s one of my side interests as of now.
A computer architect in the field of engineering and technology is someone who designs a system from top down. This could be an application, a network, a signaling system. For a lot of the things you take for granted, such as electronic devices being able to communicate to each other, someone had to go really deep into it (e.g. designing the signaling between different nodes) to make the system fast, efficient and, in my case, secure.
Usually, architects are subject-matter specialists who work in teams to build a system. Someone in the team would be good at signaling, whilst others would have expertise in security, databases etc.
I would say don’t be daunted by computers. Don’t think of it as a “boy thing” to do, girls can do it too. I know that a lot of the times boys grow up playing computer games, which could be a reason why they could be more exposed to the computers at a young age. This was especially true in my time when we didn’t have laptops or tablets readily available to us.
If you feel daunted and like it is not something you’re getting along with, I’d like to say that most of the things that you’re going to take up in university or later on in life are going to seem difficult anyway. It’s not because you’re a girl, but because things simply get harder and you just have to push through. Once you bridge that gap of learning, you realize that acquiring skills in the field of computers (or anything else) really is not too different from learning at school. It’s not like you had learned to multiply and divide in one day. Most people go at it for a while. Again, it’s not about gender. Just like learning arithmetic skills, you have to keep pushing yourself to learn computing until you get better at it.
I observe that girls very often drop out of technical roles in the 1st year of their careers. In my experience, the first year is always going to be most challenging but if you can bridge that learning gap, things get easier. The tech industry is a very rewarding place to be! Tech jobs are one of the highest paying ones, comparable to our peers in law and medicine. If women are missing out on this industry, they’re missing out on many opportunities. I believe that as women like myself join the sector and better the female representation in the industry, other girls are likely to feel that they can do it too.