Security Expert Interview Series: Adam King

We had the opportunity to interview Adam King, Director and Co-Founder of Sentrium Security where he and his team are helping businesses protect their technology, information, and people with a bespoke range of cyber security services. Adam is an information security professional, with a background in penetration testing, cyber threat analysis, and digital forensics. In this interview, Adam touches on a few areas like the trends he expects to see in information security in 2021.

Security Expert Interview Series #10: Adam King

1. Can you give us an introduction about yourself, Adam? How you ventured into the information security world?

I started my journey into cyber security at a very young age with an almost obsessive interest in technology. I would spend countless hours taking apart computers, learning programming languages and quizzing everyone I knew with a technical background on all sorts of topics from networks to operating systems and beyond. During my nerdy teenage years, I met a nice chap called James whilst playing computer games online, only to discover he “got paid to hack stuff”. Upon learning the meaning of the phrase “penetration testing”, I was hooked and applied for a cyber security degree programme as soon as I could. James offered me my first job in the industry as a summer intern for a start-up security consultancy, and with my foot firmly planted to the first rung of the ladder, I was off!

2. What motivates you to keep pushing ahead every day in the security field?

I love the diversity and complexity of the field. Every customer I have worked with over the years has unique challenges, as there are no two identical organisations in terms of their technical ecosystems and operational processes. This means that cyber security consultants must consider the wider context of the organisation which brings exciting new problems to solve each day.

The field also accelerates my technical development as I am frequently introduced to new technologies and, of course, the experts who build and maintain those technologies. Whilst it is impossible to be an expert in every aspect of IT, I feel that my career has given me a strong professional understanding of many areas and I relish the opportunity to keep improving each day when I switch on my laptop.

3. We know that you are proficient at application penetration testing and building cyber threat analysis capability. What are your favourite accomplishments in penetration testing?

If I told you I’d have to kill you get you to sign a Non-Disclosure Agreement. As a penetration tester, you quickly learn that a surprising number of highly valuable, widely used, systems and applications have skeletons in the closet. The most rewarding projects are those where the customer is very receptive of your findings and you have the opportunity to work with them closely to resolve the problems, returning at a future date to find those skeletons have been buried.

4. What are your 2 most important pieces of advice to our readers to improve their pentesting skills?

Spend almost as much time improving your functional technical skills as you do improve your pentesting skills. The best way to understand the deeper workings of a certain technology is to actively engage with it rather than jumping to the common pentesting techniques that you have learned from books and Capture The Flag (CTF) exercises. Do you want to improve your web application pentesting skills? Develop some small web applications, both using common frameworks and from scratch using enterprise languages like ASP.NET and Node.js, then figure out how to break your own applications and fix the vulnerabilities in your code. Are you trying to get a deeper understanding of pentesting Windows domains? Try setting up a Domain Controller with a small Active Directory environment then break it and fix it as many times as you can.

Starting a career in pentesting, like all areas of IT, is a commitment to embracing change. There are countless tools, techniques, and technologies that are much less common than they were five years ago, and just as many new ones. Continually educating yourself on these changes can be a challenge, but it is important to stay current with the evolution of technology. Take a look at the explosive adoption of cloud computing over the last decade and the growing need for cloud security knowledge across the industry. Do you feel that the resources you have been using to improve your pentesting skills have provided enough content on this topic? What other topics, such as IPv6, might you be able to improve your knowledge of? We have come a long way from attacking Windows XP systems with Metasploit modules (for the most part).

5. What security challenges did you face as a Senior Security Consultant while working with large companies?

Firstly, I believe that every organisation has unique challenges to overcome in terms of security, however, there are general themes that are appropriate to companies of a certain size. These include the obvious challenges, such as a greater quantity of systems and data to govern, but also some less obvious ones. I would like to focus on the two less obvious challenges that I believe to be common:

Visibility – The larger an organisation becomes, the harder it is to maintain visibility of every piece of the puzzle. This is not just computer systems, but people, processes, suppliers, etcetera. The security team is often small in relation to the size of the organisation, so they must be somewhat reliant on data and communication from others. It can be very challenging for a large organisation to confidently determine whether they have enough visibility of their environment. In my time working as a security consultant, I have seen this issue time and time again, for example, by identifying significant failures in monitoring solutions, or finding old, unpatched systems that were not documented.

Agility – It can be challenging for large organisations to make changes, especially when those changes may appear minor but have a potentially significant impact on users or operations. We all understand that technology evolves quickly, but it is very difficult to implement “This Year’s Top 10 Security Features” if that change might require a training session (or worse, a support ticket) for thousands of users.

6. Could you explain your role as Director at Sentrium Security Ltd, and what you do at this company?

I co-founded Sentrium in 2018 with an ambition to build a cyber security consultancy that first and foremost understood the challenges and needs of our clients. The company started with a small client portfolio that was managed by myself and my co-founder, Tim. We have grown significantly over the last two years and my role today is more focused on leading business development and operations.

I am still actively engaged with the technical work and spend a significant amount of time working on our key accounts. I am surrounded by a fantastic team that is beginning to take over technical projects which I shall certainly miss as the company continues to grow. I must say that I am incredibly excited about the future and proud of the great work we do every day.

7. Could you please tell us what was the most important cyber security lesson you learned in 2020?

The cyber skills shortage may not be what it seems.

We interviewed a lot of great people looking to expand our technical team in 2020, however, almost all the juniors I spoke to were facing the same problems. They were finding it difficult to get interviews with constant feedback that they did not have enough experience and/or qualifications. I found this very surprising as the roles they were applying for were all advertised as “junior” positions.

My theory is, there may well be a cyber security skills gap but this is largely a gap at the mid-to-senior level. There has been a huge effort by the industry (and governments) to “fill the gap” in recent years with the invention of apprenticeships, degree programs, online courses, and a multitude of qualifications. Has there been a large influx of people trying to break into the industry using these routes, filling the junior positions, and leaving a void that has organisations crying out for experienced candidates to re-balance their security teams? If my theory holds some truth, what could this mean for the future as those juniors become more experienced?

8. What trends do you expect to see in information security in 2021?

I would expect to see further discussion around the security of remote working and hopefully even greater development of solutions and awareness of the challenges that remote working brings. This may come in many forms but “cloud”, “identity” and “zero-trust” are probably going to be terms we see this year more than ever. Whilst these technologies are matured and in use by many organisations, my concern is that the barrier to entry is incredibly high given the widely reported lack of expertise within smaller organisations and the significant cost of outsourcing the required skills to adopt and maintain them.

9. Anything additional you would like to add here which extends value to young information security enthusiasts?

Research as many roles within the cyber security industry as you can before you pick a certain area to commit to. You could end up working in security operations, penetration testing, information assurance, incident response, forensics, threat hunting, DevSecOps, or engineering roles across many disciplines such as cloud, endpoint protection, or firewalls, and then specialise all the way down to a certain vendor ecosystem. The industry has so much to offer and you will enjoy your career more if you find an area of cyber security that fuels your enthusiasm to learn. Make sure you take the time to find out what that is for you.

Click here to learn more about the Swiss Cyber Institute’s approach towards improving the digital safety and security of society and economy through education and weekly blog posts. Do you think you are a good fit to participate in our Security Expert Interview Series? Reach out to us for more information.