
Wang Junhao
Class of 2008
Alumnus,
The University Of Newcastle, Australia
“Try something different, get out of your comfort zone.” – Junhao
Could you share with us about your current role as a Senior Security Analyst in AN Security Pte Ltd?
Let me answer this question with a problem statement. Today, when a user purchases a security product such as a firewall and VPN or even home products such as a smart lock and router, it is assumed that all security functions work properly. However, rationally, there is no basis for this assumption because it has not been verified.
Thus, in my role as a Senior Security Analyst, I apply an international standard for IT product security evaluation, Common Criteria (ISO/IEC 15408), to evaluate the security soundness of an IT product. It is a holistic standard that encompasses evaluation of the design, test plan, user guidance and product life cycle of an IT product.
Being part of a small lab consisting of only three staff, each team member assumes multiple roles on top of their primary roles. I assume the role of a Technical Manager as well, in which I am responsible for building the technical competency of the lab, which comprises personnel training, equipment selection and designing test procedures.
What is one key accomplishment that you have achieved in your job / what is fulfilling about doing your job?
In 2014, I had the privilege of joining UL Transaction Security to become part of the pioneer team that set up Asia’s first EMV Security Evaluation (SE) lab in Singapore. To provide a little background, EMV SE labs perform security evaluation on payment chip cards that conform to EMV specifications such as those of Visa and Mastercard. The main objective of an EMV SE lab is to gain assurance that payment chip cards are resilient against state-of-the-art attacks before they can be purchased by the banks. Globally, there are only ten accredited EMV labs and most of these labs reside in Europe. Hence, in many facets, setting up an EMV SE lab in Asia was unprecedented.
Being the first hardware security evaluator hired, I was tasked to operationalise the Singapore lab and undertake its first project within an 8-week period. In context, there were many things going on for me. First, I was getting married in one month’s time. Right after that, as I did not have prior experience in the security evaluation of payment chip cards, I had to undergo a six-week training in the UK. While undergoing the six-week training, I was arranging the shipment of all test equipment from the UK to Singapore in tandem. With some remote assistance from my mentor then, not discounting time zone difference, I managed to accomplish the task in two weeks. This accomplishment became a cornerstone of building the lab capabilities and processes.
Today, many IT products are exposed to cybersecurity attacks more than ever, but many product developers have little to no skills, knowledge or experience in implementing security by design to safeguard against these threats.
In my current role as a security analyst at An Security, I have the opportunity to interact with clients who are product developers. This gives me the opportunity to educate them about security by design, and hopefully, this will improve the security of their development processes and products. Over the last few years, it has been fulfilling to learn that some of our clients are embracing security by design as part of their processes.
Despite your busy schedule, juggling your work, family and new-born, you played an active role as a Mentor in PSB Academy’s Mentoring Programme. What motivates you?
I was fortunate to discover my interest in science at a very young age of around eight and that intrinsically guided me into the engineering field today. In retrospect, through conversations with people around me and reports of staff engagement polls in Singapore, I realised that not many were as fortunate; many were disengaged in their jobs. Considering a typical working life spans over 40 years, I thought that is a long time to be miserable.
The book “Drive” by Daniel Pink has also presented studies which demonstrated that engaged staff yields high performance while disengaged staff is an immense loss of human resource. I believe that if these human resources were mined at their fullest potential, it would be unimaginable how much a civilisation could advance and how much people’s lives could benefit. At least, people, in general, would be happier.
I doubt that I can change the world, but it motivates me that for each mentee who came to me through the PSB Academy Mentoring Programme, it is an opportunity to invoke the process of self-discovery to find his/her own passion and purpose and to be engaged in his/her own life. Hopefully, this could also have a knock-on effect on the people who interact with these mentees.
Despite the challenges of juggling work and family, Junhao is able to excel in his career while volunteering as a Mentor with PSB Academy.
Why do you think it is important for students to participate in the Mentoring Programme and seek guidance?
The obvious reason is, the mentors, who are people in the thick of their respective industries, are also the people who can offer the students insights on the current industry trends; in turn, the students can find out the expected knowledge, skills and attributes required for the roles in their industries.
The less obvious reason is that the mentees are imparted the skills of self-mentoring, rendering the mentors non-essential, which, in my opinion, is a hallmark of a successful mentoring outcome. The mentees would have acquired the skills to self-discover their own passion and purposes and have the wisdom to adapt that to their own circumstances, whatever it may be.
How do you keep yourself up to date and relevant to the ever-changing technology and hacking techniques?
This question can be addressed in two parts, i.e., up-to-date skills and knowledge and relevance to industry, both parts feeding off each other.
Up-to-date skills and knowledge
I am curious by nature; I have an innate desire to understand how the world works. Inadvertently, that leads to lots of recursive reading and experimenting. This process allows me to acquire and deepen my knowledge and skills in a topic quickly. In a way, you can say my curiosity keeps me up to date.
Relevance to industry
I find that reading widely and continually talking to people, especially those outside my social circles, such as vendors, clients, corporate partners, government authorities, educators and fellow volunteers, give me insights on the evolving industry trends. Those insights allow me to conjure a rough plan to groom myself for and manoeuvre myself within the future economy.
What would be your advice for students who are planning a similar career path?
Advice #1: Be curious
Like any career, to be effective as an information security professional, I believe one has to be curious. Be curious about your job. Be curious about the things around you. Curiosity helps to overcome the rational brain’s resistance to hard work. So, always be curious.
Advice #2: Never get comfortable
If you find that you have done all and known all in your job, you are getting comfortable. Being comfortable means that you are no longer learning. So, try something different, get out of your comfort zone.
Advice #3: Network penetration testing is not the only career path
The information security profession is an extremely broad field in terms of the number of knowledge domains involved. In addition, like it or not, the information security field cuts across all known industries, where each industry has its own quirks. In short, there are bountiful opportunities in terms of the variety of roles one can assume in the information security profession; students are not restricted to being network penetration testers.