Tell us about your journey into the industry
I possess a bachelor’s degree in computing, a master’s degree in management information systems (MIS), and a PhD in computing. Other professional qualifications I possess are ISO 27001:2022 Lead Implementer, ISO 27001:2022 Lead Auditor, Certified DPO, and CISM in lieu. The choice of my degrees was entirely based on my interest in the computing field as a teenager; however, I would not say I was aware of the areas within the computing field prior to my bachelor’s degree, which made me struggle with some of the modules during the degree. On the flip side, the degree taught me the areas within the computing field that I would not want to pursue a career in. Armed with this knowledge, all that was required was to then review the other areas and identify which specific area I would like to specialise in. Undergoing a master’s degree in MIS helped me better streamline my career focus – understanding how technologies could be utilised to optimize business processes. After my master’s degree, I ventured into the academic sector as an assistant lecturer in computing.
My purpose for taking this role was my passion for passing on knowledge. In this role, I also had to conduct research, which I had not considered at such a level of detail. This was one of the several skills I learnt in this role. In order to rise through the ranks within academia, I was required to possess a postgraduate research degree. I chose a PhD in computing with a focus on cyber security in the health cloud; this was the beginning of my journey into the cyber security profession. I chose this research focus because I had seen first-hand the effect on patient care of a lack of security for healthcare records stored in the cloud. This experience, and the informed knowledge gained from the research, inspired my passion to join the cyber security field. Upon conclusion of my degree, my unrelenting inspiration to optimize business operations led me back to industry. I came to realise that the Governance, Risk and Compliance specialism would be best suited for me to achieve that aspiration.
Tell us about your current role
I am presently working as a client-facing GRC Consultant who leads and supports a wide range of clients across the public and private sectors, both in the UK and overseas. My duties include, but are not limited to: supporting the development, implementation, and maintenance of clients’ security assurance functions; leading security assessments for client engagements; managing client negotiations and reviewing security requirements through questionnaires; and applying information security frameworks and standards such as ISO 27001/2, SOC 2, NHS DSPT, etc. in diverse environments. In my role, I also drive adoption of strategic initiatives and implement change. I act as a champion in ensuring delivery of services to an exceptional standard. I develop and maintain policies in line with the requirements of standards. I examine clients’ information security documentation and initiate amendments in line with business requirements, while maintaining regulatory obligations. I lead and contribute to education and awareness campaigns at clients’ organisations. I also train on ISO 27001 foundation, internal auditor, and lead auditor courses.
The impact of my role on society is that I support organisations to develop robust practices that reduce the likelihood of an event which will result in a significant breach. The need for such protection stretches far beyond hackers. Information security is vital to safeguard all kinds of organisations, whether they are storing extremely sensitive data or otherwise. Poor security of data within an organisation can lead to key information being lost or stolen, creating a poor customer experience and reputational harm. Data breaches, fraud, and cybersecurity attacks are all getting more frequent as people become more dependent on technology. I presently work for a subsidiary of GRCi Group. The base pay for an entry-level GRC consultancy role would be £52,500.
What does a typical day look like?
A typical day begins at 9.30am due to childcare reasons. If there is an audit to be conducted on a client’s ISMS, then the meeting runs all day until 5pm with intermittent breaks. If I am supporting a client to develop their ISMS and integrate its requirements into the organisation’s practices, then it would be a meeting of 2 hours or more, depending on my availability and the matter being discussed. If I am developing policies or conducting a risk assessment, then this would require no meeting, but more time spent on the computer until close of day, taking a lunch break and standing up often to relieve my back muscles. I get to travel to client sites to conduct these assessments or audits, depending on clients’ requests. On days when I am to deliver training, this would take all day; the delivery could be remote or require travelling to our centres. One thing is certain: tomorrow is not a replica of the activities of yesterday.
What are your career goals/plans for the future?
My next career step would be moving from a mid-level professional to a security leadership role within Governance, Risk and Compliance.
My ultimate career aim is presently not known. I am not certain there’s an ultimate aim for me; my career aim would keep changing as I evolve in my career. I am aware there is no straight line through my career journey, so I am keeping myself open to the possibility of any changes.
What is the best thing about working in the cyber security industry?
The best thing about working in the cyber security industry is that I have a high level of satisfaction from supporting organisations to maintain a strong internal control environment, which minimizes the likelihood of financial losses, regulatory penalties, and reputational damage. In addition, by proactively identifying and mitigating risks, I support strategic decision-making, business continuity, and long-term growth.
What advice would you give to others thinking about pursuing a career in cyber security?
If you are pursuing a career in cybersecurity, first identify what aspect of cybersecurity you have an interest in. Afterwards, using free resources, gain as much knowledge as possible on the aspect of interest. Apply for volunteering, internship, work experience, and training opportunities in the related aspect of interest. Then build your portfolio of experience and certifications for progression. The cybersecurity industry entails a lot of updating your knowledge, re-learning, un-learning, and learning.
What would you say are the 3 most important skills you use in your role, and why?
Strong analytical and problem-solving skills: I must creatively provide advice to clients to address their specific problems. There is no one-size-fits-all approach when critically analysing peculiar situations and addressing the problems.
A deep understanding of risk and compliance management principles, and knowledge of industry-specific regulations, standards, and frameworks: I must have the right and adequate knowledge to be confident about the solutions I am proffering.
Excellent communication and report-writing abilities: I have to tailor my language to the audience I am speaking with and provide adequate information about the feedback/propositions from the assessment in reports, using simple terms.
What do you like to do in your spare time?
I spend time with family, read novels, watch movies, and read about the GRC landscape to keep an overview of updates.