It was a long and rocky process for me to get into cyber security consulting. Over the years, periods of study and work have overlapped, and technology and security have always been at their core, but it took me time to find that common thread.
Searching for the right place
I studied chemical engineering for one year before going to the army. The military service launched the longest period of studies and employment in my entire career path. On a visit to the National Defence University during the reserve officer course, the recruiting officer's speech convinced me, and I quit my engineering studies and started the cadet course the following autumn.
I think it applies to many things that you can't know until you've tried. What you can learn, at least, is what you don't want. During my military career, I gradually realized that I didn't want to be a conscript trainer, nor did I want to end up leading a unit.
I started looking for a new path through further studies. First, I kind of took a break from work when I studied for my master's degree in military science. My doubts about the future were strengthened when I returned to work, and I came up with the idea of becoming a cyber security expert. My interest in the subject had already been evident in the theses of my officer studies, where I examined network operations in cyber network-centric warfare and cyber threats to a brigade combat unit. I wanted to study for a second degree while working to specialize in cyber security, and I was not planning on leaving the Finnish Defence Forces.
Shortly before graduating from the master's program in cyber security at the University of Jyväskylä, I joined the Army Command as a cyber officer. There I got various tasks involving information security and cyber security. The tasks were spot on and made me feel better. I took part in developing CSOC capability, cyber surveillance, development of its technology and processes, and information security tasks in projects.
I liked my job, but the seeds of doubt sprouted again. I have been interested in various systems since I was young: I have dismantled and studied all kinds of electronics, and playing around with computers, in particular, has developed into a hobby. The difficulty of reconciling an officer's career with my interest in systems and computers became evident. I felt that an officer's career is designed so that one should progress, get promoted, lead in an administrative role, and thereby gradually and inevitably move away from practical work assignments. The future looked like I would not get to do what I wanted to do, be who I am.
Cyber consultation was the answer
My path led to the right place when I came to Insta for cyber security consulting work in the late summer of 2021. I get to do what I love, and I'm not afraid of losing touch with the concrete work in the future either. Depending on the customer and the ordered solution, my work includes, for example, threat modeling, reviewing or building information security management systems, and current state analyses. I also take part in the CISO-as-a-service offering we have.
More and more organizations want to map out the robustness of their systems and train for different threats. For that purpose, we organize workshops in which, under the guidance of a consultant, we get familiar with the structure of the company's system and all the aspects it affects. Why would someone want to go there? What kind of threats would it cause? How would it happen? What would be the consequences? As the outcome, we look at what actions have already been taken against the threats and what remains to be done.
The content of my workday can be anything: working with clients, internal meetings, or studying something that benefits my work. Currently, the work situation does not leave time for direct study of things, but due to the versatile work tasks, ISO27001, GDPR, PiTuKri, and many other documents guiding information security and data protection are becoming familiar. There's no danger of having to repeat the same task every day.
The work environment is very flexible, and I can quite freely decide my working hours according to what suits my work rhythm and what I need to get done during the day. I live in Mikkeli, which hasn't been a problem even though Insta doesn't have an office here. We visit the office or customers as needed.
Even in the current job, I have to think about security classifications: how is something classified, to whom can I talk about it, can I talk about it? However, I can now talk about some things even on the phone. Our conversation culture is otherwise very open; you can talk to everyone, regardless of role or position. I don't have to take things through middle steps, but I can speak with those I need to talk to. We also have very different kinds of people at work, which I think is great.
I have always liked to learn, and at Insta, I have the opportunity to expand and deepen my knowledge in my area of specialization. Another option is to focus on a different area when it's possible. For example, if I don't become a threat modeler, maybe I want to deal with data protection? Here, a specific role and tasks are not as carved in stone as in a line organization: there is room to grow in a suitable direction. One day, I believe I will produce a doctoral dissertation on cyber security, but that is not a short-term goal. Instead, the next goal would be to achieve the necessary capability to perform various audits, and Insta offers many opportunities for this in the form of both courses and certifications.