By Andy Bui
On March 19th, the Center for Long Term Cybersecurity hosted a talk by Shai Dhaliwal, a cybersecurity manager within Accenture’s Technology Services and Digital Transformation team, entitled “Navigating the Cybersecurity Landscape: The Role of Cybersecurity Consulting.” Drawing on more than a decade of experience working with both public- and private-sector organizations, Dhaliwal shared her perspectives on the role of consultants in helping organizations navigate the complex cybersecurity landscape.
The event was presented as part of the CyberMētis Speaker Series, which connects experts and practitioners with UC Berkeley students to discuss the practical skills and acquired intelligence required to succeed in the field of cybersecurity.
“When I started out about eight years ago, ‘cybersecurity consulting’ was a very vague term,” said Dhaliwal, who is a recent graduate of the UC Berkeley School of Information’s Master of Information Management and System (MIMS) program. “My goal for today is to make sure everyone leaves here with an understanding of the field… so that we get a better understanding of what consulting does to help achieve common goals and interests.”
A Path into Cybersecurity Consulting
Dhaliwal explained that she gained an interest in digital security while she was an undergraduate studying computer science at UC Davis. “At the time, there were few courses available related to cybersecurity,” she said. She worked as an intern for Senator Dianne Feinstein in San Francisco, and later interned for the Department of Commerce, where she had an opportunity to interact with professionals from the National Institute of Standards and Technology, or NIST, a leader in shaping cybersecurity standards.
“I highly recommend folks to take an internship with the government,” she said. “If you are interested in security, I think it gives you a good perspective.”
Dhaliwal explained that she later joined Accenture as an analyst, working on cloud security assessments. “My role as an analyst was to use a template,” she explained. “You’re going to notice a lot of big firms have their own templates and frameworks for how they go about running services. A myth of consulting is that everyone’s an expert, but you’re definitely not an expert when you come in. They’re really looking for people that just like to do challenging work, who put themselves out there trying to figure out problems. That’s really all that is expected of you at that level. As you gain experience, that expertise starts to come.”
Dhaliwal stressed that those interested in cybersecurity should consider gaining technical expertise by acquiring certifications, including CompTIA Security+, which provides exposure to diverse domains and disciplines within cybersecurity. “One of the biggest tips I give to people who are looking to enter cybersecurity is to go get certified,” she said.
While enrolled in the I School’s MIMS Program, Dhaliwal won an award at Accenture as “Security Practitioner of the Year at the Manager Level for North America,” which “opened up a ton of doors,” she said. Her work now largely focuses on working with C-suite leaders to help them respond to breaches and prevent them from happening in the future.
The Goals of Cybersecurity
Dhaliwal explained that much of her work focuses on helping clients achieve the a triad of cybersecurity goals, which are often framed as CIA: confidentiality, integrity, and availability. “If you can achieve those three goals, according to many security professionals, you’re on a good path forward for your organization in protecting sensitive data that’s confidential,” she said. “The role of consultants is just one way of executing on these goals for organizations…. Consultants play a vital role in helping organizations achieve greater security posture, and mitigating those risks.”
With cybersecurity becoming a bigger concern and investment, many companies are beginning to rearrange their budgets for security, bringing in third parties and consultants to assess security and compliance with government frameworks like NIST 853 (Security and Privacy Controls for Information Systems and Organizations).
She referenced the recent cyberattack on Change Healthcare, which was newly merged with parent company UnitedHeatlh Group when a Russian hacker group breached the company’s networks with a ransomware attack. The incident led to physicians not being paid for their work or even being able to look at patient records. “As part of a merger, there’s a whole practice around how to secure an organization as you’re acquiring them,” she said. “However, when the business is demanding you to do that quickly, sometimes things are slipped…. Once you feel the impact of what this means to business, you start to realize, we’ve really got to educate the people on the front lines, the people doing non-technical work, on making sure you’re checking the hygiene of your systems and not sending critical data through email.”
Looking Ahead
Dhaliwal emphasized that consultants can help firms play both “offense and defense” when it comes to cybersecurity. Part of this entails navigating data stored in the cloud, and ensuring that “as you start to move your workloads to third-party cloud service providers, you still own your data as an organization, so you’re not offloading all your risks to that cloud organization, they are handling a portion of it.”
She said that consultants will often conduct assessments of organizations’ existing security postures, then help them ramp up adoption of measures such as multi-factor authentication and “zero trust,” which requires a culture and technology infrastructure that requires authentication often due to the assumption of always being at risk.
“Starting to get those controls in place is becoming even more important,” Dhaliwal said. “That’s a lot of what consultants would do for organizations that maybe don’t have the resources today, but they’re trying to train and get their people ramped up. Our goal really is to create outcomes for organizations to help them protect and respond to common threats.”