Breaking in, and through security: Leron Zinatullin

Just over four years ago I received a LinkedIn email from a young man in Russia. It wasn’t too different from emails I occasionally receive. He was someone wanting to build a career in information security and was looking for some advice.

He was on his way to London to start his MSc and wondered if I would be willing to answer a few questions for him.

lz mail

It’s funny how life sometimes comes full circle. It wasn’t that long before then, that I emailed Stephen Bonner (not to be confused with Stephan Bonner)  asking him for career advice.

The difference between Leron and anyone else that has ever asked for advice is his willingness to learn and take on board as much knowledge as possible and then apply it. In a few short years, not only was Leron able to complete his MSc, but he landed a job (while turning down other offers), spoke at events, and wrote a book. Achieving more in 3 years than most people do in 10.

So, the roles are now reversed. I needed to catch up with Leron and pick his brains about his journey and see what I could learn from him.

What made you apply for MSc at UCL?

After several years in in the industry I realised that my education wasn’t complete. I came from a technical background but quickly realised that not all the problems could be solved through technology. I decided to learn more about information security management, culture and usability.

I was attracted to UCL I really liked some of the research staff’s profiles: Angela Sasse, Shamal Faily and David King who was a visiting fellow at that time all helped me a lot during my studies.

I picked modules like “People and Security” to understand the human element of security better and ended up doing some research with Angela on modelling conflicts between security compliance and human behaviour. This involved working with people to understand root causes of poor security culture in organisations.

Do you think it was worthwhile doing it?

Yes, I learned a lot about research techniques, how to come up with a hypothesis and then use qualitative and qualitative methods to prove or disprove it.  I use this knowledge now in my consulting career.

I was always interested in the human aspect of security and this programme combined this with the strong foundation in cryptography and computer security.

You were in Russia when you sent me that first email. What made you get in touch with me?

I remember checking your YouTube channel one evening. The video I was particularly impressed with was called “How do I learn more about infosec?”

Among other good points, you shared your opinion on mentoring and how it works in the real world. I thought since you were talking about it you might well be open to the idea of sharing your knowledge with someone else i.e. me.

I was struggling at the time to see what value I could bring to such a relationship, but decided I would figure it out along the way.

We met several times when you came and we discussed different ideas and also what the industry was like.

What did you find the most useful bit of advice you received?

I found many points useful. I didn’t know what the industry was like in the UK and anywhere outside Russia for that matter. More importantly I wasn’t sure what I wanted to do with my career.

You explained that the security field itself is very broad. It is similar to medicine: there are general practitioners who know a little bit about everything, which is the base level of knowledge. For complex cases they will refer you to specialists in blood, heart, eyes, ears and other specific body parts. The same applies to security: there are broad generalists and technical experts. There are also non-technical security professionals, who understand the business, the risks and how to integrate security into the corporate strategy. Just as you can’t replace a surgeon with a GP, you can’t replace a technical subject-matter expert with a generalist, and vice versa. That made me think about where I see myself adding value to the industry.

I also appreciate your points on personal branding. I started a blog – https://zinatullin.com/ and created my Twitter account @le_rond right after one of our meetings.

After studies you were able to land a job – what advice would you give to anyone looking to land their first job in security?

I would say start with something you like doing. There are many aspects of security and there are different types of work out there. One can easily find something they like.

You gave a talk in the rookie track at BSidesLondon – how was that experience for you?

The experience was very rewarding. I got to know many great people there and I spoke about the convergence of physical and information security. When preparing for the talk, I researched this area thoroughly which also helped a lot with my studies. I got to practice presenting and received valuable feedback from the people in the room. I even managed to get a job offer right after the talk but decided to go for KPMG instead in the end.

I would recommend signing up for the rookie track at BSides to anyone who would like to share their ideas with the community. There is a lot of support provided, in particular from mentors like yourself, to make the experience great.

You also have spoken at universities and other places voluntarily. Why did you do that? How was the experience? Is it something you’d recommend to others?

One thing I didn’t get enough during my studies is industry practitioners coming and sharing their stories. I decided that with some experience here and internationally I could help students and people who are interested in security understand the industry better. I also wanted to give back to the community, and I was sharing some of the tips I’ve learned from you. I help people to work on their soft as well as technical skills and always available to support their efforts. I’m finding it very fulfilling and I would definitively recommend it.

You wrote and published a book earlier in the year. How did you find the process of writing a book? What motivated you to write it? Do you plan on writing more books?

I’m not going to lie – it was hard work. There was a lot of research and re-writing, I took me over three years in total. And this is not a thick book.

As a consultant I help companies develop and implement security strategy and transformation programmes. Working across various industries, I’ve seen some badly implemented security projects which were completely missing the point.

I wrote this book to help security professionals and people who are interested in becoming one to do their job better. I believe that they not only need to ensure that a company is adequately addressing information security risks, but they also have to communicate the value of security appropriately in order to be successful. That’s why it would be also useful for business executives and project managers who would like to get a better understanding of security.

The main goal of this book is to gain insight into information security issues related to human behaviour from both end-users’ and security professionals’ perspectives. It aims to provide a set of recommendations to support the security professional’s decision-making process when implementing controls and communicating these changes within an organisation.

To achieve this, I conducted a number of interviews with UK-based security professionals from various sectors, including financial services, advertising, media, energy and technology. Their views, along with further relevant research, were incorporated into the book, in order to provide a holistic overview of the problem and propose a solution.

The feedback I received so far was very positive and I’m glad I get an opportunity to help people address some of the challenges they face in this area.

I find sharing my knowledge with the community extremely rewarding and I would definitely consider writing more.

Many people will look to you as a success story – someone that achieved a lot in just 4 years… what things do you think best contributed to your success?

 

Thank you Javvad – that’s very kind of you to say that. I think it is always a team effort. Things I’ve achieved are not done just solely on my own. There were many people who helped me with the book, including yourself, for example. People were giving me advice and useful constructive feedback on my early drafts. At work there were also always people willing to help out. I’m very grateful for that. Security is a small world in a good way – get involved and there will always be someone to help you.