As the threat landscape multiplies in sophistication and complexity, new roles in cybersecurity are presenting themselves more frequently than ever before. For example, attack surface management.

These cybersecurity professionals are responsible for identifying, mapping and securing all external digital assets an organization owns or is connected to. This includes servers, domains, cloud assets and any other digital points that could be exploited by cyber criminals. Their role involves continuously monitoring these assets for vulnerabilities, misconfigurations or other potential security risks and implementing measures to mitigate these risks. They also work to reduce the organization’s overall attack surface by eliminating unnecessary access points and ensuring that all remaining ones are properly secured.

In this exclusive and informative Q&A, we spoke with Sara Lipala, lead technologist, attack surface management for Booz Allen Hamilton. Lipala is an accomplished cybersecurity professional with over five years of experience in the manufacturing and consulting industries, with a focus on vulnerability management, patch management and comprehensive attack surface management.

Did you go to college? What did you go to school for? If not, what certifications did you obtain?

I attended Montclair State University, where I completed a Bachelor of Science in Information Technology with a Computer Science minor. On top of my university education, I’ve obtained industry certifications, including the GIAC Enterprise Vulnerability Assessor Certification (GEVA), Harvard’s Managing Risk in the Information Age, ITILv3 Foundations Certificate and vendor-specific certifications including Qualys: VMDR, Scanning Strategies and Best Practices, Vulnerability Management, Web Application Scanning and Container Security.

What was your first role in IT? If it wasn’t in security, what pushed you to pursue security?

My first role in IT was at my university’s IT Service Desk, where I provided tech support to students and staff. My next role was an IT Operations Analyst Intern, where I primarily focused on change management activities. It was within this role that I had the opportunity to shadow and work directly with the cybersecurity team, which really sparked my interest in the field. I was excited by how rapidly things change and the prospect of building a strong defense for an organization, which then led to further excitement about how much information there was to learn!

A blue team defensive role requires a strong understanding of a variety of topics in order to ensure you’re approaching cybersecurity risks from a holistic view while being aware of where exactly the vulnerability lies and how to manage it. I found myself enjoying the challenge of staying ahead of attackers. I completed my internship and then transitioned to working on the cyber team full-time post-graduation.

What is the most valuable skill you learned in your role?

The most valuable skill I’ve learned in my role is risk prioritization. It’s easy to become overwhelmed by the attack surface of an organization — there’s data coming from a multitude of sources that all have “top priority” findings. Due to resource restraints, it’s often impossible to address all top-priority findings at once. Prioritizing vulnerabilities means that you focus on the most critical findings based on risk likelihood and the potential impact of exploitation.

For example, a high-severity internet-facing vulnerability carries a much greater remediation urgency over a high-severity vulnerability on a well-protected sandbox server on the internal network.

Risk prioritization also adds meaningful and impactful context to a vulnerability report. This allows the audience to understand what the vulnerability findings actually mean in terms of risk to the organization rather than a solely quantitative metrics report. Prioritizing security risk also provides visibility to leadership for the effective allocation of resources to mitigate and/or remediate the findings. Developing this skill helps create clarity out of chaos.

What soft skills do you think make a person successful in cybersecurity, and specifically in attack surface management?

A few soft skills I believe are required for success in cybersecurity are determination, organization, levelheadedness, attention to detail and the ability to communicate clearly and confidently.

Cybersecurity, by nature, can present stressful situations in response to threats or attacks. In those circumstances, it’s important to be able to seek out and review a lot of information, summarize it and then deliver findings in a comprehensive, polished way.

Specific to attack surface management, I’d elaborate on the ability to effectively communicate to a variety of teams and levels within the organization. Vulnerability findings may point you to a less technical application owner within the business, and it’s imperative to convey the security risk and next steps in a digestible format. Other times, you’ll need to deliver metric reports to business leaders with a different focus and set of requirements.

Additionally, attack surface management requires working with various remediation teams to address specific findings. You’re also regularly working with different teams within cybersecurity, such as incident response, security architecture and GRC. It’s helpful to learn who’s responsible for specific areas of the business in order to effectively work with appropriate teams.

Any parting thoughts or final advice to someone interested in your type of role?

Attack surface management utilizes a lot of open-source intelligence data that is readily available online. I’d recommend checking out Zero Day Initiative, Internet Storm Center, CISA’s Known Exploited Vulnerabilities Catalog, the OWASP Risk Rating Methodology and the NIST Cybersecurity Framework to learn more about what goes into the role. There are also community editions available from tools like Qualys and Tenable, in addition to forums and online training certificate courses, all for free! It’s crucial to stay on top of industry innovations and cybersecurity news.

I’d also advise someone to not be overwhelmed by the breadth of topics related to attack surface management. Operational knowledge across multiple domains such as cloud computing, penetration testing, security architecture, security compliance, networking, operating system and application level patching and web application security is all very useful, but you don’t need to be an expert in every area when starting out.

I’ve learned a lot from mentors and coworkers on different teams, in addition to seeking out information on my own. Every time you come across something new, there’s an opportunity to learn even more. Don’t be afraid to ask questions or admit that you need additional information to gain a better understanding. We’ve all been there! I’d also advise women to not get discouraged by being the only female at the table, in the room or on the team. The gender disparity in cybersecurity is improving but still very much exists, and it’s important that we continue to challenge it together.