Do you have to follow a conventional path into working in cybersecurity? How useful are internships really? And how can we tackle the dangers of shadow IT without compromising academic freedom?
Joost Gadellaa joined Dutch NREN SURF as a technical product manager in late 2022 after completing an internship there, during which he researched shadow IT in higher education.
Here, Joost shares his experiences to date as a young cybersecurity professional, talking internships, initiative, and the importance of pragmatism.
What made you choose a career in IT, and in cybersecurity specifically?
I rolled into it by accident. While studying economics at university, I got a side job at the IT service desk, and I really liked it there. I found it satisfying to help people, and I liked the puzzle-solving element of fixing IT problems.
I started listening to podcasts on cybersecurity, and realised this might be something I wanted to do. After working at the service desk for a few years I asked the IT security department, “Hey, do you need a student who knows the organisation and can do stuff for you around security?” So they created that role for me.
Then I did a master’s in business informatics, which combines some economics, management and computer science. For my final thesis, I thought, “Okay, I’m going to find something security related, so I can hopefully make a career of that afterwards.”
Based on your own experiences so far, what’s your top advice for anyone considering a career in this sector?
Just get started. Don’t hold back because you think you don’t have all the skills or won’t be a good fit. I saw that among some students from my master’s.
There are always roles you can get started in. And an organisation like SURF, especially, just wants to get somebody on board who they can see has certain skills, who can learn, can communicate, and their brain works. The rest, we can teach them.
I got an internship by approaching somebody at SURF and asking, “Do you have any topics I could research for my master’s thesis?”
And they had some topics. And now I’m here.
Would you recommend an internship as a good way to build experience?
Yes. I took my internship seriously. I’ve seen other interns who are just turning up because they have to do an internship.
But I wanted to be here, and I put in the effort. And I think that’s also why they hired me afterwards.
An NREN is one of the best places to do a research internship. Because the people who work there know how research works. Otherwise, it can be difficult for somebody who wants to write an academic thesis to find an internship, because internship companies don’t always know what research actually entails.
Can you tell us about your current role at SURF?
I’m a technical product manager. For half of my time, I’m responsible for service delivery of things like the SURF mail filter and certificate services, which we provide to the institutions. A very practical role.
The other half is more free. We have an innovation programme, where we conduct projects that SURF members want around cybersecurity. We have all kinds of initiatives around testing and improving technical cybersecurity resilience. Think of red teaming, vulnerability scanning, and similar endeavours.
What has surprised me is how much opportunity and time I get for learning new things.
Sometimes we need to implement something – say, a new monitoring rule for the mail server. One of my colleagues could do that in 10 minutes.
But they’ll let me figure out how to do it, even though it takes me half a day or more, and I have to ask a lot of questions. So that next time, I can do it on my own.
And that’s nice because it feels like they actually want to invest in me. There’s a focus on the long term.
Which particular skills, experience or qualifications do you think were most important for getting hired in your current role?
I think – and this applies for IT and especially for cybersecurity – the most important factor is curiosity. And puzzle skills, analytic skills.
The people who get good at IT and IT security are the ones who don’t just take a system and start to use it.
They’re the ones who go through all the settings, figuring out what they do, how it all works, thinking, “Hmm, maybe there’s something here I can change.” Even though they don’t have a direct reason to do so.
What are the most rewarding aspects of your current role?
Helping people is a big one. And playing a role in enabling something that feels as intrinsically good as education and research is very satisfying.
On the flip side, what are the biggest challenges?
The beautiful thing about SURF is that we are a cooperative of all the Dutch universities, other schools, and research institutions.
And the downside is that we are a cooperative of all the universities, other schools, and research institutions.
This can make it slow to get projects started, because you have to talk to everybody to get support, build momentum, and demonstrate the value of your initiative. I think this goes for a lot of semi-public or public sector work.
What first got you interested in shadow IT in the higher education and research sector?
I was researching possible topics for my master’s thesis. And I really recognised the problem of shadow IT from when I was working in university IT – that there can be a big gap between how a university thinks the IT infrastructure should work and what people are actually doing.
The fact you need both technical skills and people skills to understand the problem also got me interested.
Does shadow IT show up in a particular way in this sector?
The problems with shadow IT are very similar across sectors. But it can be a bigger issue in the education and research sector because of the culture of academic freedom. Staff and professors feel they can just do whatever they think needs to be done.
And to a certain extent, that’s true. You need a lot of freedom to be able to conduct research and to form your education in a way you think is right.
Also, older universities especially are often very decentralised in their IT. Departments started building their own servers as soon as servers became a thing, long before corporate IT was a thing.
In terms of shadow IT, how does the sector strike a balance between enabling academic freedom while ensuring effective cybersecurity?
It’s a very big challenge. A key thing is understanding the end users and their needs.
You have to realise as a university IT department that you’re not a bank or a supermarket. Users can have very diverse needs and they have this culture of doing what they think is right. Taking that as an assumption from the start in how you design your systems and your IT offerings is very important.
But, on the other hand – we aren’t that special. We still need to implement basic security measures, such as multifactor authentication, proper passwords, network segmentation, virus scanning, and so on.
At the last GÉANT conference, I heard someone say 80% of the incidents we saw last year could have been prevented by something as simple as these.
Yet these basic measures can be more difficult to implement if you’re dealing with a very diverse set of unregistered applications. And if people can do whatever they want on their computer instead of you managing it.
Typically, IT managers like having control, especially for security. But sometimes, and I think especially in the higher education and research sector, you need to give some control away in order to be more secure.
If you try to control things too tightly – for instance, allowing only a very limited set of applications on laptops – then everybody’s just going to find a way to use something else. Departments have the funding to buy a different laptop without involving you.
If you let go of some control, you can keep more people on board with your central IT. And then you can make it more secure.
Accepting that idea is something we can do as a sector to reduce shadow IT and improve security.
So pragmatism is more important than theoretical best practice?
Very much. Although, I’m careful with saying that because I’ve also heard that as an excuse not to do certain things.
For instance, I can safely say it’s unacceptable to not have multifactor authentication implemented at this point in your institution, even if only for the most important systems.
But there are still institutions that say, “Yes, but we are a university, it’s very different here. We cannot just require multifactor authentication.”
During my research, almost everybody I interviewed started with how special their institution is. Big universities, small schools – all said the same.
And although it’s sometimes true, ‘being special’ can too often be used as an excuse to avoid implementing basic security measures.
What’s the biggest lesson you’ve learned so far?
It’s a cliché, but a lot of people don’t know what they’re doing.
Also, people actually like it when you ask for advice. So, you can always ask for more advice than you think you can.
Except for maybe your thesis supervisor. If you send them three emails a week, your grade might fall a bit.
Joost Gadellaa is a technical product manager at SURF, the Dutch NREN, where he works on improving the technical cyber-resilience of institutions. His master’s thesis, “Cyber Threats of Shadow IT in Dutch Higher Education and Research,” can be found at https://edu.nl/683h9. Joost presented at TNC23 and SURF’s national security and privacy conference on this topic. In his free time you will find him climbing, hiking, or working on home automation in his own house and tinkering with even more IT stuff.
This year, GÉANT again joins the European Cyber Security Month, with the campaign 'Become A Cyber Hero'. Read articles from cyber security experts within our community and download resources from our awareness package on connect.geant.org/csm23