Mentorship and Capture the Flag: How to nurture cybersecurity talent

by Black Hat Middle East and Africa

Heba Farahat (Senior Cybersecurity Consultant at Liquid C2) was named an IFSEC Global Influencer in 2019, ranking third in the young professionals’ category. In 2020, she received the Top 50 Women in Cybersecurity in Africa Award, and the Rising Star Middle East Award; and in 2022, the Women Ethical Hacker of the Year Award. 

We asked Farahat about the drivers that have helped her build her career so far, and why it’s so important to her to give back through mentorship programs that support other young professionals. 

Here’s what she told us. 

Could you share your career journey so far?

“My journey into cybersecurity began in 2017 through a cybersecurity scholarship at the Information Technology Institute (ITI). Among thousands of applicants, I was fortunate to be selected as one of the cybersecurity students. 

“Grateful for this opportunity, I was determined to share whatever I would learn in the scholarship and generally throughout my path with others. This commitment to sharing knowledge and helping others has become a core part of who I am. I always told myself that even if I could make a small difference, impacting even 1% of the people in my circle, I would be satisfied.

“Since then, I've been actively involved in delivering talks, sessions, and training on cybersecurity to a diverse range of audiences. This includes educating kids on online safety, introducing teens to cybersecurity fundamentals and concepts, and assisting parents in navigating the cyber threats faced by their children. Additionally, I've conducted cybersecurity sessions for new employees and provided training to existing staff.

“As my passion for cybersecurity grew, I began speaking at public events, universities, and conferences both locally and internationally. I also co-led the organisation of Capture The Flag (CTF) competitions for the MENA region at the WICSME conference for two consecutive years, then supervised it in the third year. 

“I believe that CTFs offer one of the most effective ways to learn about cybersecurity in a gamified manner. For that purpose, I actively participated in CTFs at the start of my career, and my team ranked among the top 5 in several regional competitions. 

“Eventually, I transitioned from the player seat to the driver seat, aiming to help more people enhance their cybersecurity skills. Over the years, the number of participants doubled, attracting players from 15 different countries, with women comprising over 60% of the participants. 

“It's a voluntary commitment, unlike typical work, where the aim is promotion or rewards from superiors. Rather, it is fueled by a sense of responsibility towards the community and an intrinsic motivation to assist and uplift others.”

What does a typical day in your working life look like?

“I work as a senior cybersecurity consultant. I work closely with organisations across various sectors in the MENA region – including banking, telecom, financial, healthcare, insurance, tourism – to help them enhance their cybersecurity posture and support their business operations.

“I conduct end-to-end security assessments for projects. This process begins with a thorough review of the requirements, ensuring that security requirements are clearly stated. Following this, I conduct threat modelling and risk assessments, and then evaluate the existing security architecture. 

“Moving forward, I perform vulnerability assessments and penetration tests. During one of our work engagements, my colleague Hosam Gemi and I discovered two zero-days in the SD-WAN Cisco product: CVE-2023-20261 and CVE-2023-20254.”

What are the biggest challenges you face in terms of ensuring organisations understand (and act on) the vulnerabilities you've identified for them?  

“Underestimating the possible consequences of security flaws and the assumption that it won't happen to us. Also, sometimes the business team doesn't want to allocate time to mitigate the security flaws – one of the biggest challenges all the time is the conflict between the business team and the security team in any organisation. 

“Sometimes business and security speak different languages, making it challenging to understand each other's perspectives and creating a sense of division. And the technical experts sometimes struggle to communicate the risks effectively in a language that the business can comprehend and act upon. 

“However, the reality contradicts these misconceptions; the security team is here to support and empower the business. Its role is to ensure that the business can continuously perform and operate, protecting it from any external or internal threat that could disrupt its operation or harm the organisation's reputation.”

Why is it important to you to be involved in mentorship programmes and training as well as doing your day-to-day work? 

“Simply because I think this is how this world is designed. Starting from childhood when we rely on our parents to nurture us into adulthood. As we grow older, we become the caregivers for our ageing parents, completing the cycle of support and guidance. So, in this world, we are here to support and guide each other’s way to grow, give people around us all support to write their own chapters and go through their own story. 

“Also, I become personally happy when I witness people become better versions of themselves, excel in their careers, and get promoted. I am honoured to have been invited to serve as a mentor in several regional programs, including the Women in Cyber Mentorship Programme under ITU 2023, The CyberGirls Fellowship 2022 by CyberSafe Foundation, Cybertalents Cybersecurity BootCamp 2022, and Cybertalents Security Scholarship 2021. 

“On the other hand, balancing that alongside our day-to-day work and personal commitments can be challenging and sometimes overwhelming – but mentorship is one of my favourite ways to give back to the community.”

Finally, what was the best thing about Black Hat MEA 2023? 

“The best thing about Black Hat MEA 2023 was its introduction of new topics to the region, particularly medical device hacking. Exploring the vulnerabilities inherent in medical devices was truly eye-opening. For instance, malicious attackers could manipulate device readings, potentially leading doctors to prescribe incorrect medication or even halting the device's operation. It was noteworthy to learn about the vulnerabilities in medical devices and their severe impact on patients' lives.”

Thanks to Heba Farahat at Liquid C2. Register now to attend Black Hat MEA 2024. 
