October 12, 2023 By Mark Stone 4 min read

As the threat landscape multiplies in sophistication and complexity, new roles in cybersecurity are presenting themselves more frequently than ever before. For example, attack surface management.

These cybersecurity professionals are responsible for identifying, mapping and securing all external digital assets an organization owns or is connected to. This includes servers, domains, cloud assets and any other digital points that could be exploited by cyber criminals. Their role involves continuously monitoring these assets for vulnerabilities, misconfigurations or other potential security risks and implementing measures to mitigate these risks. They also work to reduce the organization’s overall attack surface by eliminating unnecessary access points and ensuring that all remaining ones are properly secured.

In this exclusive and informative Q&A, we spoke with Sara Lipala, lead technologist, attack surface management for Booz Allen Hamilton. Lipala is an accomplished cybersecurity professional with over five years of experience in the manufacturing and consulting industries, with a focus on vulnerability management, patch management and comprehensive attack surface management.

Did you go to college? What did you go to school for? If not, what certifications did you obtain?

I attended Montclair State University, where I completed a Bachelor of Science in Information Technology with a Computer Science minor. On top of my university education, I’ve obtained industry certifications, including the GIAC Enterprise Vulnerability Assessor Certification (GEVA), Harvard’s Managing Risk in the Information Age, ITILv3 Foundations Certificate and vendor-specific certifications including Qualys: VMDR, Scanning Strategies and Best Practices, Vulnerability Management, Web Application Scanning and Container Security.

What was your first role in IT? If it wasn’t in security, what pushed you to pursue security?

My first role in IT was at my university’s IT Service Desk, where I provided tech support to students and staff. My next role was an IT Operations Analyst Intern, where I primarily focused on change management activities. It was within this role that I had the opportunity to shadow and work directly with the cybersecurity team, which really sparked my interest in the field. I was excited by how rapidly things change and the prospect of building a strong defense for an organization, which then led to further excitement about how much information there was to learn!

A blue team defensive role requires a strong understanding of a variety of topics in order to ensure you’re approaching cybersecurity risks from a holistic view while being aware of where exactly the vulnerability lies and how to manage it. I found myself enjoying the challenge of staying ahead of attackers. I completed my internship and then transitioned to working on the cyber team full-time post-graduation.

Explore IBM Randori ASM solutions

What is the most valuable skill you learned in your role?

The most valuable skill I’ve learned in my role is risk prioritization. It’s easy to become overwhelmed by the attack surface of an organization — there’s data coming from a multitude of sources that all have “top priority” findings. Due to resource restraints, it’s often impossible to address all top-priority findings at once. Prioritizing vulnerabilities means that you focus on the most critical findings based on risk likelihood and the potential impact of exploitation.

For example, a high-severity internet-facing vulnerability carries a much greater remediation urgency over a high-severity vulnerability on a well-protected sandbox server on the internal network.

Risk prioritization also adds meaningful and impactful context to a vulnerability report. This allows the audience to understand what the vulnerability findings actually mean in terms of risk to the organization rather than a solely quantitative metrics report. Prioritizing security risk also provides visibility to leadership for the effective allocation of resources to mitigate and/or remediate the findings. Developing this skill helps create clarity out of chaos.

What soft skills do you think make a person successful in cybersecurity, and specifically in attack surface management?

A few soft skills I believe are required for success in cybersecurity are determination, organization, levelheadedness, attention to detail and the ability to communicate clearly and confidently.

Cybersecurity, by nature, can present stressful situations in response to threats or attacks. In those circumstances, it’s important to be able to seek out and review a lot of information, summarize it and then deliver findings in a comprehensive, polished way.

Specific to attack surface management, I’d elaborate on the ability to effectively communicate to a variety of teams and levels within the organization. Vulnerability findings may point you to a less technical application owner within the business, and it’s imperative to convey the security risk and next steps in a digestible format. Other times, you’ll need to deliver metric reports to business leaders with a different focus and set of requirements.

Additionally, attack surface management requires working with various remediation teams to address specific findings. You’re also regularly working with different teams within cybersecurity, such as incident response, security architecture and GRC. It’s helpful to learn who’s responsible for specific areas of the business in order to effectively work with appropriate teams.

Any parting thoughts or final advice to someone interested in your type of role?

Attack surface management utilizes a lot of open-source intelligence data that is readily available online. I’d recommend checking out Zero Day Initiative, Internet Storm Center, CISA’s Known Exploited Vulnerabilities Catalog, the OWASP Risk Rating Methodology and the NIST Cybersecurity Framework to learn more about what goes into the role. There are also community editions available from tools like Qualys and Tenable, in addition to forums and online training certificate courses, all for free! It’s crucial to stay on top of industry innovations and cybersecurity news.

I’d also advise someone to not be overwhelmed by the breadth of topics related to attack surface management. Operational knowledge across multiple domains such as cloud computing, penetration testing, security architecture, security compliance, networking, operating system and application level patching and web application security is all very useful, but you don’t need to be an expert in every area when starting out.

I’ve learned a lot from mentors and coworkers on different teams, in addition to seeking out information on my own. Every time you come across something new, there’s an opportunity to learn even more. Don’t be afraid to ask questions or admit that you need additional information to gain a better understanding. We’ve all been there! I’d also advise women to not get discouraged by being the only female at the table, in the room or on the team. The gender disparity in cybersecurity is improving but still very much exists, and it’s important that we continue to challenge it together.

More from Security Services

How a new wave of deepfake-driven cyber crime targets businesses

5 min read - As deepfake attacks on businesses dominate news headlines, detection experts are gathering valuable insights into how these attacks came into being and the vulnerabilities they exploit. Between 2023 and 2024, frequent phishing and social engineering campaigns led to account hijacking and theft of assets and data, identity theft, and reputational damage to businesses across industries. Call centers of major banks and financial institutions are now overwhelmed by an onslaught of deepfake calls using voice cloning technology in efforts to break…

What should Security Operations teams take away from the IBM X-Force 2024 Threat Intelligence Index?

3 min read - The IBM X-Force 2024 Threat Intelligence Index has been released. The headlines are in and among them are the fact that a global identity crisis is emerging. X-Force noted a 71% increase year-to-year in attacks using valid credentials.In this blog post, I’ll explore three cybersecurity recommendations from the Threat Intelligence Index, and define a checklist your Security Operations Center (SOC) should consider as you help your organization manage identity risk.The report identified six action items:Remove identity silosReduce the risk of…

X-Force Threat Intelligence Index 2024 reveals stolen credentials as top risk, with AI attacks on the horizon

4 min read - Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe: A sharp increase in abuse of valid accounts…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today