Ong Pee Beng joined the workforce at a time when the IT sector was booming, so you could say he had it a little easier than most. But the security specialist from IBM would readily admit that no one is indispensable in the workplace today.
Ong is a senior security consultant for IBM Global Services in Asean and South Asia.
The Singapore-based Computer Science graduate began contributing to the local economy in 1999 as a systems administrator with Hewlett-Packard (HP).
Now a 30-year-old father of an infant daughter, Ong talks about his career plans and discusses how he keeps himself employable in the current work environment--where "no one is indispensable".
Q: Too often, we hear of one company or another giving out pink slips and cutting staff. Does today's erratic job landscape scare you?
A: No one is indispensable. So you need to continuously upgrade and keep your knowledge in tune with the industry. Like all rat races, there'll always be winners and losers so you must keep learning new things [to stay employable].
You need to be able to change and adapt to the environment and business requirements. IT is such a dynamic field. If you don't change fast enough, you become a dinosaur. It isn't easy but in order to survive, you don't have a choice.
What keeps you going then, especially since it's such a competitive industry? Where are the rewards?
Pay is important to sustain your livelihood. You also look at the experience and intangible benefits you get from the job. Some people also enjoy talking to customers and are happy to see their clients happy! And of course, the 'hygiene' part of the job is important, such as staff welfare and career development.
There needs to be a basket of elements. So far, I'm pretty contended with how things are going, and I still have time for my family which is especially important since I have a 10-month-old child. IBM is pro-family. That's why we have so much flexibility as mobile workers… not many organizations today provide that.
So were you thinking about these factors when you decided to enter the IT industry?
I don't think you start off knowing what you want to do. I entered the National University of Singapore's School of Computing because the IT industry was booming at the time, and I liked playing computer games. But of course, the syllabus was all about programming.
I graduated in 1999, and IT jobs were hot at that time because of Y2K (millennium bug). My first job was at HP where I was a systems administrator, managing production servers that supported the company's customers in the Asia-Pacific region. I was roped into a security role during my second year, and was part of a team that was responsible for HP's internal security. One of the things I did was to monitor and reinforce the security policies that we had implemented. I had to go around telling people, 'You can't do this, and you can't do that'… so I probably annoyed people quite a bit!
The challenging part about being in an IT security role is having to educate users and finding the balance between the company's business and IT security needs. Usually, business requirements would turn out to be the overriding factor…I have to admit that it was tough, and sometimes, the business managers would want to do things their way. But eventually, the management staff would realize at some point that security is equally important. Business and IT must be aligned because if something goes wrong [as a result of a lapse in security], the brand name of your company will be tarnished and this can affect the number of customer deals.
You spent about four years at HP before moving on as an IT auditor with consulting firm KPMG. How was that experience?
The transition was enriching because I moved from looking after internal operations to external (customer's IT operations). I also looked at issues from a compliance perspective and gained new insights on how things were addressed at the management level.
You start thinking more about how IT affects the entire organization. For example, if a financial company has an IT system with weak internal and security controls, this can lead to broader issues where people outside can manipulate its data and impact its financial status.
If you stick to internal operations without getting any experience from the business side, you tend to have a tunnel vision and want to set a system configuration in a certain way. So if you understood the business side and have a more holistic view, you'll think of other alternatives when you address an issue.
After 18 months at KPMG, you assumed this current position as a security consultant with IBM in 2005. What's your current job like?
The job is somewhat similar to what I did in KPMG, except that it's now more focused on security work rather than auditing. In my current role at IBM, I coordinate security activities and work with the security team to provide support to their customers. One of my team's tasks also includes helping to drive the company's security business in Asean and to provide consulting services to our customers.
But security is a really hot seat to be in now, what with all the security issues that have been cropping up. How are you coping?
New viruses are created every day, so yes, it can be hard to keep up. I've joined various security-related mailing lists and underground online chatrooms. I've subscribed to the portals and newsletters of security vendors so I can get the latest updates.
Getting hackers to chat with you online is easy, but getting real information about what new critical attacks can be tough if you're not part of the network or community. IBM has a dedicated team that sits in the United States. It goes around collecting intelligence and identifying what the latest threats are.
Covering the security segment is like IT, you must continue to update yourself, like how you would for other IT products and developments in the market.
Would training and obtaining certifications help?
Sure, but it depends on what field you plan to specialize in. As a security specialist, there are credentials you'll need to have such as the CISSP (Certified Information Systems Security Professional), which is necessary for those dealing with higher level security issues.
And there is CISA (Certified Information Systems Auditor) which deals with IT compliance and assurance, so it would be relevant for auditors.
For me, I'll probably try and get an MBA (Masters in Business Administration) next to better understand the other side of the business. As you progress in your career, you'll probably want to grow your IT management experience and learn how IT can be better aligned with business. You need to play a more strategic role and progress to the highest level in your professional, which is to become chief information or technology officer.
Which part in your career would you say has been the most fulfilling?
When you're part of the operations team, as I was in HP, you worry about making sure IT systems are up and running to support the business. Availability was my main concern. Now, it's about adding value for IBM's customers and giving recommendations that are feasible for their business.
Every stage of my career was necessary to what I'm doing now, and each phase was a learning process that that I needed to go through in order to move up. Without any of them, it would be tough to do what I'm doing now at IBM.