Spirit Managed Services is now branded Infotrust.
Cyber Emergency Number:
IT Support Number:
Security Spotlight

Security Spotlight - Cheeryl Abne, Senior Security Consultant

China Zamora
July 14, 2026
Home

Let's Get STARTED

In this edition of Security Spotlight, we speak with Cheeryl, Senior Cyber Security Consultant about the experiences that led them from IT and audit into governance, risk and compliance. We also explore how diverse experiences across IT, audit, and GRC have helped shape a practical consulting approach, along with insights into AI, emerging threats and advice for those looking to build a career in cyber.

Can you please briefly introduce yourself?

I'm a Senior Cyber Security Consultant in the GRC team at Infotrust, with a long-standing background across IT, audit and cyber security. My work focuses on governance, risk and compliance, helping organisations strengthen their security through frameworks such as ISO 27001, ISO 27017/27018, ISO 27701, NIST CSF, SOC 2 and third-party risk management, along with incident response and business continuity planning. Most of my day-to-day work involves getting to know how a client's organisation actually operates, then helping them build security practices that are practical and realistic for their business, rather than generic best-practice on paper. I've also picked up a number of certifications along the way, including Certified Crypto Auditor (CCA™), Certified Enterprise Blockchain Professional, PECB ISO/IEC 42001 Lead Implementer and Certified Ransomware Protection Officer (CRPO).

What first sparked your interest in cyber security, and what path led you into a technical leadership role?

I don't think my career followed a traditional path, and looking back, I'm actually grateful for that. I studied Electronics Engineering at university, but I never had the opportunity to work in that field. Instead, I started my career in IT. One of my early projects involved helping reconcile and validate large volumes of client data using analytics and web scraping. That project went well, and it opened the door to something completely different. I was offered a spot on a royalty audit team, even though I had no prior audit experience.

That role taught me something I've carried with me ever since and that you don't always need to know everything before taking on a new challenge. If you're willing to learn, stay curious and put in the effort, opportunities tend to follow.

From there, I moved into IT audit, then governance, risk and compliance, and eventually cyber security consulting. It wasn't something I planned from day one, but each role built on the last, and over time I found the area where I felt I could contribute the most.

What experiences most shaped your approach to security today?

Working across both audit and consulting has probably shaped my approach more than anything else.

Audit taught me the importance of evidence, governance and understanding whether controls are actually working. Consulting taught me that every organisation is different, and recommendations need to fit the client's environment, priorities and level of maturity.

I've also been fortunate to work with organisations across APAC, Europe and North America, as well as here in Australia, which gave me exposure to different regulatory environments and different ways of approaching similar audit and security challenges. Perhaps more importantly, I've learned a great deal from the people I've worked with. Colleagues, mentors and clients have all challenged my thinking over the years, and those conversations have helped me become more practical in my approach.

How has the threat landscape evolved since you started, and how have you adapted?

The pace of change has been remarkable. When I first started, organisations were largely focused on traditional infrastructure risks. Today, ransomware, supply chain attacks, identity-based attacks and cloud security IT/OT are everyday concerns, and AI has introduced a whole new set of opportunities and risks alongside them.

AI is a good example. It can genuinely improve productivity, but it also brings challenges organisations are still learning to manage. Most people are already familiar with prompt injection attacks, but there are other emerging concerns too. Through hands-on use of everyday AI tools, I've started noticing a pattern I'd personally call prompt bleeding, which is a term I use to describe situations where information from earlier prompts or contextual memory seems to unintentionally carry through and influence later outputs. It's loosely similar to data leakage, though not the same thing, and it's one of the areas I expect to become more relevant as generative AI becomes more embedded in everyday work.

To keep up with this pace of change, I try to make continuous learning a priority, and staying engaged with the wider cyber security community is just as important as any certification.

What is the most rewarding part of your role? What are you passionate about?

For me, it's knowing I've made a positive difference, even if it's only a small one. Sometimes that's helping a client improve an important security process. Sometimes it's simply giving someone the confidence to tackle a challenge they weren't sure about. Sometimes it's just supporting the team quietly in the background, without needing to be the one out in front. Those moments are rewarding because they remind me that meaningful progress doesn't always come from big changes, often it starts with small improvements that build overtime.

Cyber security can feel complex from the outside, so I enjoy breaking things down into something that's easier to understand, with the right level of granularity and context, and pitched to what the audience actually needs and expects, so it's genuinely useful for the people making decisions. As iron sharpens iron, emerging technologies and the risks that come with them give me the opportunity to sharpen my thinking, revisit my assumptions and keep improving my understanding along the way.

What advice would you have for students looking to get into cyber or individuals who want to shift their career towards cyber?

Don't worry too much about having the perfect degree or following the perfect career path. As I mentioned earlier, mine certainly didn't, I moved from Electronics Engineering into IT, then audit, and eventually GRC then cyber security, largely through opportunities I never expected. What mattered most wasn't the degree I had but the willingness to learn, being proactive, asking questions and saying yes to things that pushed me outside my comfort zone.

Cyber security is such a broad industry that there isn't one right way into it. Technical skills and certifications are valuable, and you'll keep building those throughout your career, but curiosity, a willingness to learn and a positive attitude will often take you further than trying to have everything figured out before you begin.

I don't think where you end up in this field is ever really by accident. Our past decisions do carry outcomes and consequences, but wherever you find yourself right now in your career, whether that's a help desk, an audit team, or a role that has nothing to do with security yet, there's usually a reason for it, and it's often more relevant to cyber than it first seems. Make the most of your situation rather than waiting for the "right" security role to come along, because those small beginnings are often exactly where the real growth starts. My advice would simply be to start where you are, learn and stay open to opportunities. Sometimes the career you're meant to have isn't the one you planned, it's the one you grow into.