
Security Spotlight - Sheena Shrivastava, Principal Security Consultant

China Zamora
April 20, 2026

Our new Security Spotlight series is all about the people behind the scenes, and how they bring cyber security to life in practice. This month, we’re introducing one of our Principal GRC Consultants, Sheena, who’s been working in cyber for the past 10 years.

Can you briefly introduce yourself?

I’m a Principal GRC Consultant at Infotrust, and I’ve been working in cyber for 10 years now. My core focus is helping organisations make sense of complex security and compliance requirements, whether that’s PCI DSS, ISO 27001, or broader risk frameworks like NIST.

What I really do day to day is bridge the gap between theory and reality. It’s one thing to have a framework on paper, and another to make it actually work in a live environment with real constraints, stakeholders, and competing priorities.

A big part of my role is also translating technical risk into something business leaders can understand and act on. Because at the end of the day, if security doesn’t influence decisions, it doesn’t really create value.

What first sparked your interest in cyber security, and what path led you into a technical leadership role?

I didn’t start out thinking I’d end up in cyber. What pulled me in was the problem-solving aspect. You’re constantly dealing with ambiguity, figuring out how systems interact, where risks actually sit, and what really matters versus what just looks good on paper.

As I got more exposure, I realised cyber sits at a really interesting intersection of technology, business, and human behaviour. That made it a lot more engaging than a purely technical role.

Over time, I found myself leaning more into the advisory side, not just identifying issues but shaping how organisations respond to them. That naturally led to more leadership responsibilities, where it’s less about doing everything yourself and more about guiding direction, mentoring teams, and helping clients make confident decisions.

What experiences most shaped your approach to security today?

Working across different clients and seeing how the same framework can land very differently depending on the organisation has been a big influence. It really shows you that there’s no one-size-fits-all approach.

Early on, I realised security can’t be a checkbox exercise. You can technically meet every requirement and still be exposed if the controls don’t fit the environment or if people don’t actually follow them.

Now my approach is always grounded in practicality. What actually reduces risk here, for this organisation, with their people and systems. I also spend a lot more time thinking about sustainability, because a control that works for three months but fails after that isn’t really a control.

How has the threat landscape evolved since you started, and how have you adapted?

The biggest shift is how fast things move now. Threats are more dynamic, more targeted, and often tied to business processes rather than just technical vulnerabilities. Attackers are not just looking for weak systems, they’re looking for weak points in how organisations operate.

There’s also been a noticeable shift towards identity, cloud environments, and third-party ecosystems, which has expanded the attack surface significantly.

To adapt, I’ve had to stay close to both sides. Understanding the technical changes, but also how attackers think in terms of business impact. It’s less about reacting to individual threats and more about building resilience into systems, processes, and decision-making so organisations can handle whatever comes next.

What is the most rewarding part of your role? What are you passionate about?

The most rewarding part is when things finally click for a client. When they move from seeing security as a compliance burden to actually understanding how it supports their business and reduces real risk.

I’m passionate about simplifying complexity. A lot of what we do in cyber can feel overwhelming, and if people don’t understand it, they won’t engage with it or prioritise it.

I also really enjoy helping teams build capability. Not just delivering a framework or assessment, but leaving them in a better position to manage security themselves. That shift from dependency to ownership is something I find genuinely satisfying.

What advice would you have for students looking to get into cyber or individuals who want to shift their career towards cyber?

Don’t get too caught up trying to learn everything at once. Cyber is huge, and it’s easy to feel overwhelmed. Start with one area that interests you and go deep enough to understand how it works in practice, not just in theory.

Also, focus on thinking, not just tools. Tools change all the time, but the ability to break down problems, understand risk, and ask the right questions is what will set you apart long term.

And finally, get comfortable with ambiguity. You won’t always have perfect information, and that’s normal in this field. The ability to make sound decisions despite that uncertainty is what really defines strong professionals in cyber.

If you can build that mindset early, you’ll progress much faster than just chasing certifications or trends.