December 1, 2025

Career Spotlight: Amna Pasha

Meet Amna Pasha, Senior Manager of Technology Risk Management at Capital One, and learn how she got into her career path.

This month, we’re excited to feature Amna Pasha, a Senior Manager at Capital One, serving within the Technology & Data Risk Management organization. In her current role, Amna leads efforts in the Abstracted Compute security domain, with a focus on cloud-native technologies such as containers and serverless functions. She provides strategic guidance on compute security risks and maintains oversight of teams leveraging these modern cloud capabilities.

Throughout her career, Amna has played a pivotal role in designing, implementing, and operationalizing enterprise-wide Application Security programs. She brings deep expertise in integrating scalable, automated security solutions into the software development lifecycle (SDLC), with a focus on enhancing both security posture and developer experience.

Beyond her technical work, Amna is passionate about mentoring emerging professionals and is deeply committed to fostering an inclusive, empowering environment for women pursuing careers in cybersecurity.

1. What sparked your interest in cybersecurity, and how did your degree in Management Information Systems shape the path you've taken?

At the University of Georgia (UGA), I studied Management Information Systems, which is a major that easily leads into cybersecurity as it bridges computer science and general business courses. In one of my cybersecurity classes, we worked on real-world case studies of cybersecurity at different companies each week. Our job was to act like consultants, find weaknesses in the company’s cybersecurity program, and suggest ways to make it stronger.

That class helped me understand the basics of cybersecurity, taught me how to think like a consultant, and showed me how to spot problems in a company’s digital security. I also got to meet and learn from professionals working in many different roles and companies. Seeing how fast and creative the cybersecurity field is really sparked my interest and made me want to learn more.

2. During your undergraduate years, you participated in multiple programs and internships with several top consulting firms - PwC, KPMG, Deloitte, and Protiviti. How did you find those opportunities and how did they contribute to your career path? What do you recommend for current college students who are interested in a career in cybersecurity? 

The Terry College of Business at UGA did a great job in giving students hands-on opportunities to learn about consulting. If I could give one piece of advice, it would be to get involved in clubs, committees, or organizations that connect to the career or field you want to pursue. For example, at UGA, the Society for Management Information Systems hosted weekly events where company representatives came to campus to talk with and network with students. I was also an ambassador for the business school, which helped me meet professionals and learn about different career paths. Getting involved on campus is one of the best ways to build connections and figure out what kind of work you enjoy. My internships in consulting also helped me see what I liked - and didn’t like - about different jobs.

3. Can you walk us through how you transitioned from building application security programs for Fortune 500 clients as a consultant to your current management role in technology risk at Capital One?

Application Security (AppSec), at its core, is about building security into each step of the System Development Lifecycle (SDLC) when developing an application, with a focus on the code layer of technology. As a consultant, I helped my clients assess software risk and establish programs and solutions that enabled them to develop and release secure applications. It was a natural transition to my current role, where I am still assessing risk and integrating security into the development process, but now focused on the cloud container, or infrastructure, layer of the technology stack. Containers are a way to package and run software consistently in the cloud.

Many of the same security principles apply from the code layer to the infrastructure layer, such as scanning for vulnerabilities, providing secure development guidance, and monitoring for risks. At Capital One, this means working with our in-house cloud runtime, cybersecurity, and developer experience teams to ensure containers are built, deployed, and run as securely as possible.

The key to transitioning to this role was having a strong understanding of the SDLC and DevSecOps, which means integrating security into every stage of software development and operations.

4. How does application security contribute to the overall safety of a product or organization?

Application security is extremely important for keeping both companies and their customers safe. For example, think about a hospital application that stores patient records. The code that runs that application needs to be rigorously tested from both a security and functionality perspective to operate effectively. Gaps in code security can contribute to major hacks and data breaches which compromise sensitive data that include names, addresses, and medical details. These hacks and breaches disrupt business operations. When that happens, it can cause huge problems: businesses can lose money, their reputation can be damaged, and they lose the trust of their customers. Because hacks have become very sophisticated over the years, it’s really important for software engineers to have a strong understanding of code security principles and controls in building applications and managing systems. This includes getting developer training, regularly testing their code through security testing processes, and monitoring their applications for suspicious behavior.

5. What skills or experiences do you believe are most important for the next generation of cybersecurity professionals to focus on?

I believe the next generation of cybersecurity professionals should focus on building both technical expertise and people skills. In my own career, I’ve learned that it’s not just about knowing how cybersecurity works - it’s also about being able to lead a team, work well with others, and explain technical ideas in a way that anyone can understand, including company executives who have limited time and must very quickly process high-level information. These soft skills, combined with technical cybersecurity concepts, will make you a strong and well-rounded professional.

A lot of people think you have to be an engineer or know how to code to work in cybersecurity, but that’s not the case and should not keep you from trying to pursue this field. There are many paths in cybersecurity. As a woman without a software engineering background, I’ve built my career by combining my technical understanding with strong communication and leadership skills.