Kelly Onu is an award-winning cybersecurity consultant at Ernst & Young, where she leads secure-by-design and AI-driven threat detection strategies for global clients.
She has been recognised as one of IEEE’s Top 30 Early Career Professionals. Kelly actively mentors emerging talent and serves on non-profit boards advancing diversity in cybersecurity.
How did you land your current role? Was it planned?
My journey into cybersecurity wasn’t exactly mapped out—it was ignited by a pivotal course I took during my third year at university: Ethical Hacking. That class was my first real introduction to the world of offensive security and the intricate ways systems and networks communicate. It lit a spark that hasn’t gone out since. I found myself staying up late, experimenting with open-source lab environments, exploring penetration testing tools, and devouring knowledge beyond the classroom curriculum.
After earning my undergraduate degree in Information Technology, I was intentional about gaining a broad base of experience across the cybersecurity spectrum. I gravitated toward consulting, where I was fortunate to work on projects involving application security, cloud security, and vulnerability management. My goal was always to understand how different security domains fit together before specializing. Today, as a Senior Cybersecurity Consultant at a Big Four firm, I help organizations design secure software development pipelines that are secure by design and secure by default. Getting to this point took years of hands-on experience, continuous upskilling, and a willingness to say yes to challenges that initially intimidated me.
What are the key roles in cybersecurity, and why did you choose your current specialisation?
Cybersecurity is an incredibly broad field, encompassing everything from risk management and compliance to penetration testing, security engineering, data privacy, and threat intelligence. When I first entered consulting, I didn’t have a clear sense of which specialty I wanted to pursue. That ambiguity actually became an advantage as it allowed me to explore different areas and gain hands-on exposure to various aspects of the security ecosystem.
One of my earliest projects involved quality assurance (QA) automation within a development team. Initially, I was focused on writing test scripts, but then I was invited to participate in an application security testing task. That was my first real encounter with secure code analysis, and it immediately caught my interest. I began diving into the OWASP Top 10, earned my Security+
certification, and became increasingly fascinated by how secure coding practices could be embedded into the development lifecycle.
Over time, this evolved into a clear passion for DevSecOps—an approach that integrates security into every phase of software development. I ultimately chose DevSecOps because I experienced firsthand the tangible impact of proactively embedding security, helping some of the world’s largest organisations prevent data breaches before they ever occur.
What are you most proud of in your career so far?
Being named one of IEEE Computer Society’s Top 30 Early Career Professionals in 2024 was a major milestone for me. It represented more than just an accolade—it was recognition of years of hard work, continuous learning, and resilience. The contributions I’ve made in secure software development and the application of AI to detect emerging threats have had tangible, real-world impact, and that’s something I’m deeply proud of.
Equally fulfilling has been my commitment to mentoring the next generation of cybersecurity professionals. I’ve had the privilege of guiding students into their first internships and supporting career switchers as they navigate their entry into security roles. Knowing that my journey can inspire and enable others, especially those from underrepresented communities, is incredibly rewarding. Today, only about 20% of the cybersecurity workforce is made up of women, and increasing that number is part of my personal mission. I’m dedicated to helping others see
themselves in this field and thrive in it.
What does an average workday look like for you?
As a consultant, no two days are exactly alike which is one of the things I love most about my job. Mornings usually begin with client calls to align on project milestones, review progress, or tackle any blockers. From there, I focus on technical tasks like defining security requirements, facilitating proof-of-concept implementations, or integrating tools for secure software delivery.
Afternoons are typically reserved for deep technical work like analysing vulnerability reports, or preparing executive-level project status briefings. I also spend time documenting our processes,
creating runbooks and guides to ensure clients can maintain their security posture long after our engagement ends. Since my role is client-facing, I wear multiple hats: engineer, advisor, project
manager, and sometimes coach. I work in a dynamic, fast-paced environment that constantly stretches me to grow both technically and professionally.
Are there specific skills or traits companies look for in your field?
A strong foundation in security concepts is essential, which is why I always recommend entry-level certifications like the ISC2 Certified in Cybersecurity (CC) or CompTIA Security+ for those starting out. These certifications help you build credibility and give employers confidence in your baseline knowledge.
But beyond certifications, companies are increasingly looking for initiative and hands-on experience. Demonstrating your skills and projects you’ve worked on on GitHub, technical blog posts, or walkthroughs of labs you’ve completed shows that you’re applying knowledge in real-world scenarios. I always advise aspiring professionals to build home labs, experiment with tools like Kali Linux, and participate in Capture the Flag (CTF) competitions or hackathons to gain real-world experience.
Has the tech sector supported your growth, or have you faced resistance?
I’ve been fortunate to work in environments that value growth and invest in their people. My company has supported my attendance at multiple industry conferences, provided access to cutting-edge training programs, and encouraged me to explore my interest in the intersection of AI and cybersecurity. These opportunities have accelerated my career development and positioned me to contribute to the cybersecurity field at a higher level.
I’ve also benefited greatly from the broader cybersecurity community. Organizations like Women in CyberSecurity (WiCyS), Women in Cloud, and ISC2 have provided invaluable resources like mentorship programs, learning series & workshops and scholarships. These communities create spaces where women and other underrepresented professionals can learn, collaborate, and feel
supported.
Have you faced insecurities or imposter syndrome in your career?
Yes. In the early stages of my career, I often found myself in rooms where I was the only woman. Despite having the qualifications and a strong work ethic, I constantly questioned whether I truly belonged. That internal doubt, known as imposter syndrome, was something I battled regularly.
What helped me overcome it was building a strong network of mentors who affirmed my value and encouraged me to stay the course. I also focused on skill-building because there’s power in
knowing that you know your stuff. Over time, I learned to own my voice, stop minimising my contributions, and show up with confidence.
What advice would you give someone feeling overwhelmed as they enter the tech industry?
First and foremost: breathe. The tech industry moves very fast, and it’s easy to feel like you’re constantly playing catch-up. But remember, you don’t need to know everything at once. This journey is about steady growth, not instant mastery. I’ve learned that ambition is a beautiful thing, but ambition without balance can lead to burnout.
You can start small and remain consistent. Take on side projects that excite you. Join local or online communities, attend industry networking events, and don’t be afraid to ask for help. Every
expert you admire was once a beginner. You have time to grow, and there’s space in this industry for you to make your mark.
What advice would you give other women wanting to reach their goals in tech?
Don’t let anyone place limits on what you can achieve. Early in my career, a manager told me I wouldn’t make it in cybersecurity because I didn’t have prior experience in the field. If I had internalised that, I wouldn’t be where I am today. Your path is your own—and your lived experiences are assets, not obstacles.
Surround yourself with people who see your potential and want to see you succeed. Seek out mentors and allies who are invested in your growth. Community is one of the most powerful
tools in tech that can open doors of opportunities and help you push through moments of doubt.
