In addition to her stellar work to ensure application and cloud security for clients across industries, Kelly Onu works to secure technology’s future by mentoring ambitious students and young professionals from all walks of life.
Onu’s own experiences as a mentee helped her to sharpen her technical expertise, navigate challenges, and develop as a leader.
Today, she pays those benefits forward through active involvement in organizations such as IEEE, Women in Security and Privacy, and the International Information System Security Certification Consortium.
In addition to her work as an AppSec consultant, Onu serves on TechShift’s Board of Directors and is a host of the IEEE WIE STEM podcast. She is also one of Computing’s Top 30 Early Career Professionals for 2024.
In the following Q&A, Onu describes
- How she began her advocacy work for inclusion in STEM early in her education, including serving on the board of Women in Computer Science while a student at Florida International University.
- The proactive measures she implemented at Sage Software to strengthen the company’s immediate security and build long-term resilience.
- How introducing real-time monitoring of exposed secrets on a client’s application-security project significantly reduced data leak risks—and set the client up for a high-profile merger with a global financial services company.
- The surprising source of her biggest career-defining moments and why she continues to learn, adapt, upskill, and pursue certifications.
How did the Student Government Association Residential Scholarship support your academic journey, and what were some key achievements during your time at Florida International University (FIU)?
Receiving that scholarship at FIU was a game-changer for me. As an international student, it helped ease the financial pressure on my parents, allowing me to focus on both academics and extracurriculars.
At FIU, I fully embraced leadership and community-building, particularly in tech spaces. I served on executive boards, including Women in Computer Science, where I worked to create a more inclusive environment for women in STEM. From organizing hackathons to connecting students with industry opportunities, I was passionate about making tech more accessible.
I was also inducted into Upsilon Pi Epsilon (UPE), the computing honor society, in recognition of my academic performance and contributions to the field. More than anything, my time at FIU strengthened my leadership skills, deepened my passion for technology, and reinforced my commitment to advocating for underrepresented groups in STEM.
What contributions led to your team winning the Most Valuable Team (Application Security) award at Sage Software?
While working in application security at Sage Software, I was responsible for securing over 10 products used by small and medium-sized businesses for financial management. It was a fast-paced role that required balancing security with business needs.
One of the defining moments that led to our team receiving the Most Valuable Team award was our response to the Log4j vulnerability. When the Log4j zero-day was disclosed, my team and I quickly assessed our exposure, identified affected products, and led mitigation efforts. I worked closely with developers to implement secure coding practices while ensuring minimal disruption to customers.
Beyond incident response, we also introduced automated security checks in our continuous integration/continuous delivery (CI/CD) pipelines, preventing insecure code from being deployed. These proactive measures not only strengthened Sage’s security posture but also built long-term resilience against future threats.
What projects or initiatives led to your multiple Bravo Awards at Ernst & Young (2022–2024)?
I’ve had the privilege of receiving multiple Bravo Awards at EY, recognizing my contributions to key cybersecurity initiatives that strengthened clients’ security postures and drove long-term change.
One of my most impactful projects was leading the Secure by Design program for a biotechnology company. I helped integrate security into the product development lifecycle—ensuring vulnerabilities were addressed early, rather than patched at the last minute. By collaborating closely with developers, we embedded security controls that protected sensitive research data without slowing down innovation.
Another major initiative was an application security transformation project, where I spearheaded the implementation of automated security vulnerability detection. We introduced real-time monitoring for exposed secrets (e.g., API keys, credentials), significantly reducing the risk of data leaks. This work became even more critical during a high-profile merger, ensuring the organization met the security expectations of its new parent company, a global financial services firm.
Reflecting on your career journey, what key lessons have shaped your approach to cybersecurity?
My academic and professional journeys have taught me several invaluable lessons:
- Mentorship is everything. Learning from experienced professionals has helped me navigate challenges, refine my technical expertise, and develop leadership skills.
- Challenges fuel growth. Some of my biggest career-defining moments came from tackling complex security problems, whether addressing AI governance risks or automating security processes.
- Continuous learning is non-negotiable. Cybersecurity evolves rapidly, and staying ahead means constantly upskilling. I recently completed an LLM security course from EC-Council and am now studying for AWS Certified AI Practitioner—because adapting is key to staying relevant.
- Give back to move forward. Mentoring and volunteering with cybersecurity nonprofits have been some of the most rewarding aspects of my career. Creating opportunities for others—whether through scholarships, career coaching, or advocacy—makes a lasting impact.
What advice would you give to those entering cybersecurity?
When I started in cybersecurity, I thought it was all about hacking and penetration testing. I quickly learned it’s much broader—covering everything from cloud security to risk management to AI governance.
I suggest you consider the following:
- Start with the fundamentals. Build a solid understanding of security principles. Platforms like Cybrary and LinkedIn Learning are great for beginners, and hands-on labs (e.g., Hack The Box, TryHackMe) make learning practical.
- Certifications help. CompTIA Security+ was my first, and it gave me the confidence to break into the field. If you’re just starting, ISC2’s Certified in Cybersecurity (CC) is another great entry-level cert.
- Never stop learning. The industry evolves fast—AI, automation, and cloud security are transforming the landscape. I’ve had to continuously adapt, from taking an LLM security course to pursuing AWS AI certification.
- Network, network, network. Conferences, local meetups, and industry events like the ISC2 and ISACA gatherings have been instrumental in my growth. Relationships matter in cybersecurity—mentorship and community can open doors you never expected.
How have you contributed to developing security frameworks, and why are they essential?</p>
Security frameworks provide a structured approach to managing risks, ensuring compliance, and establishing resilience. Organizations—especially those with lower security maturity—struggle without clear guidelines, making frameworks critical for long-term protection.
One of my most impactful contributions was during my master’s at Georgia Tech, where I developed a software supply chain security framework. Inspired by the SolarWinds attack, I focused on improving third-party risk management and increasing visibility into software dependencies.
More recently, I contributed to AI security frameworks, including the Cloud Security Alliance’s AI Organizational Responsibilities Guide and the Agentic AI Red Teaming Guide. With AI adoption skyrocketing, these frameworks help organizations assess risks, define security responsibilities, and implement red-teaming techniques to mitigate threats before exploitation.
What are the key messages you aim to convey as a speaker at conferences and in training sessions?
I focus on two things: relatability and actionability.
Whether I’m talking about my cybersecurity journey or leading a DevSecOps demo, I want my audience to walk away with practical takeaways. To keep my sessions engaging, I focus on three things:
- Using real-life examples. I make security concepts relatable by tying them to everyday scenarios.
- Fostering two-way conversations. Instead of one-sided lectures, I encourage Q&A, discussions, and interactive polls.
- Staying current. I practice multiple times, incorporate feedback from peers, and refine my presentations to align with industry trends.
How do you stay engaged with cybersecurity communities like ISC2 and ISACA?
Giving back has always been important to me. Through ISC2, ISACA, and Women in Security and Privacy (WISP), I mentor aspiring cybersecurity professionals, advocate for diversity, and help create opportunities for underrepresented groups.
With women making up less than 24% of the cybersecurity workforce, representation and retention are ongoing challenges. I use my platform to push for more inclusive hiring, support scholarships, and provide career development resources.
I’m also involved with IEEE Women in Engineering (WIE), TechShift Alliance, and various cybersecurity nonprofits. My goal is simple: to create pathways for more people to enter and thrive in cybersecurity.
Cybersecurity is about community and, by working together, we can build a more diverse and resilient industry.
Bio: Kelly Onu
Kelly Onu is a cybersecurity engineer with more than seven years of experience securing applications, cloud environments, and software supply chains across industries. She has led high-impact projects that fortify enterprise security, drive automation, and enhance resilience against emerging threats.
Beyond her professional work, Onu is a passionate advocate for cybersecurity education and diversity, actively contributing to organizations such as IEEE, Women in Cybersecurity (WiCyS), ISACA, and International Information System Security Certification Consortium (ISC2). She is committed to mentoring the next generation of security professionals and shaping industry standards.
Onu holds a master’s degree in cybersecurity from the Georgia Institute of Technology and has earned prestigious recognitions for her work in application security, cloud security, and AI security frameworks.
Dig Deeper
To learn more about Onu and her work,
Over the next few months, Tech News will highlight different Top 30 honorees each week. For a full list, see Computing’s Top 30 Early Career Professionals for 2024.
To read more about how IEEE Computer Society supports our world and its innovative thinkers through funding, education, and activities, check out its other contributions to the computing community.
