
So You Want to be a Cybersecurity Professional? – Redux

At the end of last year I wrote a blog that proved to be my most popular yet, by several orders of magnitude. In So You Want to be a Cybersecurity Professional? I threw together some very high-level thoughts for those wishing to get into the field. However, it wasn’t until the last week or so that it occurred to me to question why this blog in particular resonated as it did.

On the assumption that it’s because there are literally thousands of people out there struggling to find their way into security, I figured I’d expand a little on the original.

With the proliferation of both certifications and University degrees, there are many avenues that attempt to fast-track cybersecurity careers. Add to this a ridiculous number of ‘new’ technologies all claiming to address a rapidly growing number of threats and regulatory compliance regimes, and you have a combination that could not be better planned to lead candidates to a career dead-end.

The new modus operandi for cybersecurity professionals seems to be: University degree > industry certifications > Technology. But if your ultimate goal is CSO/CISO, you have derailed yourself even before you start. I do not know one CSO/CISO who is primarily focused on technology …not any good ones anyway. It’s the people and processes that give technology context, not the other way around.

No course on the planet can teach you people and process; that’s something you must learn for yourself. In security, experience is key.

While technology is an indispensable aspect of security, the majority of the product and security vendors who say they are trying to help are actually causing enormous damage. In their mad rush to stake a claim to a piece of the multi-billion $/£/€/¥ security industry (and still growing), they are developing technologies so far removed from the basic principles as to be almost unrecognisable. Not only are these largely inappropriate to most businesses, they are far too fleeting and ethereal to ever be relied on as a career foundation.

While I assume most University degrees will cover the ages-old basics of governance, policy & procedure, risk management etc. (like the CISSP’s CBKs do), without a real-world understanding of their implementation you will never be able to put a technology into the context your clients or employer has the right to expect. Basically, you will be lost in a never-ending cycle of throwing technology after technology at something that could likely be fixed by adjusting the very business processes you’re trying to protect. Technology can only enhance what’s already working; it cannot fix what’s broken.

So where should new candidates start? I have no issue with University degrees or certifications, but from my own experience it was starting out at the most basic level that gave me the greatest foundation. From firewall and IDS administrator, to a stint in a 24x7 managed security service’s security operations centre, I received an education that has stood the test of time. Networking, protocols, secure architecture, system management, incident response / disaster recovery, and, just as important, the power of great paperwork. No-one appreciates a comprehensive set of procedures and standards as much as someone who has just taken down a client’s firewall.

For the next phase of my career I was, for want of a better word, lucky. PCI was just kicking off and the desperate shortage of QSAs meant it was relatively easy for me to become one and be thrown immediately in front of customers. I learned as much in the next year as I did in the preceding 5. Not technical stuff per se, though that was certainly part of it, but the soft skills necessary to provide a good service.

From that point forward I have stayed in consulting, as I am fully aware that is where both my interest and skill-set lie. I am not technical, never have been, so I’ll leave that up to others. I have also never wanted to be a high-level executive; that’s too far removed from anything I have ever enjoyed. What this means is, I already know a CISO role is very likely not in my future, and I’m absolutely fine with that.

I have my own thoughts on what a CISO is anyway.

I’m not saying that CSO/CISO needs to be your goal. If you’re quite happy managing firewalls, that’s great, but you absolutely have to know what your goal is or you’ll flounder around the edges of security, missing every boat that comes along.

So:

  1. If you want to be a CISO, remember that the vast majority of the CISO function is just a series of consulting projects designed to help the business meet its goals. The final aspect of a CSO’s job borders on politics, so that had better be what you want.
  2. If you love technology, great, but get an understanding of how your technology(ies) fit into the client’s business goals before trying to shove it down their throats. And jumping straight out of Uni into a technology start-up may seem like a good move, but only 1 in 1,000 companies make any difference. Be prepared to fail many times.
  3. If consulting is your thing, stay high-level and stay with the basics. Be the person that your clients come to to solve their challenges, regardless of who ends up performing the actual remediation. A Trusted Advisor is a very rare thing, and very few ever earn it.

Regardless of your career goal, the basics of security will never change, and you will only be at the top of your game when what you are doing benefits everyone involved.

Finally, a warning: if you think anyone other than those making a career out of it cares about security, you are mistaken. Not one, I repeat not ONE, of my clients actually cares about security; they care about things ranging from genuine concern for their customers to just money. Security is only, and will only ever be, a means to an end. It enables a business, it does not direct one. It’s these things that you cannot learn from school or from technology alone.

Get a mentor, one who has been where you are and is where you want to be. And never, I mean NEVER follow the money.

[If you liked this article, please share! Want more like it, subscribe!]


So You Want to be a Cybersecurity Professional?

Like almost everything else in my life (e.g. marriage, fatherhood), I became a cybersecurity professional with little to no planning. I was happily plodding along with zero direction, and even fewer qualifications, when an employer required me to get an MCSE in Windows NT.

In a very short time I realised that if I was looking at a computer my boss thought I was working, so being lazy, IT was the career for me! However, I did get bored, so when I received a call about my resume on Monster.com from a start-up cybersecurity company, I jumped at the chance. A little homework showed that security was the place to be in IT, even then, especially when the company consisted almost entirely of incredibly smart ex-NSA types.

This was in 2000.

In the 16 subsequent years I have gone from firewall admin, to managed service manager, to consultant, to manager of consultants, to self-employed. I have loved [almost] every minute of it. The funny thing is though, I have no passion for security per se, I just love helping others fix broken stuff. Especially processes.

There is a LOT of work out there.

So my first piece of advice: decide why you want to be a cybersecurity professional in the first place. If it’s just for the money, move on to something else; you’re not welcome here. Having performed the Keirsey Temperament test on 30-odd security consultants across the globe, it was clear that certain characteristics are dominant in their type (ESTJ). Bottom line: they actually care, and they are:

  • Highly social and community minded;
  • Generous with their time and energy;
  • Hard working; and
  • Friendly and talk easily to others.

That’s not to say others can’t do well (I’m an INTJ for example), but you have to know yourself before you know what aspect of security would suit you best. Follow the money, or choose something for which you are not suited, and you will likely fail.

Then Bear These Things in Mind…

  1. Qualifications: A degree in cybersecurity should not be seen as a pre-requisite, as certifications are almost as good, and neither of these things can trump experience. Regardless of your qualifications, you will start at the bottom, and there is no better place to learn. Make the most of it.
  2. Specialise or Generalise: You’ll need to decide very quickly which you’re going to be: Specialist, or Generalist. You cannot be both; there are just too many aspects of cybersecurity. Medicine, law, engineering, and a whole host of other careers are the same: you must find what suits you best.
  3. Learn the Basics: Jumping straight into a career in User and Entity Behavior Analytics (UEBA) or Intelligence-Driven Security Operations Center Orchestration Solutions (whatever the hell that is) may be tempting, but you are not doing your career, or more importantly, your clients, any favours. From Confidentiality, Integrity & Availability, to Risk Assessment, Asset Management, to Policy & Procedure, the basics have never, and will never, change. Whenever you find yourself stuck, only the basics can give you a clear way forward.
  4. Choose a Camp: Unfortunately most cybersecurity professionals tend to fall into one of two camps: 1) those focused primarily on Technology, and 2) those focused primarily on People and Process. These are two distinct skill-sets, so know which you are, and make sure you pair up with a counterpart.
  5. Ask for Help: I got where I am without a mentor as such, but I most certainly didn’t get here without a LOT of help. Nor would I be able to stay here without the constant support of my peers. If there’s one thing I love about cybersecurity professionals it’s their generosity and desire to help. So join your local chapter of ISC2, ISACA and / or ISSA and start talking to people. Use mentors too if you can, as while I have few regrets in my career path, not having a mentor is one of them.

Without question, a career in cybersecurity can be very rewarding, both in personal achievement and financial terms. It can also chew you up and spit you out if you’re not careful.

In the end, cybersecurity will give as much back as you put in, there are no shortcuts.



Cybersecurity Recruiters, The Gauntlet Is Thrown!

Anyone in the cybersecurity field who spends any time on LinkedIn will see numerous recruiters vying for their attention. You will also see numerous complaints from cybersecurity professionals about how those recruiters conduct their business. Unfortunately, recruiting as a profession is becoming a stigma.

But why is this happening? The profession itself is a critical one, and done well it is of tremendous value to any professional’s career. These partnerships can, and should, last a lifetime, yet the majority of recruiters I’ve come across these days are nothing short of used car salesmen.

But if you can find a good one!… Who else can put so many opportunities in front of you when you’re too busy doing your day job? Who else can talk you up to the RIGHT people before they even see your CV? In other words, who else can help you in your career as much as a really good recruiter? Even mentors rarely have as much influence.

So What is a ‘Good Recruiter’?

While this is becoming more and more an oxymoron, it’s really quite simple from a candidate’s perspective:

  1. Do not approach me with a job in mind. At least not out of the gate. You have no idea what I’m looking for, or even if I’m open to conversations. The positions you’re trying to fill are your problem, not mine. Instead, approach me with a request to talk. If I’m not willing to talk I’ll let you know, politely, and waste no more of your time. If you don’t start the partnership with MY interests first and foremost, we’ll have little to discuss. Besides, to provide good service to your clients, you need to know if I’ll be a good fit. For example, trying to place me in a position that requires extreme tact and diplomacy will likely not go well.
  2. Do your HOMEWORK! There are few things more irritating than: “I read your LinkedIn profile and think you’d be a perfect fit for…” If you had actually read my profile, you would know that I’m not at the beginning of my career looking for a Security Analyst position in Abu Dhabi starting at AED140K. If you want to start handling more senior placements, don’t treat potential candidates with such discourtesy. You get one shot at this, if that.
  3. Assume you may never place me, but call me anyway. Recruiting, like sales, is all about relationships, and EVERY relationship pays off in some way. Maybe not directly, but going from one ‘kill’ to the next will set you up for eventual failure. Deservedly so. Senior candidates may place infrequently, but they usually know lots of other people. Recruiting is as much about networking as it is direct contact. That’s why I call this a partnership: I can help you too.
  4. Stay in touch. Any recruiter who stops calling / emailing me just because a job placement falls through will not get a second chance. And any recruiter (or employer for that matter) who stops calling hoping you’ll ‘get the hint’ is a coward and extraordinarily unprofessional. Communicate. Hell, over-communicate, but keep your candidates in the loop; there’s always a next time.
  5. Be proud of what you do. How many people have you connected with on LinkedIn who have titles like ‘Security Consultant’ and turn out to be recruiters? At least half of the invites I receive from recruiters are hidden behind some other title. In Peter Smith’s “Why do we hate (our own) sales people?”, he used an excellent phrase: “If a person is worried about having sales in their job title, then they probably do not have the right DNA.” This applies every bit as much to recruiters. Take pride in your profession; you are needed.

The Challenge

I now throw down the gauntlet to all recruiters specialising in senior cybersecurity placements. While I am not actively looking for a move, I am open to any conversation. I have my own business, so short/long-term contract work is best, but I will not disregard full-time gigs if the opportunity is right. Please reach out.

But what I’m really looking for is great recruiters. I have a hard time believing that there is such a deficit of cybersecurity talent; I just don’t think employers are asking the right questions. There are many junior security folk out there who need help, and I am going to make it one of my goals to put them in touch with recruiters I trust and respect.

First I have to find them.

To end this blog on a crappy analogy: in Jerry Maguire there are two types of sports agent: 1) scumbag agent Bob, who cares nothing for anyone, and 2) equally slick, but with a heart of gold, Jerry.

Be Jerry.


Social Media Is Killing Customer Service

In a truly stunning service provider fail, I was without Internet access at home for 14 straight days. FOURTEEN DAYS!! But at least my service provider responded promptly on social media.

I won’t tell you who my provider is [virgin media cough], but as someone who works from home, not having Internet is a severe liability. I also happen to work in Internet security, so the vast majority of my day is spent faffing around online. At least my data was safe I guess.

It’s not so much that I was without access for so long, bad things happen, it’s that I STILL don’t know why! To be told every day that it’s a “known fault” and that it will be “resolved by 2PM tomorrow” makes an utter mockery of customer service. Not once did they update their site with an outage statement, not once did they call us with updates, and not once did they tell us what the issue was.

For God’s sake, my next door neighbour had Internet access from the same provider! Literally, next door, I’m at 45, they’re at 47.

Enough background, now to my real issue: while their actual customer service left a lot to be desired, their social media department was totally on the ball. And no, that’s not a good thing. About 30 seconds after we Tweeted about the disgraceful service, their rep was back to us, apologetic and full of concern.

What’s wrong with that you might ask? Well…

  1. They had no access to our account, so they could not even speak to the issue;
  2. They had no access to tech support to find out what was actually wrong;
  3. Once they realised they were making things worse they referred me to their utterly pointless Code of Practice;
  4. They kept no record of their previous contact, so every subsequent bad Tweet was followed by the exact same conversation; and
  5. Zero follow-up, zero accountability.

Bottom line: customer service over social media is nothing more than an attempt to protect their online image. At no point was this ever an attempt to actually help.

Customer Service is both an art and a science, and is one of the few competitive advantages left in the digital world. It should be pro-active, an extension of an organisation’s values, and absolutely cannot be faked. Most people I know would stick with a lesser product / service if they believed their provider actually cared.

I have never understood the visceral resistance to admitting that you’ve messed up. It’s akin to one of my favourite lines in The Dark Knight when the Joker says: “You know what I’ve noticed? Nobody panics when things go ‘according to plan.’ Even if the plan is horrifying! If, tomorrow, I tell the press that, like, a gang banger will get shot, or a truckload of soldiers will be blown up, nobody panics, because it’s all ‘part of the plan.’”

In this case, all my service provider had to do was tell me the minute they knew there was a problem, which was 4 days before the line went down. Then, if they had just kept me pro-actively informed on progress, I would have only been disappointed, not angry. Of course, it would have been great if they had offered to provide a temporary alternative, like a MiFi for example, but this was not necessary. They would have made a loss on the month, but they would have earned years of my loyalty.

As things are today, I will not only leave my current provider as soon as there is a viable alternative, but I will actively dissuade anyone from using them.

Social media is a critical aspect of customer service, but only if these two things are seen as intrinsic components of the right corporate values. If not, you’re just pandering, and I for one will not be pandered to.


The Next Best Thing to Innovation?

…is the appearance of innovation.

Well, it certainly seems that way: Can’t sell services over the Internet? Call them The Cloud. Can’t sell Risk Assessments and Vulnerability Management? Call it Operational Resilience. Can’t sell data management and access control on mobile? Call it BYOD.

When it becomes clear that there is no-where left to go with your existing product or service, the appearance of innovation seems to be the go-to place for institutions staring down the barrel of obsolescence. Instead of working on their customer service, value-adds, or – God forbid – actually improving their offerings, too many organisations resort to smoke and mirrors to stay competitive.

And the worst part? We let them.

The payments sector is the perfect target for this blog, especially given the fact that I know little else. Take these two examples from the last few months: There’s a New Way to Pay With a Selfie, and TD, MasterCard and Nymi Pilot Heartbeat-Authenticated Contactless Payments.

Where is the innovation here? We’ve had biometrics for years. The only thing new is the ability to actually bring the biometrics to bear, which is an advance in mobile technology, not payments. The payment itself hasn’t changed: we’re still stuck with the same primary account number (PAN) being used by the same intermediaries (Acquirer, Issuer & Card Scheme), over the same systems we’ve had for decades. Even if you build tokenisation into these systems, the tokens are still mapped back to a PAN in the back-end somewhere.

If you accept that a payment is just a transfer of value from one place to another, true innovation must involve the complete disintermediation of almost every player in the current ecosystem except the banks. Sure, there can be service provider intermediaries, but they will be providing true benefits to consumers and banks alike in the fields of identity management / authentication, anti-fraud, customer service, loyalty and reward programs, ratings and reviews, big data analytics and a host of other services of which I can barely conceive.

To be worthy of the term ‘innovative’, any service or product offering must have the following attributes:

  1. Be of practical use, and not just theoretical
  2. Provide long-lasting benefit to all stakeholders
  3. Cannot knowingly stifle or exclude competition

For payments, there are a few more:

  1. Be available to the largest portion of the population possible (including those with disabilities)
  2. Be frictionless to the average consumer, or better yet, invisible
  3. Maintain appropriate confidentiality, integrity and availability of all underlying sensitive data, to meet – or exceed – all current legislation, regulation and best practices

Not one, or even ALL, of these things at once should be too much to ask, but it’s never that simple. There will always be those existing players whose power and position can make some of these requirements all but impossible for newcomers. And the newcomers rarely do themselves any favours: disruptive innovation, competitive advantage, and blatant greed all prevent true innovation from reaching the mainstream.

In payments, like most industry sectors, collaboration is the key to significant and beneficial change, and in a market worth tens of TRILLIONS of £/€/$, I would have thought there was enough to go around.