Wishes

So You Want to be a Cybersecurity Professional? – Redux

At the end of last year I wrote a blog that proved to be my most popular yet, by several orders of magnitude. In So You Want to be a Cybersecurity Professional? I threw together some very high-level thoughts for those wishing to get into the field. However, it’s wasn’t until the last week or so that it occurred to me to question why this blog in particular resonated as it did.

On the assumption that it’s because there are literally thousands of people out there struggling to find their way into security, I figured I’d expand a little on the original.

With the proliferation of both certifications and U”niversity degrees, there are many avenues that attempt to fast-track cybersecurity careers. Add to this a ridiculous number of ‘new’ technologies all claiming to address a rapidly growing number of threats and regulatory compliance regimes, and you have a combination that could not be better planned to lead candidates to a career dead-end.

The new modus operandi for cybersecurity professionals seems to be; University degree > industry certifications > Technology. But if your ultimate goal is CSO/CISO you have derailed yourself even before you start. I do not know one CSO/CISO who is primarily focused on technology …not any good ones anyway. It’s the people and processes that give technology context, not the other way around.

No course on the planet can teach you people and process, that’s something you must to learn for yourself. In security, experience is key.

While technology is an indispensable aspect of security, the majority of the product and security vendors who say they are trying to help are actually causing enormous damage. In their mad rush to stake a claim to a piece of multi-billion $/£/€/¥ security industry (and still growing), they are developing technologies so far removed from the basic principles as to be almost unrecognisable. Not only are these largely inappropriate to most businesses, but far too fleeting and ethereal to ever be rely on as a career foundation.

While I assume most University degrees will cover the ages-old basics of governance, policy & procedure, risk management etc. (like the CISSP’s CBKs do), without a real-world understanding of their implementation you will never be able to put a technology into a context your clients or employer has the right to expect. Basically you will be lost in a never-ending cycle of throwing technology after technology at something that could likely be fixed by adjusting the very business processes you’re trying to protect. Technology can only enhance what’s already working, it cannot fix what’s broken.

So where should new candidates start? I have no issue with University degrees or certifications, but from my own experience it was starting out at the most basic level that gave me the greatest foundation. From firewall and IDS administrator, to a stint in a 24X7 managed security service security operations centre I received an education that has stood the test of time. Networking, protocols, secure architecture, system management, incident response / disaster recovery, and just as important; the power of great paperwork. There is no-one who appreciates a comprehensive set of procedures and standards as someone who has just taken down a client’s firewall.

For the next phase of my career I was, for want of a better word, lucky. PCI was just kicking off and the desperate shortage of QSAs meant it was relatively easy for me to become one and be thrown immediately in front of customers. I learned as much in the next year as I did in the preceding 5. Not technical stuff per se, though that was certainly part of it, but the soft skills necessary to provide a good service.

From that point forward I have stayed in consulting, as I am fully aware of that is where both my interest and skill-set lay. I am not technical, never have been, so I’ll leave that up to others. I have also never wanted to be a high-level executive, that’s too far removed from anything I have ever enjoyed. What this means is, I already know a CISO role is very likely not in my future, and I’m absolutely fine with that.

I have my own thoughts in what a CISO is anyway.

I’m not saying that CSO/CISO need be your goal, if you’re quite happy managing firewalls, that’s great, but you absolutely have to know what your goal is or you’ll flounder around the edges of security missing every boat that comes along.

So:

  1. If you want to be a CISO, remember that the vast majority of the CISO function is just a series of consulting projects designed to help the business meet its goals. The final aspect of a CSO’s job borders of politics, so that had better be what you want.
  2. If you love technology, great, but get an understanding of how your technology(ies) fits into the client’s business goals before trying to shove it down their throats. And jumping straight out of Uni into a technology start-up may seem like a good move, but only 1 in 1,000 companies make any difference. Be prepared to fail many times.
  3. If consulting is your thing, stay high-level and stay with the basics. Be the person that your clients come to to solve their challenges, regardless of who ends up performing the actual remediation. A Trusted Advisor is a very rare thing, and very few ever earn it.

Regardless of your career goal, the basics of security will never change, and you will only be at the top of your game when what you are doing benefits everyone involved.

Finally, a warning: if you think anyone other than those making a career out of it care about security, you are mistaken. Not one, I repeat not ONE of my clients actually cares about security, they care about things ranging from genuine concern for their customers to just money. Security is only, and will only ever be, a means to an end. It enables a business, it does not direct one. It’s these things that you cannot learn from school or from technology alone.

Get a mentor, one who has been where you are and is where you want to be. And never, I mean NEVER follow the money.

[If you liked this article, please share! Want more like it, subscribe!]

Cybersecurity Professional

So You Want to be a Cybersecurity Professional?

Like almost everything else in my life (e.g. marriage, fatherhood), I became a cybersecurity professional with little to no planning. I was happily plodding along with zero direction, and even less qualifications, when an employer required me to get an MCSE in Windows NT.

In a very short time I realised that if I was looking at a computer my boss thought I was working, so being lazy, IT was the career for me! However, I did get bored, so when I received a call about my resume on Monster.com from a start-up cybersecurity company, I jumped at the chance. A little homework showed that security was the place to be in IT, even then, especially when the company consisted almost entirely of incredibly smart ex-NSA types.

This was in 2000.

In the 16 subsequent years I have gone from firewall admin, to managed service manager, to consultant, to manager of consultants, to self-employed. I have loved [almost] every minute of it. The funny thing is though, I have no passion for security per se, I just love helping others fix broken stuff. Especially processes.

There is a LOT of work out there.

So my first piece of advice; decide why you want to be a cybersecurity professional in the first place. If it’s just for the money, move on to something else, you’re not welcome here. Having performed the Keirsey Temperament test on 30-odd security consultants across the globe, it was clear that certain characteristics are dominant in their type (ESTJ). Bottom line; they actually care, and they are:

  • Highly social and community minded;
  • Generous with their time and energy;
  • Hard working; and
  • Friendly and talk easily to others.

That’s not to say others can’t do well (I’m an INTJ for example), but you have to know yourself before you know what aspect of security would suit you best. Follow the money, or choose something for which you are not suited, and you will likely fail.

Then Bear These Things in Mind…

  1. Qualifications: A degree in cybersecurity should not be seen as a pre-requisite, as certifications are almost as much good, and neither of these things can trump experience. Regardless of your qualifications, you will start at the bottom, and there is no better place to learn. Make the most of it.
    o
  2. Specialise or Generalise: You’ll need to decide very quickly which you’re going to be; Specialist, or Generalist. You cannot be both, there are just too many aspects of cybersecurity. Medicine, law, engineering, and a whole host of other careers are the same, you must find what suits you best.
    o
  3. Learn the Basics: Jumping straight into a career in User and Entity Behavior Analytics (UEBA) or Intelligence-Driven Security Operations Center Orchestration Solutions (whatever the hell that is) may be tempting, but you are not doing your career, or more importantly, your clients, any favours. From Confidentiality, Integrity & Availability, to Risk Assessment, Asset Management, to Policy & Procedure, the basics have never, and will never change. Whenever you find yourself stuck, only the basics can give you a clear way forward.
    o
  4. Choose a Camp: Unfortunately most cybersecurity professionals tend to fall into one of two camps; 1) those focused primarily on Technology, and 2) those focused primarily on People and Process. These are two distinct skill-sets, so know which you are, and make sure you pair up with a counterpart.
    o
  5. Ask for Help: I got where I am without a mentor as such, but I most certainly didn’t get here without a LOT of help. Nor would I be able to stay here without the constant support of my peers. If there’s one thing I love about cybersecurity professionals it’s their generosity and desire to help. So join your local chapter of ISC2, ISACA and / or ISSA and start talking to people.
    Use mentors too if you can, as while I have few regrets in my career path, not having mentor is one of them.

Without question, a career in cybersecurity can be very rewarding, both in personal achievement and financial terms. It can also chew you up and spit you out if you’re not careful.

In the end, cybersecurity will give as much back as you put in, there are no shortcuts.

[If you liked this article, please share! Want more like it, subscribe!]