Breach Vultures

To All the Breach Vultures: Better Get Your OWN House In Order!

[WARNING: Contains bad language.]

The 3 things I hate most about my chosen field of cybersecurity are, in no particular order:

  1. The proliferation of ‘silver bullet‘ / end-point protection technologies – when security is primarily concerned with people and process;
    o
  2. Security organisations using either F.U.D or regulatory compliance to make money without providing real benefit – with GDPR for example; and
    o
  3. Security ‘professionals’ who bad-mouth other security professionals at the lowest point in their careers – against Susan Mauldin for example.

In 4.5 years and close to 300 blogs I have never used the following words. But for those guilty of 3.;

Fuck you!

Seriously, how dare you!? Especially those who actually had the nerve to say Susan wasn’t qualified because she had a music degree and no other security related qualifications on her LinkedIn profile. Like certifications or even a degree are accurate representations of either a person’s skill-set, or their competence. I have no security relevant degrees, and my certifications were collected by reading a book and passing a pathetic multiple-choice test, but I will happily match my ABILITIES against anyone who does what I do.

More to the point, unless you actually work(ed) for the company that was just breached, you have no idea of what caused the breach in the first place. Yes, you can point to unpatched devices, and a host of other vulnerabilities POST-forensics, but you have NO idea of the business pressures the IS/IT teams were under. And if you think that should not matter, you’re not a true security professional.

I am in no way defending organisations that egregiously ignore security good practices just to increase profit. Nor am I defending the truly incompetent. But unless you have irrefutable evidence that either was the case, keep your opinions and reproaches to yourself. There is no such thing as 100% security, and there is no such thing as unlimited resources. The best you can ever hope for is that you have enough.

In security, a bad guy only has to be right once, security professionals have to be right ALL the time. Eventually we ALL make mistakes. Most of us are lucky, and our mistakes lead to nothing more than a minor event, but for some, the mistakes are career ending. Too often this is not because the people involved actually WERE incompetent, but because of the pressure to resign from the jerks who somehow think they are better. That the breach would not have happened under their watch.

Have you noticed though, that the people who are most critical and vitriolic tend to be mid-level no-bodies who will likely never make to the CISO level?

Do these people actually think that by taking cheap shots at the less fortunate that decent people won’t hate them for it. That Equifax and the other breach victims will suddenly reach out to them for help? That someone who has nothing better to do than kick someone while they’re down is just the kind of person they want on their team?

Let me ask you this: When was the last time you saw someone getting berated by his/her team for missing a penalty / field goal / you name it? You probably can’t remember, and why? BECAUSE THEY ARE ON THE SAME FUCKING TEAM!!

There are only 2 sides to cybersecurity; the good guys and the bad guys. Choose which side you’re on and stop being part of the problem.

[If you liked this article, please share! Want more like it, subscribe!]

Wishes

So You Want to be a Cybersecurity Professional? – Redux

At the end of last year I wrote a blog that proved to be my most popular yet, by several orders of magnitude. In So You Want to be a Cybersecurity Professional? I threw together some very high-level thoughts for those wishing to get into the field. However, it’s wasn’t until the last week or so that it occurred to me to question why this blog in particular resonated as it did.

On the assumption that it’s because there are literally thousands of people out there struggling to find their way into security, I figured I’d expand a little on the original.

With the proliferation of both certifications and U”niversity degrees, there are many avenues that attempt to fast-track cybersecurity careers. Add to this a ridiculous number of ‘new’ technologies all claiming to address a rapidly growing number of threats and regulatory compliance regimes, and you have a combination that could not be better planned to lead candidates to a career dead-end.

The new modus operandi for cybersecurity professionals seems to be; University degree > industry certifications > Technology. But if your ultimate goal is CSO/CISO you have derailed yourself even before you start. I do not know one CSO/CISO who is primarily focused on technology …not any good ones anyway. It’s the people and processes that give technology context, not the other way around.

No course on the planet can teach you people and process, that’s something you must to learn for yourself. In security, experience is key.

While technology is an indispensable aspect of security, the majority of the product and security vendors who say they are trying to help are actually causing enormous damage. In their mad rush to stake a claim to a piece of multi-billion $/£/€/¥ security industry (and still growing), they are developing technologies so far removed from the basic principles as to be almost unrecognisable. Not only are these largely inappropriate to most businesses, but far too fleeting and ethereal to ever be rely on as a career foundation.

While I assume most University degrees will cover the ages-old basics of governance, policy & procedure, risk management etc. (like the CISSP’s CBKs do), without a real-world understanding of their implementation you will never be able to put a technology into a context your clients or employer has the right to expect. Basically you will be lost in a never-ending cycle of throwing technology after technology at something that could likely be fixed by adjusting the very business processes you’re trying to protect. Technology can only enhance what’s already working, it cannot fix what’s broken.

So where should new candidates start? I have no issue with University degrees or certifications, but from my own experience it was starting out at the most basic level that gave me the greatest foundation. From firewall and IDS administrator, to a stint in a 24X7 managed security service security operations centre I received an education that has stood the test of time. Networking, protocols, secure architecture, system management, incident response / disaster recovery, and just as important; the power of great paperwork. There is no-one who appreciates a comprehensive set of procedures and standards as someone who has just taken down a client’s firewall.

For the next phase of my career I was, for want of a better word, lucky. PCI was just kicking off and the desperate shortage of QSAs meant it was relatively easy for me to become one and be thrown immediately in front of customers. I learned as much in the next year as I did in the preceding 5. Not technical stuff per se, though that was certainly part of it, but the soft skills necessary to provide a good service.

From that point forward I have stayed in consulting, as I am fully aware of that is where both my interest and skill-set lay. I am not technical, never have been, so I’ll leave that up to others. I have also never wanted to be a high-level executive, that’s too far removed from anything I have ever enjoyed. What this means is, I already know a CISO role is very likely not in my future, and I’m absolutely fine with that.

I have my own thoughts in what a CISO is anyway.

I’m not saying that CSO/CISO need be your goal, if you’re quite happy managing firewalls, that’s great, but you absolutely have to know what your goal is or you’ll flounder around the edges of security missing every boat that comes along.

So:

  1. If you want to be a CISO, remember that the vast majority of the CISO function is just a series of consulting projects designed to help the business meet its goals. The final aspect of a CSO’s job borders of politics, so that had better be what you want.
  2. If you love technology, great, but get an understanding of how your technology(ies) fits into the client’s business goals before trying to shove it down their throats. And jumping straight out of Uni into a technology start-up may seem like a good move, but only 1 in 1,000 companies make any difference. Be prepared to fail many times.
  3. If consulting is your thing, stay high-level and stay with the basics. Be the person that your clients come to to solve their challenges, regardless of who ends up performing the actual remediation. A Trusted Advisor is a very rare thing, and very few ever earn it.

Regardless of your career goal, the basics of security will never change, and you will only be at the top of your game when what you are doing benefits everyone involved.

Finally, a warning: if you think anyone other than those making a career out of it care about security, you are mistaken. Not one, I repeat not ONE of my clients actually cares about security, they care about things ranging from genuine concern for their customers to just money. Security is only, and will only ever be, a means to an end. It enables a business, it does not direct one. It’s these things that you cannot learn from school or from technology alone.

Get a mentor, one who has been where you are and is where you want to be. And never, I mean NEVER follow the money.

[If you liked this article, please share! Want more like it, subscribe!]

Cybersecurity Professional

So You Want to be a Cybersecurity Professional?

Like almost everything else in my life (e.g. marriage, fatherhood), I became a cybersecurity professional with little to no planning. I was happily plodding along with zero direction, and even less qualifications, when an employer required me to get an MCSE in Windows NT.

In a very short time I realised that if I was looking at a computer my boss thought I was working, so being lazy, IT was the career for me! However, I did get bored, so when I received a call about my resume on Monster.com from a start-up cybersecurity company, I jumped at the chance. A little homework showed that security was the place to be in IT, even then, especially when the company consisted almost entirely of incredibly smart ex-NSA types.

This was in 2000.

In the 16 subsequent years I have gone from firewall admin, to managed service manager, to consultant, to manager of consultants, to self-employed. I have loved [almost] every minute of it. The funny thing is though, I have no passion for security per se, I just love helping others fix broken stuff. Especially processes.

There is a LOT of work out there.

So my first piece of advice; decide why you want to be a cybersecurity professional in the first place. If it’s just for the money, move on to something else, you’re not welcome here. Having performed the Keirsey Temperament test on 30-odd security consultants across the globe, it was clear that certain characteristics are dominant in their type (ESTJ). Bottom line; they actually care, and they are:

  • Highly social and community minded;
  • Generous with their time and energy;
  • Hard working; and
  • Friendly and talk easily to others.

That’s not to say others can’t do well (I’m an INTJ for example), but you have to know yourself before you know what aspect of security would suit you best. Follow the money, or choose something for which you are not suited, and you will likely fail.

Then Bear These Things in Mind…

  1. Qualifications: A degree in cybersecurity should not be seen as a pre-requisite, as certifications are almost as much good, and neither of these things can trump experience. Regardless of your qualifications, you will start at the bottom, and there is no better place to learn. Make the most of it.
    o
  2. Specialise or Generalise: You’ll need to decide very quickly which you’re going to be; Specialist, or Generalist. You cannot be both, there are just too many aspects of cybersecurity. Medicine, law, engineering, and a whole host of other careers are the same, you must find what suits you best.
    o
  3. Learn the Basics: Jumping straight into a career in User and Entity Behavior Analytics (UEBA) or Intelligence-Driven Security Operations Center Orchestration Solutions (whatever the hell that is) may be tempting, but you are not doing your career, or more importantly, your clients, any favours. From Confidentiality, Integrity & Availability, to Risk Assessment, Asset Management, to Policy & Procedure, the basics have never, and will never change. Whenever you find yourself stuck, only the basics can give you a clear way forward.
    o
  4. Choose a Camp: Unfortunately most cybersecurity professionals tend to fall into one of two camps; 1) those focused primarily on Technology, and 2) those focused primarily on People and Process. These are two distinct skill-sets, so know which you are, and make sure you pair up with a counterpart.
    o
  5. Ask for Help: I got where I am without a mentor as such, but I most certainly didn’t get here without a LOT of help. Nor would I be able to stay here without the constant support of my peers. If there’s one thing I love about cybersecurity professionals it’s their generosity and desire to help. So join your local chapter of ISC2, ISACA and / or ISSA and start talking to people.
    Use mentors too if you can, as while I have few regrets in my career path, not having mentor is one of them.

Without question, a career in cybersecurity can be very rewarding, both in personal achievement and financial terms. It can also chew you up and spit you out if you’re not careful.

In the end, cybersecurity will give as much back as you put in, there are no shortcuts.

[If you liked this article, please share! Want more like it, subscribe!]