Cybersecurity Professionals: Don’t Change by Not Changing at All

Yes, I stole this line from Pearl Jam’s 1993 song, ‘Elderly Woman Behind the Counter in a Small Town’. But in my defence, I have always loved the line and I did wait for almost a quarter of a century before I stole it.

The very simple, yet extraordinarily powerful message is one that applies equally to your personal and professional lives. Though I for one have never believed that you can keep your work and home life separate. They overlap in just too many ways. We used to have communities to fulfil our Maslow’s sense of belonging, now we have the companies we work for. We used to derive our sense of self-worth from taking care of our families, now it’s from a big annual bonus, a cheap award, or worse, a title.

But I digress. Already.

In a previous blog, So You Want to be a Cybersecurity Professional, I posited that you really only have 2 career choices: 1) specialise, or 2) generalise. “You cannot be both, there are just too many aspects of cybersecurity. Medicine, law, engineering, and a whole host of other careers are the same, you must find what suits you best.”

Unfortunately, if you’re not careful, both of these choices have a significant downside; if your knowledge stands still, your skill-set will become obsolete. As technology continues to advance, and the corresponding social issues (privacy for example) become more complicated, cybersecurity professionals have to adapt to an ever-changing array of requirements. While I find the vast majority of job descriptions ridiculous in the extreme, you only have to look at what employers are asking for to see the writing on the wall.

In Europe, for example, if you can’t speak at least relatively competently about technology issues as they relate to the GDPR or even PSD2, you are not setting yourself apart. Not in a good way at least. And if you are not adapting to the current cycle of distributed processing (i.e. The Cloud, containers, FaaS and so on), then your ability to administer physical assets is not likely to take you as far as you’d like.

I have never hidden my disdain for our over-reliance on IT/IS certifications. But even I find myself back in the study/test cycle in an attempt to render my skill-set a little more relevant. I have signed up for both the Certified Information Privacy Technologist (CIPT) and the Certified Information Privacy Professional / Europe (CIPP/E) in an attempt to make my individual ‘service offerings’ more attractive. I’m not saying that the certs will do that by themselves, you have to actually read the regulations to which they refer, but it’s a start. So is talking to people in related fields.

I would say that it’s the specialist career which is actually the most at risk, especially given the ridiculous number of ‘new’ technologies that have hit the market. Almost on a daily basis it seems. Tie yourself to one of these ‘acronyms’ and it’s unlikely you’ll be relevant for more than a year or so. Unfortunately, cybersecurity is not so much an evolution of responsible services, it’s a cycle of vendor-defined demand generation predicated on buzz-words and F.U.D.

Perhaps I’m only seeing all this from my own ‘generic’ and slightly jaded perspective. I have largely removed myself from individual security technologies to focus on the basics. While the basics (or as I call them, the Core Concepts) of security will never change, even these need to be refreshed in light of evolving business needs and priorities.

In the end I think a lot of our problem in cybersecurity is that we think we’re a department alone. I believe we are the exact opposite: we are the ones who need to be in on everything. After all, are not data assets the crown jewels of most organisations?

With that in mind, here’s how to embrace change:

  1. Read – Most of us subscribe to things of direct interest, but few of us subscribe to things outside of that limited sphere. Like it or not, IT and IS departments are only there to enable, so you need to know what impacts other departments like finance and legal if you want to stay ahead of the game;
  2. Talk to People – Probably the hardest one for me, but IT and IS do not exist in a vacuum. What scares the crap out of all the other departments? You’ll find out eventually, don’t let it be the hard way;
  3. Training & Certification – While you don’t need to go the whole hog and collect another almost meaningless acronym, at least get yourself trained by an expert in something with which you are currently unfamiliar. GDPR for example, or PSD2 if you’re in the payments space, or even PCI if you’re really desperate;
  4. Self Reflection – Unless you’re one of the lucky ones who’s in a career they chose, you likely found your way into cybersecurity by accident. Or in my case, a comedy of errors. This does not mean it can’t be a perfect fit, you just have to be extra aware of your talents and skills to not find yourself in a position for which you are wholly unsuited;
  5. Find a Mentor – This does not mean you have to get a hands-on mentor, even following a person whom you respect on LinkedIn is a good thing. Find someone(s) who are where you want to be, they’ve already made a lot of the decisions you are going to face.

History is full of people who could not imagine becoming obsolete. I’m going to go out on a limb and say that these people ended up with significant regret.

4 thoughts on “Cybersecurity Professionals: Don’t Change by Not Changing at All”

  1. In my opinion you’ve nailed it when you talk about basics. All of the fancy jargon and new technology means nothing if you are not scanning, patching, doing user access reviews, implementing strong change control, etc. Sadly, in my profession, I see a lack of understanding for why these controls are needed and in some cases, aggression and anger that I push for them. Basic security principles are not sexy, however, they are the core foundation of any good security and compliance program. If I could wave a magic wand and change the thinking of business leaders on any subject, it would be this. Forget the newest and latest toys and sales brochures and think about boring common sense good security practices for your particular environment.

  2. Great post as usual David.

    In terms of specialisation, as you’ve alluded, it is suicidal to only play the market game, but yes, take note of the latest buzzwords. The exception is “Machine Learning” – don’t take note of that until someone with an IT background explains the developments in the field, in which infosec capabilities AI developments can help us, and how. There are LOTS of articles that make a sternly worded “if you don’t get on the ML bus, you’ll get left behind” but the authors don’t give us any clues as to the basis of their claim – it’s almost as if they’re just trying to get attention. I did say “almost” – of course nobody would ever do that in this field.

    The basic building blocks of security haven’t changed in three decades. So the aspiring professional should learn TCP/IP, find their way around firewalls and operating systems. Then understand something about hacking and pen testing, application security. “Cloud” is built on this stuff. “IoT” is built on this stuff, etc.

    If an infosec pro knows the building blocks, she can easily move into whatever personal agenda of a new specialisation is created.

    I wrote a piece about WannaCry recently and firewall configs. It got little attention because of the use of the word “firewall” in the title. But it’s clear that organisations are exposing SMB ports to the Internet, otherwise WannaCry wouldn’t be so widespread. Infosec pros in 2017 don’t know firewalls, or their advice is being ignored – probably a bit of both. Compare with this an article about Vulnerability Management and PaaS/SaaS – it got LOTS of attention.

If you think I'm wrong, please tell me why!