My expertise is not necessarily laden in the land of career counseling, hiring standards, and education recommendations. However, anecdotally, coming into a cybersecurity career in an unorthodox manner and blossoming through passion and perseverance, this is the best advice I can offer.
First and foremost, we are past the days of the common refrain that “cybersecurity is not an IT problem, it is a business problem.” Instead we must understand that cybersecurity is a societal problem. And it is only once you immerse yourself in this dark world that you begin to see the binary light. You start to understand this when you evaluate the culture around your own experience as an information security professional.
Who Defines “Cybersecurity Career”?
Many ask what your job is. It could be your family, friends, stranger in the grocery store or when filling out a form with an ‘occupation’ field. There is a 50% chance that their eyes either glaze over, or they respond with something they heard on the media that has a slight relation to what you do. You most likely did not learn cyber terminology in elementary, middle school, high school, or even in some cases, college. Maybe you didn’t even study this initially at any level of education, and, while sauntering down your path of business, accounting, or law, you decided to jump on the roller coaster labeled “Want a Challenge?”
My point? We have a lack of foundation in which our industry lies. But rightfully so, as cybersecurity touches everyone as it is entangled through all facets of the markets, data, and global business and economic exchanges. Society is in awe of our technological advancements. Yet, every time a new profound product dog and pony show occurs, you can bet every security professional is shaking their head thinking, “Crap.”
The idea is, once we understand the common path of an InfoSec professional, from there we can impact fundamental change for the better. How?
- As a manager, are you constantly struggling to fill an analyst or risk role in your organization?
- As an employee, not in cybersecurity, do you feel the weight of liability as your annual training awareness and barrage of phishing emails follows you home and creates this incessant paranoia in your own personal life?
- As a business leader, are you concerned with juggling progress with disruption as your competitors or neighbors experience breaches?
- As a CISO, are you balancing between getting changes made, making your board happy, and avoiding the scapegoat paradigm in the instance of an incident?
- And as an InfoSec professional, while you are appreciative of the literal “job security”, you are frustrated with the lack of understanding and negative pattern of choices in the world surrounding you?
Once we nostalgically calculate the similarities in our journeys and recognize the need for change, then will this dog-eat-dog of a booming industry become less of a roller coaster ride and more of a tactically developed road?
Think of your career like earning badges as a scout. In my best efforts, I sat down and attempted to construct what this path would consist of based upon my own experience and the witnessing of leaders around me.
- “Glimmer” Badge – This is where, no matter what brought you here or your background, you experience an enlightenment that is a potential job in cybersecurity. Whether it was someone who saw something in you, a turn of events on a previous technical role or project, or an infatuation with the beauty in destruction and resurrection after a hack, you arrived here. You have a glimmer in your eyes about the future and this journey you’re about to take, like a newborn about to take a first breath. Careful, a slap on the backside is not far behind.
- “The Intern” Badge – I like to think we begin as researchers, and we maintain the title until retirement. This is where we obtain our first certification, sign up for our first training class, and hopefully follow the guidance of a successful mentor who properly aligns the objectives needed.
- “First Job!” Badge… Yippee! – There is certainly a broken record playing the track of the shortage of workforce in this field. In fact, by the end of 2018, we can expect that one to two million jobs will remain unfilled! Great news? If you are looking for your first entry level position, that’s good! You beef up the resume and either promote within or start applying
- “I Know Nothing” Badge – Even in your first role, when you think you are prepared and learned all the things necessary for success, you know nothing. Every market vertical, every business, and every team operates differently. We may follow similar compliance requirements, but the execution of controls and the maturity of the enterprise’s posture is a coin flip. This is where you truly understand the term, “ad-hoc.”
- “First Promotion” Badge… Yippee! – You have proved exemplary performance and can now level up to a senior analyst or architect position of sorts. All this means is more pay, more duties, more liability, and a new email signature. Regardless, showing growth in any position shows dedication.
- “Poaching the Young Unicorn” Badge – This industry no doubt suffers from a high turn-over rate of employees. That’s why it is imperative to understand your enablement and resource availability for your staff. They say during the bad, the bad do good. Meaning, as long as we have this shortage, competitors will offer cushy unfilled seats to your employees for their expertise. In some cases, as the professional, it is a positive career changer to try new jobs and learn new trades. As a business owner, this is a cost of qualified employees who understand your business more than the newcomer having to start at square one. I can say without a doubt, leaving one job for another was a roller coaster well worth jumping on, reaping the benefits of hidden potential and passion I had no idea existed within me.
- “Existential Crisis of the New World” Badge – Here you are to rule the day at your new job! Oh, wait did I say rule? I meant rue. Consider this a mild version of starting back at bullet point #4. What would your parents say? This will build character. Or in cybersecurity, this will build expertise. Every job will be different.
- “Skills, Experience, and the Poker Face” Badge – Never “fake it till you make it.” When you gamble, eventually the house always wins. Take any new job as an opportunity to learn new skills, no matter what level you have currently attained. Continuous education is paramount in this ever-changing landscape. Between gap assessments in your SOC’s orchestration, breach playbook creation, cloud architecture proposals, or third-party risk management plans, embrace all the experiences. On a side note, sometimes an opportunity for mastering a new skill arises due to an unforeseen problem no one has faced yet. This is where your poker face comes in. These new obstacles require a confident demeanor in order to take that historical expertise and combine it with fresh skills to solve new challenges.
- “I Guess I Need a CISSP Now?” Badge OR the otherwise “I Know Nothing Pt. II” Badge – I feel as if the title is self-explanatory. I’ve noticed at some point in a cyber-career, the pre-requisites on a job posting start to morph to require this ever elusive “CISSP” certification? The Certified Information System Security Professional (CISSP) is an example of one of those long-term expectations of achievement. I’ve heard both sides of the argument; tweets mocking the exploitation of certification junkies while on the other side, this represents hard work and dedication to studying and passing an exam. CISSP specifically requires 6 years of experience in its ten domains in order to even take this 4-hour test. Regardless of what your stance is, there is no doubt that certifications like these force you to scrape off the rust and prove your effort… yet again.
- “First Management Position!” Badge… Yippee! – Ah, the quintessential management position. Leather bound books, eager employees who show up to work, and successful board meetings with applause for your Time-to-Remediate metrics improvement and not one single critical incident. If this is your experience as a manager then either the Kool-Aid has kicked in or the evidence has already been burned. No one said this was easy. I have seen managers who lose focus and whose days are filled with constant minor distractions of employees and lack of accountability. This stage in a career is the Mr. Miyagi point where you stop painting the fence and learn to comprehensively defend. But what makes a leader from a manager?
- “Emotional Intelligence – Level Up” Badge – You guessed it. Emotional intelligence is the capacity to be aware of, control, and express one’s emotions, and to handle interpersonal relationships judiciously and empathetically. This doesn’t mean necessarily your heart strings are in a constant state of pulling or you tear up at those Campbell’s soup commercials. I believe some can inherently struggle with emotional intelligence (EI). But be aware of that if so. EI isn’t just about empathy, EI is the ability to make professional decisions based on your surroundings and the people you are working with. Personalities exist, but business continues. There is no drought of office politics, but that’s a part of life. Leveling up to Leader level means you understand your co-workers, your employees, and your clients at an emotionally responsive level. At the end of the day, sometimes people just need to be heard.
- “Leadership” Badge (The CISO Advantage) – Welcome to the CISO club! It’s the special feeling like when you reach an elite status at the airport and get access to a luxurious secret bat cave filled with soft lighting and martinis! Well, maybe. The CISO is a pivotal role in anyone’s career. But most importantly is that vital role in any enterprise. They are there to represent the security strategy and ensure it is moving along soundly. They hold both the keys, the gauntlet, and maybe even the noose around their own necks when an incident arrives. A CISO is the face of the company’s awareness and safe positioning to the world. This person is knowledgeable and knows how to engage.
- “Giving Back” Badge – To me, this badge is the basic one and not necessarily near the beginning or the end but placed throughout each phase. From guppy to big tuna, giving back is something that we should be engraining in professionals. What does this mean? Cybersecurity needs to evolve into a household word. We need to replace the headlines of breaches as the word on the street, to the positive and proactive interpretation of this as a sustainable and impactful career. We need to find ways to teach our children this, create a trickle-down effect for education to become awareness for every day citizens, and maintain a message that attracts more diverse groups of people and women to the industry. Giving back can be as small as volunteering to speak at a school or a small business, to as big as creating your own community initiative or conference.
Here and Now
When you look down at your imaginary sash, what badges have you earned? What badges are you striving for? Most importantly, when we analyze this general path of career advancement, even in the slightest modified version, what can we change for the better? Some immediate changes we can make include:
- K-12 Statewide Initiatives – Currently less than one fourth of high school students say they have even taken a computer science course. Where does your state sit on its cyber-education initiatives?
- Hiring Standards – Are you struggling to fill these “unicorn” standard analyst roles? What is the ROI in appliances versus people?
- General Awareness and Representation – This isn’t about self-branding or building your resume. This is about taking the time to spread your subject matter expertise to people who would otherwise not hear it. This isn’t just giving back. This is making your job easier in the future, so when you are sitting in that swivel chair trying to hire the right candidate, you have a pile of qualified and confident resumes to choose from. At an even deeper level, the impact of this general awareness could mean that one-second click from disaster is prevented.
This is just one person’s observations and opinions, albeit from personal experience in this industry. This is a path I’ve seen, but it’s only one path. Just as there are many ways a person can enter into this wild industry of ours, there are undoubtedly numerous ways to navigate it. One may skip over some badges, others may ignore them completely. We may also define “success” and “happiness” in vastly different ways.
Now here’s your time to give back, if even in just a small way. Continue the conversation in the comments section of this article. What are your thoughts? Are your goals even the same? What badges are missing? How would you change the system? Let your voice be heard.
Badge image is for the Programming Merit Badge.
MacKenzie Brown brings both technical and research experience to her position as an Enterprise Incident Management Consultant, where she focuses on providing clients with proactive and reactive services in order to assess their incident response capability, effectively navigate through breaches, and ultimately design a strategic program roadmap for improved overall posture maturity. In her previous role as a Research Principal at Optiv, Brown focused on developing enterprise security program frameworks and strategic deliverables which provide model, direction, and development for implementing security solutions against emerging threats. Brown is a subject matter expert in compliance and risk management, policy implementation, incident response, and cybersecurity program deployment. Brown also has practical experience in ICS/SCADA security protocols and assessment. She leverages her program development skills with her expertise and charismatic disposition for developing business, partner, and client relationships. Brown is a member of many information security community associations and regularly contributes to security organizations, holds industry certifications, has been regularly published writing on topics specific to business needs in cybersecurity, and has founded and runs an Idaho non-profit, The Ms. GreyHat Organization, that focuses on transforming the culture of cybersecurity through the empowerment of women and initiatives for developing early year cybersecurity education.browncareercisocisspeducationinfosectraining