October 2017 marked the 14th National Cybersecurity Awareness Month (NCSAM. The National Cyber Security Alliance (@NatlCyberSecAlliance) once again hosted a series of Twitter chats every Thursday in October using the hashtag #ChatSTC (moderated by @STOPTHNKCONNECT), in which ESET researchers once again participated. Throughout October we gathered our own thoughts on the topics chosen each week for this short series of blogs, in the hope that reader might take advantage of the commentary and advice offered by other players in the security industry.
In our previous blog entries we covered Simple Steps to Online Safety, Cybersecurity in the Workplace and Today’s Predictions for Tomorrow’s Internet. In our final blog in the series we will be talking about the opportunities that await you if you were interested in a career in cybersecurity.
The Internet Wants You – Consider a Career in Cybersecurity Thursday, Oct. 26, 2017, 3:00-4:00 p.m. EDT/12:00-1:00 p.m. PDT
____________________
Q1: What does it mean to be a security professional?
Bruce P. Burrell: COMPUTER security professional, I presume.
I guess it means one gets paid to spew stuff about computer security. Unfortunately, that does not necessarily mean one is an expert – perhaps only that one has a larger soapbox on which to stand. So, as I've said elsewhere: "Trust is earned."
[Of course, not all security professionals are public-facing. For example, I'd say that the folks in our Malware Research Labs are security professionals, and you might argue even that anyone hired by a computer security firm is at least in some way a security professional, though you don’t expect the same level of expertise from someone in Sales, say, as someone in the Malware Research Labs!]
Aryeh Goretsky: Less Sleep.
David Harley: Requests for help with another company's security software. Requests to write unpaid articles. Weekends catching up with the latest urgent breach. People at parties stop asking you what you do for a living after the third time their eyes glaze over. [Who am I kidding? The last party I went to was my daughter's wedding reception…]
Lysa Myers: For me it means helping people use technology safely. Teaching folks to protect their privacy.
Q2: What are some of the career paths you could take – or positions to consider – in security?
Bruce P. Burrell: As mentioned above, there are positions that are public-facing … and that are internal. All for-profit companies need people in Sales, Marketing, Accounting, HR, and Management – and these will not, in general, require prior experience in the security field. So there are all these positions that don't have a specialization in security. Tech support and IT will, of necessity, require more knowledge of security itself, but for most in these jobs, it won't be the primary focus. And then there are the highly-specialized positions in product development and research. [And surely other aspects I've not considered here.]
Perhaps the best advice is to take a look at several companies' websites and have a look at the positions available – that will give some idea of the possibilities out there. Note that there are some secondary education opportunities to train for computer security, but these are not yet widespread.
Aryeh Goretsky: Research, engineering, legal and compliance all come to mind.
David Harley: https://www.welivesecurity.com/2016/11/09/careers-fighting-cybercrime/
Lysa Myers: Lots of options, some more technical & some more people-oriented. Both offensive and defensive. Emergency response, or long-term design/architecting options. Administrative or creative. Research or regulatory compliance.
Q3: What are some of the top benefits of a career in security?
Bruce P. Burrell:
- Depends on the position, of course
- If it's a field that interests you, then it's interesting work. While that may sound like a tautology, think about it.
- Never a dull moment
- You get to wear a white hat.
Aryeh Goretsky: It pays well.
David Harley: Sometimes, you make the world a slightly safer place. And you actually get paid for being a geek.
Lysa Myers: Making a difference in the world! Learning things! Travel! Stable, lucrative job! Never a dull moment!
Q4: Why are cybersecurity professionals in demand, and what types of organizations need skilled security workers?
Bruce P. Burrell: They're in demand because there are more open positions than qualified applicants. And while some need them more than others, ALL organizations need security personnel, even if it's subcontracted.
Aryeh Goretsky: Demand has outstripped supply, and pretty much every organization from brick & mortar stores to the government needs security practitioners.
Lysa Myers: I can’t really think of a single type or size of organization that doesn’t need security workers. Question is really how many? Businesses large & small all have security needs. These needs will only grow from here on out.
Q5: What are the top skills to have if you want to enter the security field?
Bruce P. Burrell: Hard skills? Depends on where you're going. Soft skills? I'm not a manager, thank heavens, but I'd imagine it would be a combination of enjoying a challenge, being tenacious, loving to learn, being flexible, being willing to work long hours, having great communication skills.
Aryeh Goretsky: Knowledge of how things are supposed to work. Troubleshooting skills. Ability to think analytically. Ability to clearly communicate with technical + non-technical people.
David Harley: https://www.welivesecurity.com/2016/11/09/careers-fighting-cybercrime/
Pretty long for a blog, let alone a tweet, but extracted from https://www.onlineeducation.com/expert-interviews/david-harley-senior-research-fellow-eset:
It might seem that security as a specialism might require a specialized skillset and type of personality, but it’s not exactly so. Obviously, some traits are beneficial in many roles: caring about the safety of yourself and others; common sense and an analytical bent; a painstaking approach to problem solving; adaptability and coolness in a crisis. Other traits are clearly role-specific: security evangelists tend to be extroverted (but extroversion helps for anyone in the public eye, including researchers lumbered with conference presentations). A security administrator needs a broad range of technical skills, usually including a comprehensive grasp of programming, server and desktop operating systems, a range of security programs and how they work, and so on. Threat analysts need coding and analytical skills, ferocious concentration and attention to detail, and so on.
Those of us with an educational remit (whether it’s formal training, technical writing, or geek-to-English translation in the media) are constantly trying to strike a balance between geek-ish pedantry and the need to simplify without oversimplifying.
[…] All specialists sometimes require support and management addressing issues outside their own competence. There are as many types of managers as there types of unit to be managed, but clearly there is a range of necessary business skills that aren’t specific to security management.
It won’t surprise you that I also consider an understanding (not necessarily an in-depth knowledge) of security to be a necessary business skill. Security is certainly an area where the hybrid manager has an edge, but because being up-to-date technically and performing the usual managerial functions is terribly demanding, it’s also important for a security manager to know his or her limitations and be ready to seek and accept advice. It also helps to have the people skills to be able to assess whose advice to take. […]
In all areas of security, a certain amount of paranoia, cynicism, pessimism, and ability to spot the weak points in a proposition is helpful. These may not be altogether admirable qualities in a human being, but they definitely bolster the security skillset. […] the ability to think like an attacker when it comes to assessing the attack surface needs to be combined with a firm grasp of ethics, with personal honesty and integrity.
Lysa Myers: Technical is important, also communication skills/thirst for knowledge. https://www.csoonline.com/article/3093397/it-careers/which-non-technical-skills-are-most-important-to-a-career-in-security.html
Q6: What advice do you have for students and professionals who want to work in security?
Bruce P. Burrell: Get as good an education as you can – not necessarily in computer security, but certainly in something that forces you to think critically. Get experience any way you can, including providing tech support in a public forum, perhaps. Read and understand as much security info as you can. Consider various certifications and specialized training – but do your homework first to decide what's quality … and what's offal.
Aryeh Goretsky: Study, learn/read everything you can, and network (socially, that is).
David Harley: https://www.welivesecurity.com/2016/11/09/careers-fighting-cybercrime/
Lysa Myers: Knowledge is good, being trusted in the community is crucial. https://www.welivesecurity.com/2015/06/16/beginners-guide-starting-infosec/
Q7: What can parents, teachers & orgs do to grow interest in security jobs & prepare people to fill these roles?
Bruce P. Burrell: Well, at least let the kids know such opportunities exist. Unfortunately, there's some evidence that, even when offered some pretty amazing resources, for free, schools may not be interested in adding this as a curriculum….
Aryeh Goretsky: Treat finding a security hole as a learning experience, instead of [with?] punishment.
David Harley: https://www.welivesecurity.com/2016/11/09/careers-fighting-cybercrime/ (Is there an echo in here?)
Lysa Myers: Make sure students learn age-appropriate comp sci & safe computing in school! https://www.welivesecurity.com/2014/01/21/why-are-so-many-kids-still-not-receiving-computer-science-education/
Q8: What resources can help people learn more about the security field & take steps to enter the cyber workforce?
Bruce P. Burrell: Learn more about security? Google Is Your Friend, and with any luck it will lead you to WLS.
Enter the field? More difficult to answer, but as I mentioned: there are a few academic programs in computer security, so at least look at them critically and, if one or more seems like a good fit, do more research and perhaps apply. If accepted, perhaps matriculate. And even if you don' graduate with a degree, then, assuming you're still interested, apply for jobs in cybersecurity, since you'll have more training and skills than you did before you enrolled.
Aryeh Goretsky: www.securingourecity.org + www.welivesecurity.com
David Harley: https://www.welivesecurity.com/2016/11/09/careers-fighting-cybercrime/ Yeah, yeah, I know…
Lysa Myers: https://www.welivesecurity.com/2015/06/16/beginners-guide-starting-infosec/
____________________
And with that our series of Twitter chats has come to an end but we hope you found them both informative and entertaining. If you did enjoy them and would like to learn more on the topics mentioned we encourage you to check out a page put up by ESET offering lots of free cybersecurity resources to help you become more #CyberAware.