They are everywhere, the tips and tricks from every cybersecurity social media influencer and outspoken conference presenter on how to get a job. Heck, I’m no exception–simply read on. The problem though, to me, is a market saturation of “guidance” from most folks who’ve never earned their stripes.
Celebrity CISOs, graybeards, security evangelists, everyone seems to have an opinion on what it takes to break into this field, or at least about the educational background necessary. Institutions of higher learning have created entire curricula on cybersecurity, there are boot camps galore, and the everyone-has-a-voice-if-you’re-loud-enough internet is absolutely inundated with “evidence” of successes in the field. “Heroes” of cyber are named, written about, and honored with much the same accolades as inventors, playwrights, and statespeople.
Imagine the gold rush of the 19th century–if you were a young, motivated soul who had no distaste for working with your hands all day, would you believe the collective advice of thousands of fellow gold seekers espousing that the promise of their future could be secured via a rough few years and some travel? Would you commit yourself to emulating one of those billboard heroes, following in their footsteps to one day hit it rich? Orrrrrr… would you listen to the frontline miners—their fingers swollen and cracked, ratty unkempt hair, hygiene in decay, consistently keeping overalls a renewable staple of American fashion—tell you about the commitment it takes, the losses, the wins, and what a lifetime of investment in the craft demands?
So in this episode of John’s opinions on everything cyber, I’d like to present the perspective of a person who entered this field to solve hard problems, remains close to the keyboard, pans for gold not to strike it rich and be on a billboard, but to learn, defend, and keep learning. I’m no Celebrity CISO. I don’t spend my time flying from conference to conference commenting on esoteric possibilities in “cyber leadership.” I type “ls -al” on the Windows command line and get furious that it is rejected, and more furious that I forgot I’m on Windows. I use terms such as “exclusive or” and “boolean flag” every day. I ask questions, and when the engineers create something awesome, I want them to know how much it means to us all. You don’t need my background, and I’ll never start a speech or presentation giving it to you. Hopefully you can see the rock dust on my hands, the sweat on my brow, and the evidence that I’ve made a career in this field. One that I hope you can too.
So this article is meant to teach you survival skills. I can’t promise success, promotion, even career growth. But I can explain what you need to survive, what you need to get a job. And in this world, that often results in its own reward.
The first question I think most should ask themselves is why do they want to get into cybersecurity? Is it the promise of a big paycheck? It’s true that cybersecurity is a very lucrative field, but if that is your only motivation, well, this might not be for you. There’s a level of altruism necessary in this field that often conflicts with financial motivation. What would 20 years in cybersecurity mean to you? Where will you end up? Is it a lilypad career field to something bigger? Interestingly, it seems as though cybersecurity is kind of an ivory tower. Meaning that it’s an end-of-road career field, your personal zenith of excellence. It’s uncommon, at least in my experience, that cyber engineers go back to networking, storage, sysadmin, or any block-and-tackle discipline of IT. Typically, it’s the other way around. So is that acceptable? Again, I’m no oracle. But if solving the hard problems is your thing, if managing massive complexity only to deliver a slight reduction in operational strife to the end user is interesting, you’re in the right place.
The next question to ask is: when faced with a dilemma, say choosing to travel west with your fellow pioneers, or not, what do you do? Do you ask what everyone else is doing? Do you research the route for lions, tigers, and bears (Oh my!)? Do you look at log data from previous travelers, their success rates, costs, and alternatives? The mind of any cyber professional is a constantly evolving analytical decision tree. If I choose this, what happens there? If the attacker could do this, what shall I protect with that? If users have options X, Y, and Z, which is most risky and where do I invest my time? This theme of “digital detective” repeats itself in risk analysis, threat hunting, security operations, DevOps, identity management, and everywhere that cyber professionals exist.
I once had a keyboard warrior blast me for insinuating all cyber professionals should have master’s degrees. Maybe he had sticky keys turned on, or maybe his spectacles just needed a polish, because this couldn’t be further from the truth. Is there a backdoor to the cybersecurity engineering center of excellence? NO. Is there a “fast track” to become a cyber engineer? NO. But you don’t need a master’s degree and in many cases don’t even need a bachelor’s degree. What you do need is experience in the block-and-tackle disciplines of IT; you need to “earn it.” I’d say that the best cyber engineers earn their stripes in networking, storage, sysadmin, or even soft skills like help desk and project management. The point is, an education in IT is fundamentally critical, whether that’s in the schoolhouse or “on the streets of IT.” Cyber touches all things, has its fingers in every river, every stream, every sluice. It is all-seeing, and in some ways all-knowing. It’s a benefactor as much as a single ivory tower of knowledge. I hear complaints sometimes from passionate cyber onlookers that such guidance eliminates the possibility of young graduates, interns, etc., getting entry-level jobs in cyber. I want to be clear: this isn’t meant to be a survival guide for those hiring managers or ones who celebrate security. It’s meant for people who want to get a job in this field and ensure their own success.
Cyber—information security, as it is formally referred to—is often stereotyped as “the house of no.” In fact, it’s one of the reasons you’ll find a lot of tenured engineers are wallflowers. No one wants to work for the house of no. So sometimes the weaker infosec shops attract folks looking to hide out among lots of open requisitions, who might not really be true infosec professionals. This happens at all levels, by the way. Executives promoted out of opportunity instead of merit are also in cyber. But the good infosec teams recognize that saying no is useless, confrontational, and often technically incorrect.
My job is to try and find a way to say “yes.” Cyber even has its own vernacular for the word “compromise.” Instead we say “compensating control,” “risk reduction,” or “vulnerability mitigation.” Fancy! Finding a way to say yes is a chemistry of humility, technical depth, and empathy—kind of like the “good, fast, cheap” paradigm. At all ranks, true infosec professionals take this challenge seriously.
There’s more guidance out there you might not have the patience to endure. Here are a few survival quotes I find useful:
“Security can never be right 100% of the time” – Unknown.
“He who defends everything, defends nothing” – Frederick the Great.
“All warfare is based on deception” – Sun Tzu.
I’d like to reiterate that the above guidance is from my experience. There are many paths to your own personal success, and the most important thing is to let that define you, rather than any forum troll, keyboard warrior, or blowhard executive who uses way too many metaphors.
John Frushour has 20-plus years of experience in IT and is the Chief Information Security Officer for the New York-Presbyterian Hospital System. John’s responsibilities include NYP’s security operations center, identity and access management team, vulnerability and forensics team, security engineering and architecture teams, enterprise messaging, authentication services, and more.