Cybersecurity Consultant, Microsoft
The road to cybersecurity
Much like the adage "the road to hell is paved with good intentions," so too can be the journey of a budding cybersecurity professional. The ability to adapt to varying environments and circumstances is key to anyone who is seeking to go down the path of a cybersecurity professional. The biggest learning factor through my career path in the security profession is that security can normally be trumped by a business's need to perform! This is normally a big blow to any individual that has the passion to secure a business, only to be halted at the next meeting, project review, development discussion, or just plain corridor talk, for many varying factors.
When I started along my journey, there were many things I had to learn, and I had to double- and triple-check to make sure I was getting it right. This industry has changed from a "no" business to a "let's make this work, but securely" business. Whether you are talking to technicians, architects, managers, directors, or even end users, none of these people will quite understand the passion behind your convictions to get a product or environment as secure as possible – that is, until disaster strikes or it is looming in the background.
Knowing the limits
My first bit of advice would be to know yourself, and to know your own limits. There are plenty of individuals in the cybersecurity industry, and I haven't met one who knows everything. This field is miles long and plenty deep, all depending on which path you choose. The many facets of the industry can be very rewarding if you know what you enjoy and what will keep you going. Puzzles, challenges, mystery, intrigue, and even romance can all be expected in this field; it is nevertheless a cliché straight out of a novel or even a movie, yet all these things can be experienced in a moment or over a period of time.
Forensics, compliance, breaching, testing, analytics, or even design are all pieces of a larger puzzle that encompasses this vast subject called cybersecurity. The question that most people ask when they hear about what I do is "How can I get into that?" or "What should I study to do security?" Many a time, I have been left pondering the correct answer to give, only to think about my journey to this career path. This can be a discussion that goes on for minutes or hours as I sit and describe all the exciting options that cybersecurity has, to try to guide you in the right direction. Sometimes, it's a simple question of, do you prefer to read or watch movies? And, out of those, what is your favorite genre?
This is a general guideline of where you could see yourself within the field of cybersecurity. The following are some of the exciting roles and brief descriptions that can await you, just to name a few:
- Application security: A continually growing field, with exciting challenges and tremendous rigor. This can have you thinking about software integration, development life cycles, vulnerability management, or simply how security will feature in the application itself. The ability to learn as the world changes around you and how to adapt to those changes will see an individual soar in this field.
- Cloud security: With all things moving to the cloud, the call to have better controls and security around this will be on the up and up. This is no longer a pipe dream, and the ability to make sure that all requirements are met for varying frameworks, laws, and customer requirements is a big must. IoT will be your best friend and will definitely challenge you.
- Cryptography: Does your mind work at a mile a minute? Can you make up secret languages, or decipher them quickly? Then this is where you would want to be. In a world where your PlayStation 3 can be clustered and used to break encryption (Dumitrescu, 2009), the need for better encryption and encryption methodologies is always welcome. This career path can see you working in top-secret organizations or on defense contracts.
- Forensics: Your typical whodunnit scenario or murder mystery. Whether you go corporate or law enforcement, your ability to solve puzzles will be key. Sometimes, it will be as easy as spotting Waldo standing alone in a snow field, or as tough as trying to find him at a Father Christmas convention. Your ability to do things methodically and with due diligence will be a great asset to you, as you could be called to testify as a witness.
- Information security: Protecting information while it is at rest or in motion can be called for in many regards, whether it be Yahoo's data breach of 3 billion accounts in 2014 (Armerding, 2018) or some small database from the local medical practice. Information is sacred to someone and can have dire consequences if it's in the wrong hands. Various industries have varying standards on how to protect information. Financial, personal, or just trade secrets, it could be your responsibility to make sure that it remains safe and secure from leaking. This could even mean that you deploy technologies to prevent leaks from occurring from within an organization.
- Mobile security: Nearly everyone in a corporate environment has a mobile device. These devices are powerful handheld computers that can be used to steal information, infiltrate a meeting, or just plain cause malicious harm to their end user. Companies require their staff to be productive while mobile, but not at the expense of information or access. With alarming numbers of mobile devices being left in taxis in the UK alone (Peyer, 2014), the potential for any of those devices to contain company data is very high. You would need to know how to secure and segregate company data from private data on a single device, and be prepared to wipe the device remotely if possible.
- Network security: Your initial start to this part of the industry can be slow, as many people will not let a rookie loose on their production environment. With different vendors in this space, you will have options to venture through, but as you master this technically, your expertise will be sought after and consulted upon for design and security considerations. Firewalls with deep packet inspection, direct access, VPNs, and even detection and prevention mechanisms of the data traversing in, out, and around your network could be controlled by you. You would be an information traffic cop, if you will.
- Penetration testing: You know the bad guys we are trying to protect systems from? Well, it would be your role to simulate those guys within known or unknown environments to try to ascertain whether there are known weaknesses on a system that could be exploited. Thinking on your feet to try and break into a system and get the data or the highest level of privilege possible would be your goal. You could use your smarts and code an exploit, or simply your charm to get onto the system. However you do it is up to you, but the goal is getting access! As a penetration tester, you will help by finding gaps in the security already established for systems, and thereby inform organizations or other security individuals about said gaps so that they can be mitigated before the system goes live.
- Risk management: This is about recording and tracking all known security risks to an organization. Even though this may not sound exciting, it is key to understand the potential threat or losses that could occur due to open risks. What is the likelihood of such an occurrence happening? Research and industry knowledge will be key here. This role is tied to business continuity and consultation on most security incidents.
- Security analysts: Breaches, false positives, events, and pages of data are what await you here: for example, trying to determine where a piece of malware originated, who coded it, or whether it was just a hoax. As an analyst, you can be part of the Security Operations Center (SOC) or an incident response team. Understanding data flow, methods of compromise, or just what looks abnormal, your in-depth knowledge will point you in the direction of potential or existing threats. This can very much be a detective role with a cowboy outlook, stopping bad guys at the source.
- Security auditing and compliance: Are you the kind of person who loves following the rules, and enjoys making sure that others do too? Well then, this role will suit your needs. Different frameworks, legislation, and standards are adhered to, or must be followed, throughout most industries and organizations. Take, for example, the Payment Card Industry standard for dealing with credit or debit cards: VISA, MasterCard, and Amex adhere to the standard and require anyone issuing their cards to do the same. You will make sure that these frameworks are being followed and adhered to, making sure that the minimum level of security set by those standards, frameworks, or legislation is being used within the organization. It is when the rules are not being followed that the auditing comes in and brings this to the attention of the directors. Auditors can do manual or automated checks to help find these discrepancies.
- Security operations: This is your man-on-the-ground role. You may need to implement a fix to mitigate a problem penetration testers have found, close a gap discovered by an auditor due to non-compliance, or find a solution to reduce a risk that has been plaguing the risk management team. Welcome to the firefighting team. This role will keep you busy, and your learning curve will be exponential and rewarding. Though you might never be a master of a specific listed field, you can certainly excel in other ways. Things such as identity management, technical controls, centralized management, and deployment techniques could all stand you in good stead along your path. You will eventually deal with all of the cybersecurity roles to a certain degree. Your broad knowledge will have you challenging even physical security concerns.
The listed roles provide a glimpse of the skills or mindset you might require to fulfill them. Bear in mind that these roles could be fluid and ever-changing, adapting to the times and the situation you are in. Remember what I said at the beginning of this chapter: have the ability to adapt. Keeping that in mind, the industry has a lot of certifications to help aspiring cybersecurity professionals. The problem is, which ones should you take, and how will they help you? This is another question that is asked of most cyber professionals, and there can be many opinions on the matter. I also know of many individuals who are not certified in any of the well-known certifications, but who are, however, still very knowledgeable in their areas of expertise.
I would suggest that, depending on your level of knowledge of the industry, number of years in the industry, years of study, and, of course, how likely you are to fall into a certain role, you investigate the known certification houses and see what offerings they have from beginner to expert level. See which appeals to you or where you would like to focus your interest. Also, look to the job boards to see the role you are looking for and what the certification requirements are, if any. Some certifications have a practical requirement, which requires you to demonstrate the knowledge that you have learned in a simulated environment rather than in a standard test. Where possible, practice building labs with friends or family who have the same interests and learn; you will be surprised at just how much you will know after you rebuild that lab for the tenth time due to an incorrect security setting or a failed simulation.
In my case, I had already been in the Information Communications Technology (ICT) industry for 10 years before my interests led me to cybersecurity. Although security was always something in the back of my mind, it became more imminent when threats were causing late-night work and presumed on-call work. Viruses such as the ILOVEYOU virus in 2000, which brought down email systems, or the Conficker worm in 2008 and Stuxnet in 2010, really tested the resolve of cybersecurity teams.
It was scares such as these, and the needs of the organization I was in at the time, that drove me to look to names in the industry and follow their principles. When tackling any identity-related security, I always looked at the principle of least privilege as a starting point, and, subsequently, the segregation of duties. Having a military background really helps with this line of thinking; however, it does not always translate well into every organization. That said, it reiterates my previous statement that flexibility is key.
Frameworks really helped to build the grass roots of my understanding, and each one can be quite different. When starting out, I shot straight for the US National Institute of Standards and Technology (NIST), and this gave me a broad base of knowledge that led me to find out about more frameworks to use, which were industry-specific. This included the likes of PCI DSS for all payment card handling, HIPAA for US health care and information handling, and PIPA for the handling of personal information in South Africa. Much like the foundation of a house, a framework can provide you with some of that foundation. However, these are just foundations; certain aspects can differ for various reasons.
The next step is to look to big names in the industry. Bruce Schneier was one of the first I found useful, especially around the topics of cryptography. Then, many others will come to light and you will soon see whose style of writing and insights you enjoy. Try to follow these people on social media and visit their blogs and websites if you have that information. That said, the internet is full of information and helpful sites. Sign up to some threads around your topics of interest to see what's happening around the world. But, beware—you can soon find yourself inundated with information and not know what to read. Stick to reputable sources and keep it relevant to your needs.
Knowing your threat helps you to better focus on what would be required to protect the system. So, in those terms, when I was tasked with looking after certain bits of the business, I would focus all my attention on the means of delivering that software, the hardware it was on, and the methods of accessing it. To better understand the vectors of attack, I learned to think like an attacker and went and learned about hacking. I achieved a Certified Ethical Hacking (EC-Council, 2019) certificate, and that was my first cybersecurity certification. My next goal was to achieve my CISSP (ISC2, 2019), as this was seen as the flagship certification to have in the industry. This was great to achieve at the time, as I already had a lot of experience to my name. I also completed my master's degree in computer security, just to enhance my educational background. The quest for learning in this field is always vast, and never dull. There is always something to find, even if it means you find out that it's a subject you don't like.
I have used my skills in different organizations and in different roles, each very different and fulfilling. I'm constantly learning and still, to this day, have a passion for the cybersecurity field. I always have a drive to protect the innocent from the dark side of the internet, as many, many people can be naive. Where possible, I like to make my knowledge available to those people, to help them understand the role of cybersecurity. I like talking to parents so that they can protect their children. The World Wide Web is just like the real world and has scary places to visit, and I always like to say that it has made the oldest crimes available in the newest ways; that is, you can rob a bank from the other side of the world without leaving the comfort of an armchair.
In closing, if asked whether I would do this again, my answer would be yes, a thousand times over, as I love it very much. It is a great profession to be in and will be needed for as long as the world continues to move forward, where information will be valuable to someone at some time.
Who is Judd Wybourn?
Judd is a cybersecurity professional with over 20 years' experience in the ICT industry. He has a master's in computer security and various industry certifications. He currently works at Microsoft as a Cybersecurity Consultant, delivering solutions to customers. Judd has a big passion for protecting children on the internet and when he has the opportunity, he speaks about it to children, parents, and professionals alike.