Security Lead at ZeroFOX
What was your career in before making a switch to cybersecurity?
Unlike many professionals in the current field, I started my career in the cybersecurity industry.
Tell us about your journey transitioning from your primary career to cybersecurity.
By the end of high school, I had established my aptitude for computing, and security in particular. Like many students in such a situation, I was advised to seek a degree in computer science. Upon arriving at university, I was surprised to find out that they had started a dedicated computing security degree that very year. Given my passion for the subject, I enrolled in the new program which, after graduating, led to my career in cybersecurity.
Why did you choose a career in cybersecurity?
In short, passion. I had always been interested in and practiced the topic before I realized that it could become a lucrative career.
Share your views and thoughts for those who want to be part of the cybersecurity industry.
The industry is not for the weak-willed. As a professor, I occasionally happen upon students or parents who will talk chiefly about the opportunity for compensation. While there is certainly money in the field, it is important to remember that cybersecurity is a constantly evolving industry that requires tremendous effort to master and subsequently remain up to date with. Without this investment of time and energy, failure—or at least failure to advance—is a very likely possibility.
What would you like to suggest to our readers who want to start a career in cybersecurity, and how can they do so?
Cybersecurity is a fantastically interesting and entertaining field that is just now starting to mature. Unlike other careers, its relative youth means that there is always plenty to learn, and new tools and techniques are becoming public daily. My suggestion is to get involved in the cybersecurity community. More than most industries, security provides for an open and nurturing community that is there to both teach you and empower you as you develop.
Do you suggest that someone should be expert in one vertical of cybersecurity or should they be an expert in every domain of cybersecurity? What is your opinion from an industry perspective?
Becoming an expert in one field is a common occurrence; however, the most successful security practitioners have a well-laid foundation of the principles and are able to speak to and, if needed, pivot to other areas within the industry. More generally, I find that most successful members of our industry have a limited few areas where they don't focus, rather than restricting themselves to just one vertical.
The cybersecurity landscape is ever-changing and extremely dynamic. How do you keep yourself updated? What are your suggestions for our readers?
Staying up to date should be an outcome of your love of the topic. This can involve reading the news, books, conferences, training, and more. I find that the more engaged with the community you can be, the easier it is to stay on top of advances.
In your view, what is more important: having a security certification, getting the relevant security training, or gaining hands-on experience through a job?
Without a doubt, hands-on experience is the most useful background to have when it comes to any job. Think about security as if it were driving. While sitting through a driver's education course and getting a driver's license is part of the equation, they simply indicate that you have the minimum set of capabilities to drive a car. It is the years of practice and experience that make you a good (or a bad) driver.
We all agree on the fact that cybersecurity is a non-negotiable factor of today's industries. As an industry leader, in your opinion, what are those new frontiers where cybersecurity will be needed in the near future?
I think we will continue to see a place for the traditional offensive and defensive security engineering positions. However, there are some areas that we, as an industry, have underperformed in. Two of the weakest areas are data analytics and development. Often, these two go hand-in-hand, either working on automating complicated problems or making new products. We can be sure that there will be continued growth and demand for these skills. The other area that is just starting to really take shape is a more involved role for technical security individuals in legal and policy matters. This is being driven both by recent regulations around privacy, such as GDPR, and by third parties that require basic levels of technical security controls and auditing, such as via SOC2.
Who is Chaim Sanders?
Chaim Sanders is a professional security researcher, lecturer, and tall person. When he is not busy being overly cynical about the state of computing security, he teaches for the computing security department at the Rochester Institute of Technology. His areas of interest include eating food bathed in butter, and web security. Lately, his research has been focused around defensive web technologies. Chaim's sarcasm-driven approach to security provides a unique vantage point that helps him to contribute to several open source projects, including ModSecurity and OWASP Core Rule Set, where he serves as the project leader. You can find his personal website at http://www.chaimsanders.com/.