What is the biggest mistake you’ve ever made, and how did you recover from it?
Many years ago, while working as a telecom tech, I got sent to a mine in the Arctic Circle with a replacement router in the dead of winter. It was a spontaneous, last-minute fix for a critical failure in poor conditions, and I didn’t check my gear properly. After a bizarre journey by prop plane, hitchhiking in the dark, and entering the mine with no cell phone service, I realized that my console cable didn’t work. I had traveled across an ice sheet in the dark, I was totally alone, and I couldn’t connect to and configure the router. I ended up building a server out of parts in the telecom closet of the mine. They never knew. Hopefully, they never read this book. ■
10
Lee Carsten
“There is also a digital transformation occurring, and many of the new jobs will be substantially different from the security jobs we know today.”
Twitter: @lcarsten • Website: www.linkedin.com/in/leecarsten
Lee Carsten is a vice president at Aon Cyber Solutions. Based in the firm’s Dallas office, he is responsible for developing and growing the firm’s relationships with enterprise clients, helping them proactively manage and control their risk and reactively respond to incidents. Lee is also the president of the Alamo Information Systems Security Association and a steering committee member on EC Council’s Global CISO Forum. In this capacity, he helps information security leaders build relationships with their peers, get recognition for innovative initiatives they are leading, and give back to their communities. He is active in a number of other security organizations, including the Open Web Application Security Project, InfraGard, CyberPatriot, and the National Collegiate Cyber Defense Competition. Lee is a graduate of the University of Arkansas, where he studied engineering and business, and has a degree in Accounting and Computer Information Systems.
If there is one myth that you could debunk in cybersecurity, what would it be?
That the security profession has a million open jobs, and we just need to attract and train more people to fill all of the open positions. Organizations are adopting more cloud-based infrastructure and services, and tool- and service-specific jobs are moving away from those organizations and into the service provider space. There are examples all over the place of companies getting more done with 35 security people today than they could with 100 a few years ago. There is also a digital transformation occurring, and many of the new jobs will be substantially different from the security jobs we know today. Deep learning and neural networks are going to supplement predictable, repetitive work streams. Security roles will be more aligned with business processes specific to certain industries and organizations, and knowing the business will be as critical as knowing the tech. There will continue to be good jobs in our industry, and we need a diverse group of intelligent, motivated people who are interested in helping us solve hard problems, but we need to ensure that we are training security professionals for the jobs of the future.
What is one of the biggest bang-for-the-buck actions that an organization can take to improve its cybersecurity posture?
Implement trusted DNS and country-specific blacklisting. Learn how to implement and use the tools you have. Sunset end-of-life/unsupported systems and get them off the network.
How is it that cybersecurity spending is increasing but breaches are still happening?
Attacks and attackers are becoming more sophisticated and are increasing in scale. You don’t even have to be technical with the exploit-as-a-service models that are popping up. Anyone can do it.
The need to compete drives businesses to introduce an ever-increasing number of endpoints, significantly expanding the cyberattack surface—whether through a retail bank’s mobile app, a manufacturer of connected cars, or even office equipment like printers or employee devices.
Organizations are also bringing processes and infrastructure online, for example, through connected grid systems, supervisory control and data acquisition (SCADA), and industrial control systems (ICS). Cyber risk is dynamic: every change in a company—an M&A transaction, working with a contractor, introducing new software, or moving data to the cloud—affects a company’s cyber-risk posture. Securing this shifting target is challenging. Legacy systems are also vulnerable to being exploited with modern attacks.
Do you need a college degree or certification to be a cybersecurity professional?
No, but I personally think it helps. It doesn’t even need to be in a technical field, but college is a place where you learn how to learn. Internships and associate programs within companies are extremely beneficial if you want to be in the security field. If college isn’t an option for you, there are many examples of top security pros who didn’t come out of a traditional four-year degree program.
How did you get started in the cybersecurity field, and what advice would you give to a beginner pursuing a career in cybersecurity?
I got started in 2002. I was working for an IT services company and a client of mine needed help managing their firewalls. I went to an Information Systems Security Association (ISSA) meeting and got involved with the local chapter, and that started my move toward security. I liked the people and thought this was an important problem to help solve, and that changed the course of my career.
As for pursuing a career, my advice would be to get involved in your local community. The people you meet will be as important to your career as any degree or certification. Find a meetup, an ISSA or OWASP chapter, attend a Security BSides—whatever seems to have some momentum in your area. Leverage online learning resources.
Don’t focus just on the security or hacking tools; learn what you can about systems as well. Learn how to code, or, at a minimum, learn how to script and work with the command line. Podcasts are another way to ease into what people in the industry are working on. Follow 10 security thought leaders on Twitter.
What is your specialty in cybersecurity, and how can others gain expertise in your specialty?
I started in IT and moved toward information security in the early 2000s. I’ve spent most of my time in my security career on the business side of things.
AppSec (application security) is an area of focus for me. The Open Web Application Security Project (OWASP) is a great place to begin. Having a development background is also important if you want to work in software security.
Right now, I am working in the risk quantification space to help security leaders measure the dollar value of their programs and evaluate how to maximize their investment. There are lots of opportunities in the industry that are people-oriented and don’t require years of technical experience.
What is your advice for career success when it comes to getting hired, climbing the corporate ladder, or starting a company in cybersecurity?
You have to understand what you are good at. Know your strengths and weaknesses. Be honest about them. Suit up and show up (dress the part).
Don’t let your appearance turn people away so they can’t hear what you’re saying. You have to be continually learning. Know who you’re talking to. Do your research. Add value. Take the tasks nobody else wants and overperform. Then, train your replacement.
What qualities do you believe all highly successful cybersecurity professionals share?
The best security people are inquisitive tinkerers and have a sensitivity around what is right and wrong. They don’t take things at face value. They test boundaries and look for evidence. They break things to understand how they work. They don’t always follow instructions. Integrity matters.
What is the best book or movie that can be used to illustrate cybersecurity challenges?
The Phoenix Project. This book is a novel that anyone can read and follow, as it highlights one of the important shifts that occurred in the software development industry. It’s not solely a security book, but it represents the business environment we are tasked with securing.
What is your favorite hacker movie?
Ocean’s Eight. I know the technical advisor for the film, and I’m excited about some of the tech that was used.
What are your favorite books for motivation, personal development, or enjoyment?
Wild at Heart by John Eldredge. The Purpose Driven Life by Rick Warren.
What is some practical cybersecurity advice you give to people at home in the age of social media and the Internet of Things?
There is no such thing as privacy on the internet.
Don’t say or do anything online you wouldn’t want your grandmother to see.
What you say no to is as important as what you say yes to.
Who you are as a person is more important than what you do.
Understand what tech does for you. Don’t adopt tech just to adopt tech.
What is a life hack that you’d like to share?
When you get to your hotel room, take a picture of the room number with your phone so you won’t forget which room you are in.
What is the biggest mistake you’ve ever made, and how did you recover from it?
Many years ago, I was responsible for an email migration for a professional sports team that went wrong. It was on Lotus Notes if that gives you any indication of the timeframe. I had a subject-matter expert brought in for a weekend to help with the migration. The team had a virtualized environment. We started the upgrade without checking the available disk space, and the upgrade failed halfway through. There were no good backups. All systems on that server went down and were unrecoverable. It was also done during the season, and the league was doing a DNS change at the same time.
I took full responsibility for the error and committed every resource I had to get them back up. Twenty-hour days—with lots of communication with the team, the ownership group, and the league about where we were at—and my team stayed completely engaged and on task till we got all of their systems restored. Even during the 48 hours of DNS propagation changes, where we couldn’t do anything but wait to determine whether the fixes would take, we were there. A 12-hour project turned into five days. It was a character-building experience. ■
11
Whitney Champion
“We spend countless hours securing things from the more obvious outside attacks, but we don’t always spend enough time auditing who has permission to do what from within, or disaster recovery.”
Twitter: @shortxstack • Website: whitneychampion.com
Whitney Champion is a systems and security architect in South Carolina. She has held numerous roles throughout her career—security engineer, systems engineer, mobile developer, cloud architect, and consulting architect, to name a few. In the last 15 years, she has worked on operations teams, support teams, development teams, and consulting teams in both the private and public sectors, supporting anywhere from a handful of users to hundreds of thousands. No matter the role, security has always been an area of passion and focus.
If there is one myth that you could debunk in cybersecurity, what would it be?
It’s not always the hacker in the black hoodie trying to steal your data, and it’s not always about someone trying to steal your personal information, credit card numbers, or secrets. Sometimes, it’s the teammate who is still getting their feet wet—but has administrative access to all your systems—who accidentally took down or deleted an entire piece of your infrastructure.
We spend countless hours securing things from the more obvious outside attacks, but we don’t always spend enough time auditing who has permission to do what from within, or disaster recovery, both of which are equally important.
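The "who has permission to do what from within" audit the answer above calls for, as an added example that is not from the book or the interviewee. It takes a Linux host as one concrete case: it parses /etc/group and /etc/sudoers and reports every account that is effectively root, whether through an admin group, a blanket sudo rule, or the docker group. The file contents, group names and usernames are constructed for the example; the sudoers parser is deliberately simplified (no aliases, no `#include`, no line continuations), so treat its output as a starting point for review rather than a complete privilege model.

```python
"""Audit which local accounts hold root-equivalent privileges.

Added example (not from the book). Inputs are constructed in-line so the
script runs offline; on a real host read /etc/group and /etc/sudoers instead.
"""
import re

# Groups that usually imply full administrative rights (assumption: adjust per distro)
ADMIN_GROUPS = ("root", "wheel", "sudo", "admin")

# Constructed /etc/group sample
SAMPLE_GROUP = """\
root:x:0:
wheel:x:10:alice,bob
sudo:x:27:carol
docker:x:999:dave
developers:x:1001:bob,dave,erin
"""

# Constructed /etc/sudoers sample: two blanket grants, two scoped grants
SAMPLE_SUDOERS = """\
Defaults    env_reset
root    ALL=(ALL:ALL) ALL
%wheel  ALL=(ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
erin    ALL=(ALL) NOPASSWD: ALL
dave    ALL=(root) /usr/bin/systemctl restart nginx
%developers ALL=(ALL) /usr/bin/apt-get
"""

# user_or_%group  host=(runas) commands   (simplified; no aliases or includes)
SUDO_RULE = re.compile(r"^(?P<who>\S+)\s+(?P<host>\S+)=(?:\((?P<runas>[^)]*)\))?\s*(?P<cmds>.+)$")


def parse_group(text):
    """Return {group_name: set(member_names)} from /etc/group-style text."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, _gid, members = line.split(":", 3)
        groups[name] = {m for m in members.split(",") if m}
    return groups


def parse_sudoers(text):
    """Return a list of (who, runas, cmds) tuples; Defaults and comments are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = SUDO_RULE.match(line)
        if m:
            rules.append((m["who"], m["runas"] or "", m["cmds"].strip()))
    return rules


def audit_admins(groups, rules):
    """Map each account to the list of reasons it is effectively root."""
    findings = {}

    def add(user, reason):
        findings.setdefault(user, []).append(reason)

    # 1. Membership in a conventional admin group
    for g in ADMIN_GROUPS:
        for user in groups.get(g, ()):
            add(user, f"member of group {g}")

    # 2. docker group: a member can mount the host filesystem into a container
    for user in groups.get("docker", ()):
        add(user, "member of docker group (root-equivalent)")

    # 3. sudoers rules that grant ALL commands, directly or via a group
    for who, _runas, cmds in rules:
        if cmds.replace("NOPASSWD:", "").strip() != "ALL":
            continue  # scoped rule (single binary); not a blanket grant
        tag = "NOPASSWD " if "NOPASSWD:" in cmds else ""
        if who.startswith("%"):
            for user in groups.get(who[1:], ()):
                add(user, f"{tag}sudo ALL via group {who[1:]}")
        else:
            add(who, f"{tag}sudo ALL directly")
    return findings


def full_admins(findings):
    """Sorted usernames that appear in the audit findings."""
    return sorted(findings)


if __name__ == "__main__":
    result = audit_admins(parse_group(SAMPLE_GROUP), parse_sudoers(SAMPLE_SUDOERS))
    for user in full_admins(result):
        print(f"{user:8} {'; '.join(result[user])}")
```

On the constructed input the report lists alice, bob, carol, dave, erin and root; dave appears only because of the docker group, and erin's passwordless blanket grant is the kind of entry that should prompt the conversation about whether that teammate really needs it.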
What is one of the biggest bang-for-the-buck actions that an organization can take to improve its cybersecurity posture?
You don’t need to spend thousands to improve your security posture. There are a lot of fantastic open source tools out there that will secure your infrastructure for free. You should be spending your money on the people you want to use those tools so you can implement them properly. That will get you much further than buying an application that checks a few boxes that no one knows how to maintain.
How is it that cybersecurity spending is increasing but breaches are still happening?
People and organizations seem to think they have to spend a massive amount of money to secure their infrastructure because that’s what they’re often told by the media, salespeople, or others. People will drop all kinds of money on the fancy security appliance that does all the things, but at the end of the day they probably don’t know how to use it properly, and they probably didn’t even realize they could have spent all that money on qualified individuals to implement most of these same features on free or open source software. Spend the money on recruiting and training the talent it takes to secure your organization instead of on the fancy box with all the bells and whistles.
Do you need a college degree or certification to be a cybersecurity professional?
Absolutely not. That’s not to say it doesn’t help with getting your foot in the door in certain organizations, because it absolutely does in some cases. Requirements are different everywhere. But I think a large part of what has driven me, and many other people in the field, is natural curiosity and a drive to do the things we do.
We are inquisitive as a community, and we question everything we use. How is this system or application put together? How does it work? What can I do to change X feature? What happens when I do this? We learn by tearing things apart and putting them back together again, reconfiguring, and constantly trying to keep up with the technology firehose. There is always something new to learn, break, or demystify, and that never-ending list of ways to improve is what has gotten me to where I am today.
How did you get started in the cybersecurity field, and what advice would you give to a beginner pursuing a career in cybersecurity?
I got started in security specifically in college. I had always been obsessed with computers and development and building my own systems, but I wasn’t properly introduced to the security field until about 2005. I had a handful of friends who were minoring in security, and they told me about the security lab and some classes I didn’t even know about. I volunteered to be a lab assistant because I had a strong Linux background and it sounded fun. I’ve been hooked ever since.
Bottom line: get involved. Talk to people. Go to conferences or even volunteer at one. Get your hands dirty. Listen to all the podcasts. Take advantage of free training and knowledge. Jump into a capture-the-flag contest or an open source project, even if it makes you nervous. Always be learning. The more people you meet in this industry, the more you’ll realize there are things you don’t know. That can be daunting to many people, but take that feeling and turn it into motivation. So many doors open this way, and you will never be bored again a day in your life. This speaks to not only security, but IT in general.
What is your specialty in cybersecurity, and how can others gain expertise in your specialty?
My security focus has always been related to Linux and cloud infrastructure. For years, I have specialized in hardening Linux systems on dev, production, and operations teams, and the infrastructure and networking they run on. My experience has spanned a wide variety of application stacks and platforms, and this has been beneficial in many ways. One way is that I have never been tied to any one language or piece of technology.
Lots of companies need these skills, and the landscape is always changing, so the opportunity is there for the taking. My advice is to dive in head first and get your hands dirty. Build out some systems, or a network. Stand up a server and deploy an application. Try all the cloud platforms, or even deploy your own private cloud. Poke holes and figure out how to fix them. There are even exercises online built specifically for the purpose of exploiting systems and figuring out the flaws.
Internships, shoulder surfing, capture-the-flag contests, building your own lab, and hands-on practical experience are all great ways to get more experience in this area.
What is your advice for career success when it comes to getting hired, climbing the corporate ladder, or starting a company in cybersecurity?
As for getting hired, let your passion speak for you. What drives you? What keeps you up at night? What do you start working on and suddenly four hours have gone by? Chances are, companies will recognize that. Show things you’ve worked on or written about, and talk about why you loved that project you worked on a year ago, how you built it, and why it was awesome. Companies need to hire people with skills, sure, but they also need to hire people who have the hunger to learn and are teachable.
As for climbing the corporate ladder, the more you learn, the more you can teach others. Start mentoring people with less experience. Share your knowledge. Show that you are capable of leading others. Express interest in taking on more responsibility. Don’t be afraid to tell your boss or manager that you want to take the next step. Be vocal about your career goals while working toward them, and make sure they can see you putting forth the effort.
What qualities do you believe all highly successful cybersecurity professionals share?