Tribe of Hackers
Page 25
Do you need a college degree or certification to be a cybersecurity professional?
Do you “need” a college degree or certification to be a cybersecurity professional? Well, yes, because many organizations require this type of pedigree as a checkbox for even being considered for a cybersecurity job opening. In that sense, it is pretty much necessary. But I could just as easily say, “No, all you need is a whole lot of talent and desire and curiosity and experience, and you will succeed.”
Now, I am old school and have the perspective that the best cybersecurity professionals have learned their craft through experience—that education (first) and certification (later) are not necessary at all. I still bristle every time I see certain certifications listed by individuals, and I believe that the more certifications you possess, the less likely you are to have any meaningful skills. But…I realize that not everybody had the opportunity to be in on the “ground floor” of the internet and that there are amazingly talented young people who would love to break into this industry but simply don’t have the experience—and won’t get it because of HR screening practices. So, while I’d like to say, “No, these aren’t necessary to be a cybersecurity professional,” I think that, realistically, these days you need to start somewhere, and degrees and certifications are a good way to get the foundational knowledge that will help you succeed.
How did you get started in the cybersecurity field, and what advice would you give to a beginner pursuing a career in cybersecurity?
I began my career in information security working for the Department of Defense. I ended up working in an office that conducted security evaluations of fielded (crypto) systems and ultimately the “networked systems” branch in that office—right around the time that the internet was becoming publicly available. I discovered that I possessed this thing that came to be known as the “hacker mentality”—which made me good at figuring out how to break and/or find flaws in the security. At the end of the day, it was a matter of being at the right place at the right time, but I would also attribute getting into the field to a natural curiosity that my “hacker mentality” brought about.
The advice I would give to a beginner pursuing a career in cybersecurity (or any field, really) is to make sure you’re pursuing something you’re genuinely interested in, that makes you happy, and not just pursuing it because it has the promise of paying well. I have met too many folks who want to get into this industry because it looks like fun and appears to be rewarding for various reasons. But, they don’t necessarily have the fundamental drive, the “hacker mentality,” to really help them excel in their pursuits. I’m not convinced that this mentality is something that can be taught or obtained. In other words, either you have it or you don’t. This doesn’t necessarily mean that you shouldn’t pursue a cybersecurity career or that you can’t be really good at what you do. There are, after all, many aspects to this thing we call cybersecurity, and it takes many types of skill sets to move this profession forward. Nobody does it all or knows it all.
I keep coming back to finding something that you are interested in doing, enjoy doing, and maybe even have some talent for. There you will find the most success and satisfaction.
What is your specialty in cybersecurity, and how can others gain expertise in your specialty?
This is a tough question to answer. My specialty in cybersecurity is that I am a generalist; I know a little about a lot. I spent nearly 10 years of my career working as a third-party assessor, where I was hired by companies to help them build their own cybersecurity programs to meet industry compliance standards. This experience required me to become an “expert” at virtually every aspect of cybersecurity—not necessarily from the perspective of being a practitioner, but being able to see the big picture of cybersecurity and how each aspect or element fits into the overall strategy for becoming “secure” (or rather “compliant”). I encourage people to try to find jobs that give them exposure to the big picture or overall strategy of cybersecurity in their organizations. I believe that “big-picture” understanding helps you to be better at your job, no matter how big or small your role is in cybersecurity. Move around, try different things. If you can’t get a job or assignment doing something different, then be an observer or volunteer (intern) to learn another aspect of the job. Ask questions. Try to see the big picture and how each element fits into it.
What is your advice for career success when it comes to getting hired, climbing the corporate ladder, or starting a company in cybersecurity?
Whatever you endeavor to do, make sure you are doing it for the right reasons. I often hear people in this field say some variation of, “It’s so cool that I get paid to do what I love.” That’s one thing that makes this field really special and why so many want to get into the field. But, there’s an old saying where I come from: “It’s not just an adventure, it’s a job.” Perspective is everything, and that is something I often have to remind myself. Yes, you need to get paid, and yes, you should do something that you like to do, but that isn’t always the case. Having a positive attitude can help, or having the ability to look beyond yourself (I think that’s called empathy).
In terms of starting a company, I would say that you need to remind yourself of why you want to start something. Do you really want to help? Do you see a need and have a solution? Great. Go for it. Do you see a way to make millions? That’s also okay for some, but I would suggest you think twice before heading down that path. The most successful and happy/content people I know in this industry got there because they had a vision for solving a problem and helping people (organizations) do better at cybersecurity. They made sacrifices, yes, but they also had their limits. Somebody once said, “Keep your feet on the ground, and keep reaching for the stars.” (It was Casey Kasem…Google it!)
What qualities do you believe all highly successful cybersecurity professionals share?
The shared qualities of highly successful cybersecurity professionals depend on how you define success. If you define success as simply becoming incredibly wealthy, then the shared qualities too often involve being cutthroat, screwing over the customer to get the sale, and sacrificing families, friends, and personal values. Not all the time, but it is common to meet the CEO of a highly successful company who has incurred significant personal loss, generally through a divorce (or two).
On the other hand, if you define success in other ways, such as providing solutions, helping others, promoting sound cybersecurity practices, giving back to the community, or setting personal limits on what you will or won’t do in terms of personal/family sacrifice, then you are going to find a different set of shared qualities. These types of individuals tend to be “real.” They set limits for themselves and their employees; they encourage time off and really mean it; they reward innovation and give credit where credit is due; they have families and like to spend time with them; they are passionate not only to learn but also to teach; they are humble; they care. And they are really good at what they do from a technical perspective.
What is the best book or movie that can be used to illustrate cybersecurity challenges?
I’m not advocating that this is a particularly great movie, but Harrison Ford’s Firewall touches on one aspect of cybersecurity that we never really talk about, at least with regard to multifactor authentication. That is the “what if somebody puts a gun to your head” scenario or, in this case, threatens your family. Not that we don’t talk about it, we just don’t really have a good answer for it. This is a good illustration of how cybersecurity tends to focus on stopping the inadvertent or casual hacker while doing little to stop or mitigate deliberate efforts to target you specifically. Nobody wants to spend the type of money it would require to “secure” everything, so we tend to ignore the fact that most organizations can’t or don’t protect themselves from targeted attacks.
What is your favorite hacker movie?
I’m going to date myself with this one, but I’m okay with that. I have to list two, though: WarGames—“Shall we play a game?”—because of its portrayal of the hacker mind-set. Sneakers—“My voice is my passport. Verify me.”—because it was the first mainstream movie to show social engineering and physical compromise as part of penetration testing.
What are your favorite books for motivation, personal development, or enjoyment?
For motivation:
Dangerous Wonder by Michael Yaconelli
To Own a Dragon by Donald Miller
For personal development:
Inside Out by Larry Crabb
Messy Spirituality by Michael Yaconelli
The Wounded Healer by Henri J. M. Nouwen
Out of the Saltshaker & into the World by Rebecca Manley Pippert
For enjoyment:
The Chronicles of Narnia by C. S. Lewis
With Justice for All by John Perkins
A People’s History of the United States by Howard Zinn
What is some practical cybersecurity advice you give to people at home in the age of social media and the Internet of Things?
Don’t fill your house with any more technology than necessary. Separate your accounts into “more” sensitive (private) and “less” sensitive, and use stronger, more cryptographically secure passwords for the sensitive accounts. Be aware of what information you possess and what you consider to be private information, and treat it accordingly. Use separate payment cards for online versus brick-and-mortar shopping. Be aware and informed of the pros and cons of implementing new technologies anywhere.
What is a life hack that you’d like to share?
Remember these two important life truths: everything matters, and nothing matters. What does this mean? Basically, it means that you should always try to see the bigger picture. It’s easy for me to get spun up about major issues in my life or workplace, but I try to remember to take a “step back” and see the bigger picture—and there’s always a bigger picture. A former supervisor once told me, “Don’t bring up any problems that you see in the organization unless you have some idea of how to solve them.” I think that’s been a pretty good litmus test over the years for getting spun up about problems and issues.
What is the biggest mistake you’ve ever made, and how did you recover from it?
This really depends on how you define “mistake.” I have certainly done things that have caused me to be pushed out or even fired from several jobs, but I don’t consider any of those events to be big mistakes. I have made career choices that have not yielded the financial rewards that others have enjoyed, but I don’t consider those choices to be mistakes at all. I cannot think of a single significant event, but I know that there have been times in my life when I’ve put myself first over my wife and family, only to find out how hurtful my actions were to those that I love and care for the most. The biggest mistake, then, was putting myself first before others in terms of decisions and actions I’d taken, which ended up being hurtful to others.
How did I recover from these times? Someone, usually my wife, pointed out my selfish behavior and how hurtful it was to others. Once I am aware, I apologize and resolve to do better the next time, and I try to remember to consider others before myself as well as what the potential impacts of my actions are. It’s not a life lesson that I would say I have mastered, as I continue to disappoint and hurt those I care for the most. But it helps to keep me humble and focused on doing better the next time. ■
42
Jim Manico
“Learn to code. No matter what else you do in security, it will augment your career and capabilities.”
Twitter: @manicode • Website: manicode.com
Jim Manico is the founder of Manicode Security, where he trains software developers on secure coding and security engineering. He is also the founder of Infrared Security and Brakeman Security and is an investor/advisor for Signal Sciences and BitDiscovery. Jim is a Java Champion and a member of the JavaOne Rock Star speaker community. He is the author of Iron-Clad Java: Building Secure Web Applications from McGraw-Hill and Oracle Press. Jim also volunteers for the OWASP foundation, where he helps build application security standards and other documentation. For more information, see http://www.linkedin.com/in/jmanico.
If there is one myth that you could debunk in cybersecurity, what would it be?
That input validation is enough to stop injection. Programmers need to master other techniques like query parameterization and proper escaping to stop the various forms of injection.
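The point above, shown as an added example that is not from the book or from Manicode: a name lookup that validates input with a reasonable allow-list (real names need apostrophes and hyphens) and then concatenates it into SQL still breaks, while the same validation in front of a parameterized query does not. The table and rows are constructed for the demonstration; it uses only Python’s standard sqlite3 module.

```python
import re
import sqlite3

# Allow-list that a real name field has to accept: letters, spaces,
# apostrophes (O'Brien) and hyphens (Mary-Ann). This is the kind of
# validation that looks sufficient and is not.
NAME_RE = re.compile(r"^[A-Za-z' -]{1,64}$")

# Constructed sample data for the demo (hypothetical users/emails).
SAMPLE_USERS = [
    ("Alice", "alice@example.test"),
    ("O'Brien", "obrien@example.test"),
    ("Bob", "bob@example.test"),
]

# Constructed input: every character passes NAME_RE, yet inside a
# concatenated query it closes the string literal and adds a clause
# that is always true, then comments out the trailing quote.
MALICIOUS_NAME = "' OR 'x' IS NOT NULL -- "


def make_db() -> sqlite3.Connection:
    """Build an in-memory table with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (name, email) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def is_valid_name(name: str) -> bool:
    """Input validation: accept only characters a name may contain."""
    return NAME_RE.fullmatch(name) is not None


def lookup_concat(conn: sqlite3.Connection, name: str):
    """Validation followed by string concatenation (the anti-pattern).

    Returns the matching e-mail addresses, or None if the query itself
    failed, which happens for the legitimate name O'Brien because the
    apostrophe terminates the SQL string literal.
    """
    if not is_valid_name(name):
        raise ValueError("rejected by input validation")
    sql = f"SELECT email FROM users WHERE name = '{name}'"
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.OperationalError:
        return None


def lookup_param(conn: sqlite3.Connection, name: str):
    """Validation followed by query parameterization (the fix).

    The driver sends the value separately from the SQL text, so the
    apostrophes in the input are data, never syntax.
    """
    if not is_valid_name(name):
        raise ValueError("rejected by input validation")
    rows = conn.execute("SELECT email FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    print("validation passes malicious input:", is_valid_name(MALICIOUS_NAME))
    print("concat, malicious :", lookup_concat(db, MALICIOUS_NAME))   # every row leaks
    print("concat, O'Brien   :", lookup_concat(db, "O'Brien"))        # query error
    print("param,  malicious :", lookup_param(db, MALICIOUS_NAME))    # no match
    print("param,  O'Brien   :", lookup_param(db, "O'Brien"))         # correct row
```

The takeaway mirrors the answer above: tightening the regex would reject legitimate names before it would close this hole, because the characters that carry SQL meaning here are the same ones the field must accept. Parameterization removes the problem regardless of what the validator lets through, and validation is then left to do its proper job of rejecting nonsense early.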
What is one of the biggest bang-for-the-buck actions that an organization can take to improve its cybersecurity posture?
Force a policy of 16-or-more-character passwords as the new minimum.
How is it that cybersecurity spending is increasing but breaches are still happening?
Hackers gonna hack.
Do you need a college degree or certification to be a cybersecurity professional?
Nope. Experience rules the roost. Can you play or not? That is the question.
How did you get started in the cybersecurity field, and what advice would you give to a beginner pursuing a career in cybersecurity?
I’m a coder first, security pro second. Learn to code. No matter what else you do in security, it will augment your career and capabilities.
What is your specialty in cybersecurity, and how can others gain expertise in your specialty?
Application security. Learn to code. The best way to learn about secure coding is to work under an architect who gets it.
What is your advice for career success when it comes to getting hired, climbing the corporate ladder, or starting a company in cybersecurity?
Chop the corporate ladder into firewood and use it to start a campfire, where you get really drunk or have some other life-altering experience where you finally decide to start your own company and become an independent consultant or entrepreneur.
What qualities do you believe all highly successful cybersecurity professionals share?
A desire to learn more! At all times!
What is the best book or movie that can be used to illustrate cybersecurity challenges?
My first security book was Gary McGraw’s Software Security, with the yin and yang on the cover. Great read.
What is your favorite hacker movie?
The 1995 movie Hackers with Angelina Jolie. The fire sprinkler system going off is my first security memory.
What are your favorite books for motivation, personal development, or enjoyment?
I carry a Hawaiian language book with me when I fly. I also started reading the book EQ, Applied, which is a powerful book on topics we do not address enough in the security industry.
What is some practical cybersecurity advice you give to people at home in the age of social media and the Internet of Things?
Really, really long, unique passwords on all things.
What is a life hack that you’d like to share?
When you get a text early in the morning saying, “Nuclear ballistic missiles are inbound, take cover. This is not a drill,” open the good stuff and spend some time with friends. We got such an alert in Hawaii recently, and it was a life-altering experience.
What is the biggest mistake you’ve ever made, and how did you recover from it?
You have to take me to dinner first and tell me sweet nothings before I tell you that one. ■
43
Kylie Martonik
“Oftentimes, it feels as though companies are quick to buy the newest “whizz-bang” tool or software that is presented as an all-in-one solution that can fix all of their problems without ensuring that the basic security checkboxes are filled.”
Twitter: @0xNBE1 • Website: www.linkedin.com/in/kyliemartonik
Kylie Martonik is a managing security consultant. Specializing in pentesting, she has seen an array of diverse environments ranging from small credit unions to large healthcare providers. Kylie has assisted security and IT teams in long-term project efforts, short-term operations, and building the road map to bring them closer to the ideal security program. Outside of work, she can be found flying her drone, playing video and board games, or actively hunting for the next action figure to add to her collection.
If there is one myth that you could debunk in cybersecurity, what would it be?
The myth I would debunk is that it’s all technical work. I believe people tend to directly correlate “cybersecurity” with technical tasks or skills, such as hacking, malware reverse engineering, incident response, and so on. However, there are many other areas within cybersecurity where in-depth technical skill is not required, such as policy, compliance, and privacy.
What is one of the biggest bang-for-the-buck actions that an organization can take to improve its cybersecurity posture?
Oftentimes, it feels as though companies are quick to buy the newest “whizz-bang” tool or software that is presented as an all-in-one solution that can fix all of their problems without ensuring that the basic security checkboxes are filled. Many organizations could get the most benefit from doing the reverse. By that, I mean spending the time/money on implementing and maintaining the basic administrative policies that support information security, the standard technical tools that can improve resilience against a future attack, as well as providing proper and regular education on information security topics to their workforce.
How is it that cybersecurity spending is increasing but breaches are still happening?