Product vendors often (not all the time) push their products as the magical solution to solving information security problems. Also, the decision-makers who procure those tools may be uneducated regarding what is truly needed to implement a robust security program that would mitigate or reduce the likelihood of a breach.
Additionally, the information security industry struggles with communicating the true business risks of vulnerabilities and threats in a way that is understood by said decision-makers. When combined, this can create the perfect scenario for breaches to continue to occur.
Do you need a college degree or certification to be a cybersecurity professional?
In this current day, degrees can help a less-experienced individual break into information security. However, I do not believe that degrees are strictly required to enter the field.
How did you get started in the cybersecurity field, and what advice would you give to a beginner pursuing a career in cybersecurity?
When I was in my third year of college, I enrolled in a class ominously named “Information Warfare.” Within the first month, I had popped my first shell using MS08-067 and have been hooked ever since. My advice to a beginner would be to stop wondering if you can break into information security and instead just go for it.
What is your specialty in cybersecurity, and how can others gain expertise in your specialty?
My professional journey led me down the path of a pentester, but I have had the opportunity to experience other areas of the field as well. What I would recommend to others is to go experience what you can, chase what you find interesting, and have the grit to stick through the highs and the lows.
What is your advice for career success when it comes to getting hired, climbing the corporate ladder, or starting a company in cybersecurity?
Build your soft skills as urgently as your technical skills. You can be the best hacker in the world, but if you can’t communicate what you’re doing, how you’re doing it, and so on, it won’t matter.
What qualities do you believe all highly successful cybersecurity professionals share?
Passion. Information security thrives when individuals are passionate about what they do.
What is the best book or movie that can be used to illustrate cybersecurity challenges?
The TV show Mr. Robot.
What is your favorite hacker movie?
The Matrix, with Hackers being a close second.
What are your favorite books for motivation, personal development, or enjoyment?
Mindset by Carol S. Dweck and the Space Odyssey series by Arthur C. Clarke.
What is some practical cybersecurity advice you give to people at home in the age of social media and the Internet of Things?
I actually struggle with this question because the standard advice of “stop reusing your password” and “enable multifactor authentication” seems to fall on deaf ears for the bulk of the population. While I would not hesitate to tell anyone this type of advice, there is still the challenge of helping them understand why it’s important in terms they can understand so they actually follow it. Otherwise, I believe it can be viewed as an impediment to what they actually want to do while using computers, and there’s a high chance they will revert to their “old ways.”
What is a life hack that you’d like to share?
As someone who experiences imposter syndrome, I regularly create mental habit loops to combat my brain’s tendency to want to focus on the negative. If I start thinking to myself something like, “I’m not good enough” or “There’s no way I could do that,” I make those my triggers to say something positive to myself, such as, “But with enough time and effort, I can improve/learn.” Even adding a “yet” to the end of those types of self-thoughts can be comforting and dissipate the feeling of disparity.
What is the biggest mistake you’ve ever made, and how did you recover from it?
Being afraid to fail. I still encounter this feeling regularly. However, I actively remind myself that failing is not a negative thing but rather an opportunity to learn and improve. ■
44
Christina Morillo
“The biggest myth is that everyone—from companies to every hacker on the planet—has it all figured out.”
Twitter: @divinetechygirl • Websites: www.christinamorillo.com and www.linkedin.com/in/christinamorillo
Christina is a New York City–based information security and technology professional with a background in enterprise-level security and identity. By day, she works as a senior program manager at Microsoft, helping organizations “do more” securely.
In addition to her professional work, Christina also cofounded a virtual community that is best known for boosting visual representation in the tech industry by way of an open source collection of stock photos. Christina advocates and is passionate about visual representation, connecting and creating opportunities for others, and empowering women and underrepresented folks to follow careers in security and technology. When she is not at work/traveling for work or spending time with her family, she is co-leading Women in Security and Privacy’s NYC chapter, attending InfoSec meetups, or watching Black Mirror episodes.
If there is one myth that you could debunk in cybersecurity, what would it be?
The biggest myth is that everyone—from companies to every hacker on the planet—has it all figured out. In a field that has both breadth and lots of depth, trust me when I say this isn’t the case. The one thing both companies and people have in common, besides skipping the basics when it comes to security, is refusing to admit that we don’t know it all.
What is one of the biggest bang-for-the-buck actions that an organization can take to improve its cybersecurity posture?
This is subjective and greatly depends on the organization’s priorities and strategy. By the way, this can also change depending on the business’s needs. For Company A, this could mean enabling multifactor authentication (MFA) for all employees, while for Company B, this could mean prioritizing productivity and enabling single sign-on for all users. My point is that there isn’t a one-size-fits-all approach when it comes to security.
How is it that cybersecurity spending is increasing but breaches are still happening?
CISOs are under enormous pressure to show immediate value, which results in security teams investing in and prioritizing tools they feel have a quicker ROI (like firewalls and logging) over basic hygiene.
Do you need a college degree or certification to be a cybersecurity professional?
That depends. While you don’t technically need a degree to work in the field, some companies—for example, financial corporations—may require this as part of their hiring practices and corporate culture. As far as certifications, well, these are a bit controversial in that not all certs are created equal. A lot of the big-name certs you’ve heard of are mostly theoretical and less practical (e.g., CISSP), but they remain popular among recruiters and CISOs due to name recognition and echo chambers. If you need to level up, I’d look at SANS GIAC info security certifications. While there is massive value in theory and understanding the basics, there is no substitute for getting your hands dirty. That being said, if I had to do it all over again, I would still obtain my degree(s).
How did you get started in the cybersecurity field, and what advice would you give to a beginner pursuing a career in cybersecurity?
While attending university, I started gaining experience by interning at my school’s computer lab. I then moved on to external help desk/technical support roles and gradually moved into a desktop support role. By the time I graduated with an AS in network administration and a BS in information technology, I had amassed enough experience to land a job as a network/system administrator at a technology consulting firm. While I didn’t have formal security training at the time, my previous experience and insatiable curiosity led me to my first role as an information security/identity management engineer a few years later. Back when I started, there really wasn’t a direct path, so I had to carve my own.
What is your specialty in cybersecurity, and how can others gain expertise in your specialty?
Thus far, most of my information security career has been building out and developing enterprise identity and access management frameworks. I have since pivoted to cloud identity and security and am focused on that these days. How can others gain this expertise? By doing the work and building a portfolio of hands-on experience, which, by the way, does not have to look like anyone else’s. That’s the secret. My advice would be to map out a plan and think about what experience (not tools) is relevant. This could look different depending on the specialty, year, and what level of experience you already have. So, perhaps start off entry level and then look at self-paced SANS, CTFs, and local college courses.
For my role, and I think for most, understanding foundational networking concepts is key. Critical thinking and the ability to break down a problem into solvable parts is also equally important.
What is your advice for career success when it comes to getting hired, climbing the corporate ladder, or starting a company in cybersecurity?
For being hired: great listening skills along with emotional intelligence. You’d be surprised by how much people love to talk, which gives you leverage. Listen, extract value, and frame your responses accordingly. Having excellent communication skills and confidence are also must-haves. Don’t be overly confident or cocky, as this can be off-putting. Always do your research and tweak your résumé to emphasize why you are the best candidate for said job/project. Ask thoughtful questions, and don’t be afraid to say you don’t know something; it’s all about how you phrase it.
What qualities do you believe all highly successful cybersecurity professionals share?
An insatiable curiosity and passion for making things better. Critical thinking. Seeing past shiny tech and addressing root causes. Always willing to learn, listen, and ask questions. Willing to help and guide others whether by volunteering, mentoring, or simply listening.
What is the best book or movie that can be used to illustrate cybersecurity challenges?
Black Mirror episodes.
What is your favorite hacker movie?
I don’t have one, but I absolutely love Mr. Robot and how they incorporate real practices and exploits.
What are your favorite books for motivation, personal development, or enjoyment?
Some of my current tech faves: Hacking the Hacker, The Manga Guide to Cryptography, Serious Cryptography, Penetration Testing: A Hands-On Introduction to Hacking, CISO Desk Reference Guide, 2600: The Hacker Quarterly, and many more.
For motivational and personal development: The Subtle Art of Not Giving a F*ck, The 48 Laws of Power, The Alchemist, The Smart Girl’s Guide to Privacy.
What is some practical cybersecurity advice you give to people at home in the age of social media and the Internet of Things?
I start by introducing the concept of threat modeling and how this applies to the individual. I then get into basic hygiene across devices and social platforms. It can be overwhelming, so I tend to phase this out. If I had to give a practical top five, it would be these:
Set your phone to auto-lock and set a passcode.
Use a password manager. This is easier than having to remember to not use the same passwords, but do use hard-to-guess passwords/passphrases as needed.
Enable multifactor authentication everywhere!
Harden your home network. Reset the default admin password. Rename Wi-Fi SSID and passwords.
Install updates across devices—do not skip indefinitely.
Bonus: Never connect to a public Wi-Fi network, and if you must, use a reputable VPN.
What is a life hack that you’d like to share?
Career-wise, don’t wait on a mentor to make moves. You are your number-one mentor and advocate. Equally important: never check a bag and always use no-bake lasagna noodles (you’re welcome).
What is the biggest mistake you’ve ever made, and how did you recover from it?
The biggest mistake I’ve made is letting my fear of failure dictate my dreams and ideas, especially after becoming a mother. Failure sucks, and where I come from, it is not celebrated because it is not an option. The only way to recover is to keep pushing myself past the point of uncomfortable by walking toward what I am afraid of and by turning my losses into lessons. ■
45
Kent Nabors
“Technology is made by people. Technology is implemented by people. Technology is used (and abused) by people. So, perhaps this isn’t a technology problem but rather a people problem.”
Twitter: @KentNabors • Website: www.linkedin.com/in/kentnabors
Kent Nabors has worked in bank examinations for the FDIC and the Federal Reserve. After leading the networking infrastructure team for a national midmarket bank, he went on to build their cybersecurity practice and then served as the institution’s first CISO. After more than 20 years in the banking industry, he recently took over as the cybersecurity leader for a national retail chain with more than 800 locations and a significant e-commerce presence. Kent is also the co-author of Dissecting the Hack: The F0rb1dd3n Network. When not practicing cybersecurity, Kent is an occasional speaker on the topic for industry, university, and civic organizations. He also does volunteer work for community cybersecurity activities. In what spare time remains, Kent owns a small business with his wife. He received his MBA from the University of Oklahoma.
If there is one myth that you could debunk in cybersecurity, what would it be?
When you practice cybersecurity (more on the term practice in a moment), you eventually realize that you cannot be successful. For someone tasked with protecting systems, this realization can (and should) grow into a question about what our organizations are asking of us. It is a far easier thing to give an assignment of “protect us” than it is to implement.
The reasons for this are legion. But I also think they can be categorized:
Technology. “You go to war with the army you have, not the army you might want or wish to have…” (Donald Rumsfeld). We work with the tools we can afford. And “afford” may not mean money; it could also mean human skill to implement or time to implement. And even if you have huge budgets and large, talented teams, the technology you work with may still not be sufficient to the task. Ultimately, technology is only a part of the cybersecurity problem.
Environment. David Foster Wallace gave a commencement speech in 2005. In it, he told the following joke: “Two young fish are swimming alone, and they happen to meet an older fish swimming the other way, who nods at them and says, ‘Morning, boys, how’s the water?’ And the two young fish swim on for a bit, and then eventually one of them looks over at the other and goes, ‘What the hell is water?’”
We spend so much energy trying to buy and implement systems for cybersecurity or create new procedures or produce the next awareness program, but we rarely think about the water we are swimming in. We assume far too much about what we do in a day. Even when we do things like threat modeling, we often work within walls of assumptions that prevent us from understanding what risks we are accepting. Then you realize—cybersecurity isn’t possible.
Mission. We may set a mission or purpose for our cybersecurity teams, but does it align with the organization? What happens when the organization has a different risk tolerance (often unstated) than what is required to achieve the organizational mission? I have debated with leaders who want “zero risk” and then cap a cybersecurity budget at 2 percent growth in a world of threats that increase exponentially. Then you realize—cybersecurity isn’t possible.
People. Technology is made by people. Technology is implemented by people. Technology is used (and abused) by people. So, perhaps this isn’t a technology problem but rather a people problem. That’s why there is a whole field of cybersecurity dedicated to initiatives like SANS “Securing the Human.” But if we are honest with ourselves, we know no human is reliable or ultimately trustworthy. So we are tasked with implementing technologies made by people to protect information that people want to steal or destroy. Then you realize—cybersecurity isn’t possible.
As for “practicing” cybersecurity, this isn’t something we can achieve. The medical profession has this concept right. We “practice” medicine with the goal of improving our abilities. We have made astounding progress in medicine, but so far the mortality rate among humans has remained stubbornly stuck at 100 percent. Humility is a good trait to have for cybersecurity professionals. “On a long enough timeline, the survival rate for everyone drops to zero” (Fight Club).
I don’t mean all of this as an “all is lost” view of the business of cybersecurity.