Tribe of Hackers


by Marcus J Carey


  My intention is to show that we overstate things when we say something is “secure.” Instead, we need to have an approach of active defense. There is no time when our data or systems are secured, but they should always be defended. Diligence should be our mantra more than security. That approach keeps us just enough on edge so we’re always looking for how we can become better.

  What is one of the biggest bang-for-the-buck actions that an organization can take to improve its cybersecurity posture?

  Tell the truth. Any organization larger than three people has political issues. Somewhere past 20, you have political parties. Then you drop that organization into a marketplace of customers, regulators, activists, attackers, and so on, and suddenly truth starts to become “truthy.”

  It takes courage to stop a large project that a business has invested time, money, and talent in to warn them that implementing it will violate a risk principle. It takes courage to read a penetration testing report and start acknowledging you don’t know as much about your organization, application, self, or adversary as you thought you did. It takes courage to listen to someone who is right, even when they don’t have the highest title in the room. It takes courage to keep showing up and standing against those who would tear down what you are charged with defending. But when you do that, you have to also have the courage to call for help when you see a new threat, or a breach in the defenses, even if it will be expensive. It is so hard to learn that it will only get more expensive the longer addressing the problem is delayed.

  How is it that cybersecurity spending is increasing but breaches are still happening?

  We are still trying to solve the wrong problems. If you are a cybersecurity practitioner, how do you advance your career? You need to build something new. You add to the size of your security team. You implement new tech. You chase after artificial intelligence, and threat modeling, or any other buzzword that is at or near the cutting edge of the industry.

  But what does your organization actually need? I bet it would benefit from the wisdom of Ignaz Semmelweis. He was the physician who made a logical leap based on observable evidence in the hospital where he worked in 1847. He noticed that women in the maternity ward got sick when examined by physicians who had just left the morgue. The physicians weren’t washing their hands. He instituted a handwashing practice and illness rates fell from 10 percent to 1 percent. Of course, the wisdom of the age said he was wrong, and he was forced out of the hospital.

  What kind of hero would you be if you came into a company and said, “We need to do basic hygiene, and we probably don’t need to spend any new money to do it?” The company would benefit, but would it jazz your résumé? Would you be able to publish a white paper about your discovery of digital handwashing? We need to use the right tools in the right places. Sometimes that will mean new tech and new approaches. But you’d better do the basics as well. Hunting for bad actors and new threats is cool and absolutely needed. But we also need to walk around and lock the doors, patch the things, and all the other basics.

  Do you need a college degree or certification to be a cybersecurity professional?

  Yes and no. No—By the time you go through a degree process, what you learned at the beginning is already becoming outdated. And the person who taught it to you either hasn’t been a practitioner in a long time or never was at all. So a degree gets you a basic body of knowledge. Perhaps 10–20 percent of that knowledge might be helpful for a while at the start of your career. The biggest thing it proves is you can endure a four-year hazing ritual.

  Certifications are really good to show technical competence. They are probably better than college degrees in this regard. But they don’t age well either. They also create a circular situation, where you’re chasing after “credits” of some form to document that you’re maintaining your certification. Ultimately, a certification is a reputation substitution scheme. I don’t know much about you, but I know something about that organization, so now I know something about you. At some point, your own reputation has to be built on performance.

  Yes—If you want to step from technical doer to technical leader, you need to know how to think. One of the smartest businesspeople I worked with in my career had a bachelor’s degree in letters. When he told me that, my question was, “What’s that?” For his degree program, he read the classics of Western literature and philosophy. We debated and worked on complex business and technical projects together, and he always asked the best questions. A degree forces you to solve problems (yes, even learning how to manage a pile of homework at finals time is a valuable career lesson).

  At the start of a career, certifications and degrees can help. But if you don’t create a habit of study that continues, they will be about as valuable as my long-expired Novell Network and Windows NT certifications.

  How did you get started in the cybersecurity field, and what advice would you give to a beginner pursuing a career in cybersecurity?

  I got in the business because of a virus infection. We had decent IT practices for the time, but we were not ready for new threats. Something got in. It didn’t do any damage, but we realized the rules had changed. I was fortunate to work for an organization that learned from the experience, and we quickly flipped the priority of security. I didn’t have cybersecurity in mind when I got my bachelor’s degree in business management. When I added an MBA, I was still thinking about things far from the world of cybersecurity (then again, not many were thinking about cybersecurity in those days except people like Clifford Stoll).

  But what I found is that cybersecurity is ultimately a people problem. That interested me. Here was this complex mix of technologies, regulations, threats, business objectives, and people. Now that was something I could work on. And there is one more important part of cybersecurity: if you want to be good at it, you have to see the nobility in it. We are protectors for people who don’t realize they need it. In this industry, you walk around life seeing things others can’t see. They need you to train your vision to see threats and rally to their defense. You have to be willing to do the work even when no one realizes what you did to protect them.

  What is your specialty in cybersecurity, and how can others gain expertise in your specialty?

  Hah! If you want to learn about my cybersecurity specialty, go read a history book. Seriously, my hands-on tech skills are not what they used to be. About 10 years ago, I found more of my time committed to building teams and building organizational habits around the practices of cybersecurity. There is a difficulty with this path because it is hard to see progress. You can labor for months and not see a change. Then, one day, a system admin or a tech support person, or even a front-line customer service staff member, calls and reports a security concern. The organization has learned to make security part of its habit. It’s like seeing a little green plant popping out of the soil after you planted seeds so long ago you’d forgotten you’d done it.

  How do you gain expertise there? Ask questions. Don’t be satisfied with marching orders. Ask for context when you’re given an assignment. Be curious about the mission of your business. Send a meeting invitation to a leader in your business, and ask them if they will teach you about the company. Volunteer in a community organization and meet people. We are in the networking business with data, but we should be in the networking business with people!

  What is your advice for career success when it comes to getting hired, climbing the corporate ladder, or starting a company in cybersecurity?

  Don’t get hung up on getting credit. When you’re starting out, you are playing a long-term game. You need to create and develop a brand (go read any of the great material from Tom Peters on building your brand). The best way to do that is to help other people.

  Instead of working on your own accomplishments, maximize how many people you can help. Then, one day, you will look around and be amazed at how many interesting people you know, and you’ll look back and see that you accomplished far more through their abilities than you could have done by yourself.

  What qualities do you believe all highly successful cybersecurity professionals share?

  Perpetually curious. Cybersecurity professionals must teach themselves to see the world differently. We are surrounded by systems, controls, and influences that attempt to shape human behavior. Most people walk through life not seeing these things. We need to constantly practice asking questions, learning new things, and testing, testing, testing.

  One more—practice people skills. Technology can be alluring. It is interesting to learn about something and dig deeper to learn more. The deeper you go, the deeper you need to go to really understand. But cybersecurity is about accomplishing things through the skills of people. If you can’t communicate the reason behind an action to a team, then that team won’t act effectively. The tech skills you learn today will be obsolete quickly. The people skills you learn will last your entire career.

  What is the best book or movie that can be used to illustrate cybersecurity challenges?

  The classic book is Cliff Stoll’s The Cuckoo’s Egg. The challenge most clearly illustrated is the constant struggle Cliff faces in convincing people that there’s a problem. Just because a system “works” doesn’t mean it isn’t compromised. The magic of his story is how he noticed one small thread out of place; he pulled on that thread and then unraveled an entire mystery.

  Cybersecurity professionals need to build time into their day to pull on threads. Find the thing that is out of place—or, better yet, study what “normal” is so you’ll be ready to see what shouldn’t be there. Then ask questions. And then ask more questions. I had a boss almost 20 years ago who regularly used the “three whys” technique. It often drove me crazy and was exactly what I needed to build a mind-set of digging to find the truth underneath a surface phenomenon.

  What is your favorite hacker movie?

  I’m going to go older here with Sneakers. It’s dated and the tech is rather magical, but I like the eclectic collaboration of the team. You can also take the “five mind-sets of hacking” that Josh Linkner put in his 2017 book, Hacking Innovation, and find every one of them in this 1992 movie. And even if you can’t get past the old tech, it’s still worth watching to see them talk Whistler (a blind character) through driving a van across the parking lot to save the team.

  What are your favorite books for motivation, personal development, or enjoyment?

  Tom Peters has built a strong community and keeps his website fresh with regular content. Every time he does a presentation, he posts his slide deck for free on his site. The Dip by Seth Godin is a good book about quitting. It’s a great way to challenge your thinking about strategies or practices you have put into place and help decide when it’s time to reevaluate. Team of Teams by General Stanley McChrystal is a really good book about managing in complex and dynamic environments. I really like his explanation of complicated versus complex, which has a lot of parallels in the cybersecurity world.

  This question is interesting to me because I’ve used a variation of this in interviews—“Tell me about the last book you read.” Cybersecurity professionals need to constantly read, and the material that is most timely is probably a post linked off of a tweet or GitHub. But if that is all you are reading, then you aren’t learning how to think. Your reading list should be diverse and challenge how you think—just like every day on your job in this business.

  What is some practical cybersecurity advice you give to people at home in the age of social media and the Internet of Things?

  Keep things up to date, segment, and call a (competent) friend for help when you are in over your head. Good advice for every network. Over my career, I’ve been asked to help out at a lot of smaller and personal networks. The problems are so similar: default passwords, systems not patched to current level, and things on the network that should never talk with devices that hold private data.

  At a minimum, keep all your devices patched. Just like you need to clean house or mow the lawn, patch your things. For the world of Internet of Things, take the time to learn how to segment them from your personal devices. Your laptop and thermostat don’t need to be on the same network.

  What is a life hack that you’d like to share?

  Balance. Cybersecurity people work so hard at making sure the technology in our networks is kept up to date and patched, and we should be doing the same for our own bodies and minds. And we should encourage the people on our teams to do likewise.

  I want people who love technology on my team. I want people who will dig into the documentation and experiment with new configurations. But I also want people who know something about the world they live in. I want them to think and have opinions and explore. When we all do that, we bring better insights to the puzzles before us each day.

  What is the biggest mistake you’ve ever made, and how did you recover from it?

  I didn’t appreciate the power of time. When you face a big problem, you see the entire problem, and it seems too big to accomplish. But when you break it down and win small victories over time, you create the type of momentum that actually speeds up your success. When you are 20-something and people tell you to invest (financially or with your energy), you think you have so much time and you will get to that later.

  When you’re in your 30s, you realize you should have started in your 20s, but that’s over. Then you double down on your work and effort, only to find in your 40s that you might have been investing too much in areas that weren’t as important as you thought.

  I know I didn’t say what my specific “biggest” mistake is. That’s because there were so many. And they all centered around not getting started when I should have, trying to take a shortcut to make up ground, and then putting too much effort into the wrong things. When I figured that out and started focusing on just a few things, and getting good at those, then I started to see results. Find out what is important to you and then pay the price to be good at it. If there is a barrier to your success, that’s just the way the world tells you to try harder. ■


  Wendy Nather

  “There are definitely people from different ethnicities, women, or whoever being judged as not capable, whereas other people are given the benefit of the doubt automatically. So, those minorities may need to prove themselves a lot more, and that’s when the education can come in handy.”

  Twitter: @wendynather • Website: idoneous-security.blogspot.com

  Wendy Nather is a mild-mannered threat intelligence research director by day and a former analyst and CISO in the public and private sectors. Warning: This interview may contain snark.

  If there is one myth that you could debunk in cybersecurity, what would it be?

  The biggest one from my perspective is the idea that all of the users of our systems need to know as much as we do about security. Back in the early days, in the ’70s and ’80s, when we were first building these systems, we built them for each other. And everyone in the community had pretty much the same level of knowledge. When you designed something, you were designing it for yourself and for people who knew the same things you did. The description of an intuitive interface really made a lot of assumptions that somebody else had the same background that you did, and therefore, they would be able to intuit what you meant with something. That’s completely different now. The rest of the world is using technology, and none of them understand security or IT in the same way that we do. If I could, I would kill the idea that they do understand the same things we do and, furthermore, that they must understand the same things we do. I think it’s unfair to expect them to have the same level of knowledge.

  What is one of the biggest bang-for-the-buck actions that an organization can take to improve its cybersecurity posture?

  There’s a lot of talk about the basics. If the basics were easy, everybody would be doing them. But I think they’re still worth calling out, even though they are difficult. The first thing is simply knowing what you have, what it’s being used for, and by whom. I recommend starting with an asset inventory—understanding what data is on those systems, who is using that data (and for what purpose), and who’s using the processes running on those systems. Still, that is so much harder than it sounds. I’ve known so many organizations that could not keep a running inventory. You have to solve that by doing continuous discovery, because people are frequently changing the endpoints that they use, especially with virtualized systems.

  How is it that cybersecurity spending is increasing but breaches are still happening?

  You can certainly spend more money on something and still not be doing it right. On the other hand, you can be doing a lot of things but not spending money in the right places. We tend to equate one with the other—that if you’re spending a lot, you must be doing a lot; and if you’re doing a lot, it must be effective. But I don’t think any of those things follow, necessarily, from that. In a lot of ways, we don’t understand how to solve this problem yet. So we’re throwing more money and lots of different techniques at it in the hope that we’ll find the right thing—find that spaghetti that sticks to the wall—but I don’t think we’ve gotten there yet. Therefore, spending more money doesn’t necessarily equate to solving the problem.

  Do you need a college degree or certification to be a cybersecurity professional?

  No. As somebody who does not have a college degree myself, and the only certification I got I gave up later, I would definitely say no. Certifications and education help in cases where the hiring process involves people who don’t know how to judge the capabilities of the candidates they’re looking at. Things like certifications and educational degrees can help them shortcut the need to know how to judge those capabilities, and therefore, they can be useful.

  They can also be useful in cases where you’re hiring candidates and you have to plausibly defend against grievances and lawsuits. In that way, they can help you justify your hiring decision in an objective manner. Again, having those pieces of paper is a great shortcut and a great standard that people can agree on.
