Finally, if you are an underrepresented minority and you are facing bias that forces you to demonstrate much more rigorously that you know what you’re talking about (rather than someone giving you the benefit of the doubt), then, again, having those pieces of paper may be necessary. I wish it weren’t, but, unfortunately, that’s often the case.
There are definitely people from different ethnicities, women, or whoever being judged as not capable, whereas other people are given the benefit of the doubt automatically. So, those minorities may need to prove themselves a lot more, and that’s when the education can come in handy.
How did you get started in the cybersecurity field, and what advice would you give to a beginner pursuing a career in cybersecurity?
I got into it by accident. I was managing a Unix system administrator group, and the company I was working for, a Swiss bank, decided to outsource its IT operations. I was put on a task force to figure out whether we could do that without violating Swiss banking law. So, investigating all of the security aspects of that outsourcing led to me being put in charge of regional security for the Europe, Middle East, and Africa region. That was my first security position, so that’s how I got into it.
For new people today, the most I think I can offer in the way of advice is to really study technology and understand the systems that you’re working with, and the applications, because you can’t secure them unless you understand well how they work.
What is your specialty in cybersecurity, and how can others gain expertise in your specialty?
That’s kind of tough because I think I may be one of the few remaining generalists in the field. I haven’t specialized in any particular area and have instead gone very broadly with my knowledge—both because when you’re a CISO, you need to understand a bit about everything that you’re managing, and then, as an industry analyst, I ended up covering pretty much every area whenever anyone on my team left. I would have to take over their areas of coverage and understand what those vendors were doing and the technology they were creating. I’ve studied just about everything.
What is your advice for career success when it comes to getting hired, climbing the corporate ladder, or starting a company in cybersecurity?
Interestingly enough, when you start working in security, it’s the so-called hard skills that will get you in the door—or understanding the technical aspects of what you’re doing. But as you start climbing the corporate ladder, it’s the so-called soft skills that make you a leader. You need to be able to not only engineer a system but engineer cooperation with your colleagues as well as other departments. To bring those efforts together, you need to be able to relate well to your customers (who are the business) and help design things that are helpful to them.
Also, you need to be able to influence other people to take the right security attitudes even if they don’t report to you directly. Learning how to influence or socially engineer people is important. And, of course, being able to manage people and help them develop, and mediate conflict, and do all the difficult things that managers have to do with line management; all of those things are necessary if you’re going to climb the corporate ladder.
What qualities do you believe all highly successful cybersecurity professionals share?
The first one I would say is curiosity, or wanting to understand how things work. And I think the second one is humility and knowing that you are never going to understand everything completely. The people who have gotten to really high positions who are very well admired and known in the industry are, for the most part, people who are very humble. I always enjoy talking with them because they are as eager to learn from me as I am to learn from them.
What is the best book or movie that can be used to illustrate cybersecurity challenges?
There are so many books, and they all seem to cover different slices of what is a really expanded whole. I don’t really think there’s any movie that’s covered it well, and I know people who love the classics like Sneakers and Hackers and so on are going to disagree with me there, but as a professional who’s worked on the defense side all this time, I’ve never really found a movie that I could relate to. So, I think that’s long overdue.
From a facetious point of view, if I were to make a movie about the life of a CISO, a lot of it would be staring at Excel spreadsheets and turning off the notifications on your phone. It’s really hard to portray, but I wish somebody could do it in a way that wasn’t overly sensationalized. There are a lot of state actor attacks and sensational headlines that we see, but we don’t see the really boring stuff like, “Oh, Bob has been going to the wrong website again,” and “I’ve got to pull the logs and give them to HR, and I just hate my life right now.” It’d be really interesting to get this information from a lot of CISOs and see if you could put it together into an interesting enough movie that didn’t fall back into the sort of “hacker scene.”
What is your favorite hacker movie?
I would have to say my favorite has always been Real Genius. It’s not, strictly speaking, a security movie. But it sure is about hacking, and it sure is about creative people, and the ways that they interact with the world are definitely ones I can relate to. And Real Genius has some pretty fun songs in it.
What are your favorite books for motivation, personal development, or enjoyment?
I like a lot of science-fiction books. One that I think has helped me with motivation is called Hardcore Zen by Brad Warner. He is a Buddhist monk who used to be a punk rocker, and he describes how Zen Buddhism really does share a lot of the same ethos as punk rock, in that you don’t just blindly trust authority, and you try to figure out for yourself what reality is. I think it’s a really interesting look at a philosophical perspective.
What is some practical cybersecurity advice you give to people at home in the age of social media and the Internet of Things?
I try not to give them advice because it’s really hard. I think the simplest thing that I tell people is this: to avoid scams, phishing, and so on, don’t respond to anyone you don’t know who contacts you first. I think that will cut out a lot of the problems that people tend to run into. That doesn’t stop teenagers who go to really sketchy websites and end up with malware and that sort of thing, but for just about everybody else, if it’s not a person you know personally, and if it’s someone that’s reaching out to you, don’t respond in the same way that they contacted you.
What is a life hack that you’d like to share?
Sometimes I go on what I call a data cleanse, and I will just stop reading things, listening to things, and I put my phone away. I try to spend a lot of time without other people’s words and thoughts in my head. I find that it’s pretty hard at first, but it becomes relaxing the longer you do it. Today, we are so used to reading as much as we possibly can—because it’s so available and it’s at our fingertips—instead of picking one book and spending a week reading it and thinking about it. So, I just try to step away from all of that and try not to ingest as much data as possible all the time.
What is the biggest mistake you’ve ever made, and how did you recover from it?
I think a lot of the things we do at work or in life all seem to be the right thing at the time, and maybe in hindsight we could have done something differently, but we never really know how it would have turned out if we had. So, I try not to spend too much time second-guessing things that I did. I still feel bad about them, but I don’t think about how I would have done them differently. ■
47
Charles Nwatu
“Security is a complex problem that contains many components, and there is something for everyone. We should be open to helping and teaching all.”
Twitter: @charles_nwatu • Website: www.linkedin.com/in/cnwatu
Charles Nwatu is originally from Alexandria, Virginia, and currently resides with his wife and two kids in Northern California. As an information security professional, he uses his skills and experience to develop and design detection and response teams. Charles is a continuous learner and enjoys meeting and connecting with people. He also has a passion for advancing underprivileged and underrepresented communities within the STEAM community.
If there is one myth that you could debunk in cybersecurity, what would it be?
“Security is hard!” That would be the myth I would like to debunk. I look at security as an ongoing, evolving challenge that anyone can participate in. To start debunking this myth, I believe that, as security practitioners, we need to be explicit with our language and ensure that we are collectively speaking and using the same terminology. One of my personal goals is to reduce the barrier to entry when it comes to security and how it is explained to people. Security is a complex problem that contains many components, and there is something for everyone. We should be open to helping and teaching all.
What is one of the biggest bang-for-the-buck actions that an organization can take to improve its cybersecurity posture?
“Do less better!” Organizations should invest in performing basic security hygiene on a continuous basis. Does your organization have the ability to answer the following questions?
What have we defined as an asset?
How many corporate assets do we own?
How many server assets do we own?
What is the current software inventory of our corporate assets?
What third-party libraries do our application or services use?
What are the current versions of the third-party libraries that our application or services use?
I am explicit about the questions I ask so that participants in the conversation can understand what we mean and how we define it. These questions focus on vulnerability management, detection engineering, instrumentation, and monitoring. Simple investments in understanding your “assets” will help guide where and how you invest and improve your security posture.
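The two library questions above ("what third-party libraries do our services use, and at what versions?") are the kind that only get answered reliably when the lock files of every service are pulled into one place. The script below is an added example, not code from the interview or from any project Charles Nwatu describes. It assumes each service ships a pip-freeze style lock file (`name==version` per line); the service names and lock-file contents are constructed for the example. It builds a library-to-version-to-service inventory, flags libraries pinned at more than one version across the fleet (the usual sign that one team is patching and another is not), and answers "who runs library X?" with package-name normalization so `PyYAML` and `pyyaml` count as the same asset.

```python
"""Added example: consolidating third-party library inventory across services.

Assumes each service ships a pip-freeze style lock file ("name==version" per
line). The service names and lock-file contents below are constructed.
"""
import re
from collections import defaultdict

# Constructed lock files, one per service (not real data).
SERVICE_LOCKFILES = {
    "api": "requests==2.31.0\nurllib3==1.26.18\nPyYAML==6.0.1\n",
    "worker": "# pinned by CI\nrequests==2.28.2\nurllib3==1.26.18\ncelery==5.3.4\n",
    "reporting": "pyyaml==5.4.1\nrequests==2.31.0\n",
}

# Only exact pins are inventoried; ranges (>=, ~=) are not a known version.
PIN_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s;#]+)")


def normalize(name):
    """PEP 503 name normalization: case-insensitive, runs of -_. become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_lockfile(text):
    """Return {normalized_name: version} for every pinned line in a lock file."""
    pins = {}
    for line in text.splitlines():
        m = PIN_RE.match(line)
        if m:  # comments, blank lines and unpinned specs are skipped
            pins[normalize(m.group(1))] = m.group(2)
    return pins


def build_inventory(lockfiles):
    """library -> version -> sorted list of services pinning that version."""
    inv = defaultdict(lambda: defaultdict(set))
    for service, text in lockfiles.items():
        for lib, ver in parse_lockfile(text).items():
            inv[lib][ver].add(service)
    return {lib: {v: sorted(s) for v, s in vers.items()} for lib, vers in inv.items()}


def version_drift(inventory):
    """Libraries pinned at more than one version somewhere in the fleet."""
    return {lib: vers for lib, vers in inventory.items() if len(vers) > 1}


def services_using(inventory, lib):
    """Answer 'which services run library X, and at which version?'"""
    return {
        svc: ver
        for ver, svcs in inventory.get(normalize(lib), {}).items()
        for svc in svcs
    }


if __name__ == "__main__":
    inv = build_inventory(SERVICE_LOCKFILES)
    for lib, vers in sorted(version_drift(inv).items()):
        print(f"drift: {lib}: {vers}")
    print("PyYAML ->", services_using(inv, "PyYAML"))
```

Run as is and it reports drift for `requests` and `pyyaml`; swap `SERVICE_LOCKFILES` for the real lock files of your services and the same functions give the fleet-wide answer. The drift report is where vulnerability management and patch prioritization start: a library at three versions across ten services is an asset you do not yet understand.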
How is it that cybersecurity spending is increasing but breaches are still happening?
I am probably oversimplifying this, but as I said earlier: do less better! Organizations can gain great insight by performing basic security hygiene. I see breaches as failures in our ability to understand our environments. The following quote from Matthew Syed in his book, Black Box Thinking, also sheds some insight into the ills that face our industry:
“Failure is rich in learning opportunities for a simple reason: in many of its guises, it represents a violation of expectation. It is showing us that the world is in some sense different from the way we imagined it to be. […] These failures are inevitable because the world is complex and we will never fully understand its subtleties. […] Failure is thus a signpost. It reveals a feature of our world we hadn’t grasped fully and offers vital clues about how to update our models, strategies, and behaviors.”13
In other words, throwing more money at a problem does not necessarily fix it!
Another major challenge within the security space is knowing how to effectively measure security investments. Investments are defined as tool spending, personnel hires, personnel development, process definition, and improvement. Within security, there is this concept of the “Defender’s Dilemma,” which basically is the idea that, as a defender, I am responsible for all of the things, whereas an attacker only has to find a single thing to exploit. This “single” thing could be as simple as walking into an organization and dropping a malicious USB stick, phishing, or publicly disclosing a private cloud infrastructure.
When organizations do not understand their true “asset” visibility, it is challenging to protect and monitor it. Once visibility is gained, continuous instrumentation and testing is needed to validate the organization’s posture and the effectiveness of any security investments made to date.
Do you need a college degree or certification to be a cybersecurity professional?
No. With that said, I do understand the importance of demonstrating your knowledge, and this can be done through many vehicles. You can do it via code, by giving back to open source projects, or through formal education. At the end of the day, demonstrating what you know as a cybersecurity professional is important; your journey is your journey.
How did you get started in the cybersecurity field, and what advice would you give to a beginner pursuing a career in cybersecurity?
While attending Pennsylvania State University, I enjoyed programming, but I did not want to build applications; it just didn’t excite me. During my junior year, I applied and was selected as a DISA IA scholar recipient. This program exposed me to the security side of technology, and, in particular, I loved incident response. With incident response, I had the opportunity to find the needle in the haystack, to put the puzzle together with limited pieces; I was drawn to this and have never let it go.
The advice I would give to people is that security is a way of thinking that anyone can pursue. This pursuit is your dedication to the craft. There are so many paths within security, and you should try them all. Take time to find mentors, visit meetups, or go to the various conferences. Be explicit about what you are looking for. Language matters.
What is your specialty in cybersecurity, and how can others gain expertise in your specialty?
My cybersecurity specialty is incident response. Lately, I have been rebranding incident response to detection and response engineering (DRE). It is the ability to create security tests and security sensors that act as detectors to provide analysts with data they can take action on. The response component is more than just the technical know-how; it also requires an understanding of people and how to manage an incident.
The approach I take around DRE is to always be reading and practicing. I read up on the latest attacks and various capture-the-flag write-ups, follow InfoSec folks on Twitter, and talk to red team members to understand the current attack space. Within the attack space, there will be concepts that are more applicable to your organization or area of interest. The goal is to keep learning. Security is ongoing, never static, which means there is an investment of time to keep pace with what’s going on. Therefore, stay with it!
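Detection and response engineering as described above comes down to two artifacts: a detector that turns raw events into something an analyst can act on, and a security test that proves the detector fires on the attack and stays quiet on normal traffic. The block below is an added example, not code from the interview or from any project Charles Nwatu describes. It assumes syslog-format sshd authentication lines (no year in the timestamp, so only the deltas between events are used) and a simple detection: at least `threshold` failed logins from one source address inside a sliding `window`, followed by an accepted login from that same address. The log lines are constructed for the example, including a benign "typo then success" case that must not alert, and `security_test()` is the test a DRE team would keep next to the rule so a later change cannot silently break it.

```python
"""Added example: a brute-force-then-success detector for sshd logs plus its
security test. Log lines and hosts below are constructed, not real data."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import NamedTuple, Optional

# Matches both "Failed password for invalid user X from IP port N" and
# "Accepted publickey for X from IP port N". Other sshd lines are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


class AuthEvent(NamedTuple):
    ts: datetime
    outcome: str  # "Failed" or "Accepted"
    user: str
    ip: str


def parse_auth_line(line: str) -> Optional[AuthEvent]:
    """Parse one sshd line; returns None for lines the detector does not use."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year; strptime defaults to 1900, which is
    # fine because only differences between timestamps are used.
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return AuthEvent(ts, m.group("outcome"), m.group("user"), m.group("ip"))


def detect_bruteforce_success(lines, threshold=5, window=timedelta(minutes=2)):
    """Alert when >= threshold failures from an IP within `window` precede a
    success from the same IP. Returns a list of alert dicts for the analyst."""
    failures = defaultdict(deque)  # source ip -> timestamps of recent failures
    alerts = []
    for ev in filter(None, map(parse_auth_line, lines)):
        recent = failures[ev.ip]
        while recent and ev.ts - recent[0] > window:  # expire old failures
            recent.popleft()
        if ev.outcome == "Failed":
            recent.append(ev.ts)
            continue
        if len(recent) >= threshold:
            alerts.append({"ip": ev.ip, "user": ev.user,
                           "failures": len(recent), "at": ev.ts.strftime("%b %d %H:%M:%S")})
        recent.clear()  # a success resets the counter for that source
    return alerts


# Constructed attack: six failures in 15 seconds, then a successful login.
ATTACK_LOG = [
    "Mar 10 14:02:01 bastion sshd[4321]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2",
    "Mar 10 14:02:04 bastion sshd[4322]: Failed password for root from 203.0.113.7 port 51123 ssh2",
    "Mar 10 14:02:07 bastion sshd[4323]: Failed password for invalid user test from 203.0.113.7 port 51124 ssh2",
    "Mar 10 14:02:09 bastion sshd[4324]: Failed password for deploy from 203.0.113.7 port 51125 ssh2",
    "Mar 10 14:02:12 bastion sshd[4325]: Failed password for deploy from 203.0.113.7 port 51126 ssh2",
    "Mar 10 14:02:15 bastion sshd[4326]: Failed password for deploy from 203.0.113.7 port 51127 ssh2",
    "Mar 10 14:02:18 bastion sshd[4327]: Accepted password for deploy from 203.0.113.7 port 51128 ssh2",
    "Mar 10 14:02:18 bastion sshd[4327]: pam_unix(sshd:session): session opened for user deploy by (uid=0)",
]

# Constructed benign traffic: one typo then success, and a key-based login.
BENIGN_LOG = [
    "Mar 10 09:15:01 bastion sshd[2001]: Failed password for alice from 198.51.100.5 port 40001 ssh2",
    "Mar 10 09:15:06 bastion sshd[2002]: Accepted password for alice from 198.51.100.5 port 40002 ssh2",
    "Mar 10 09:20:00 bastion sshd[2003]: Accepted publickey for bob from 198.51.100.9 port 40010 ssh2: ED25519 SHA256:constructed",
]


def security_test() -> bool:
    """The test kept beside the rule: fires on the attack, silent on benign."""
    attack = detect_bruteforce_success(ATTACK_LOG)
    benign = detect_bruteforce_success(BENIGN_LOG)
    return (len(attack) == 1 and attack[0]["ip"] == "203.0.113.7"
            and attack[0]["user"] == "deploy" and benign == [])


if __name__ == "__main__":
    print("security test passed:", security_test())
    for alert in detect_bruteforce_success(ATTACK_LOG):
        print("ALERT", alert)
```

The window and threshold are the tunables an analyst will argue about; the test pins the behavior at the chosen values, and the window edge case (shrink `window` to ten seconds and the same six failures no longer count) is worth a second assertion so that tuning one knob does not quietly disable the rule.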
What is your advice for career success when it comes to getting hired, climbing the corporate ladder, or starting a company in cybersecurity?
The biggest advice I can give in this area is to keep learning and find what you love within security. These two things will help drive you and propel you forward.
What qualities do you believe all highly successful cybersecurity professionals share?
One of the qualities I have seen in highly successful cybersecurity professionals is the ability to explain concepts to people clearly and in such a way that people walk away having learned something new. I would also say cybersecurity professionals who take the time to think about security from their customers’ perspectives (aka walking in their shoes) are the ones who ultimately develop and design thoughtful security.
What is the best book or movie that can be used to illustrate cybersecurity challenges?
Black Box Thinking by Matthew Syed. Securing DevOps by Julien Vehent.
What are your favorite books for motivation, personal development, or enjoyment?
On Intelligence by Jeff Hawkins. (Marcus J. Carey recommended this to me, and as a detection and response engineer, I think this book is important.) The Secret by Rhonda Byrne. Start with Why by Simon Sinek. Black Box Thinking by Matthew Syed (an awesome book recommended to me by Bob Lord).
What is some practical cybersecurity advice you give to people at home in the age of social media and the Internet of Things?
Keep your systems up to date—desktop, laptop, mobile, game systems. If it connects to a network, keep it up to date. When it comes to passwords, use password managers, passphrases, and two-factor authentication on all your accounts. When it comes to social media, what happens in the dark will come to light. So if you don’t want it on the Web, don’t do it.
What is a life hack that you’d like to share?
I’m not sure if this is a life hack or more just being a parent, but any free time I have I quickly decide how I want to spend it on myself. I divide this into three things: personal development (technical), personal development (fun), or family development. This thinking just helps me prioritize my time. I love my family and being a security practitioner, but time is a limited commodity.
What is the biggest mistake you’ve ever made, and how did you recover from it?
While working on a security project, I made a comment along the lines of, “If you want to run this security tool effectively, the organization will need to staff three to four team members.” I did not realize, at the time, who was around me when I made that statement, and that statement was used to push for additional budget for these new hires. The only thing was that our budget had already been approved for the year, and the funds were taken from somewhere else. My director at the time called me in to discuss the ramifications of how my statement was used. From that point on, when it comes to scoping security projects properly, I make recommendations up front on what is needed to install, tune, and mature a security capability. ■
Note
13. Matthew Syed, Black Box Thinking: Why Most People Never Learn from Their Mistakes—But Some Do, ebook (New York: Penguin, 2015), accessed May 2018, https://books.google.com/books?id=d-VJBgAAQBAJ.
Tribe of Hackers Page 28