Tribe of Hackers


by Marcus J Carey


  What is one of the biggest bang-for-the-buck actions that an organization can take to improve its cybersecurity posture?

  I have gotten the best return on investment from security awareness training. Creating a culture of security is absolutely essential to cybersecurity defense. Almost all successful penetrations rely on human weakness. Think phishing, social engineering, and human error. You can spend a fortune on technology controls, which can all be defeated by an attacker simply finding one careless insider. Training is relatively inexpensive, but an army of diligent human firewalls is priceless.

  “I have gotten the best return on investment from security awareness training.”

  How is it that cybersecurity spending is increasing but breaches are still happening?

  There are two reasons that cybersecurity spending is increasing but data breaches are still happening. First, security leaders are not spending money on the right things. There is often little correlation between unmitigated risk and the investments organizations are making. For example, most organizations allocate the bulk of their cybersecurity budget to mitigation of externally perpetrated attacks, despite the fact that the majority of breaches are the result of malicious or careless insiders. Second, attackers work together better than defenders do. Malicious actors of all types cooperate in an extensive interconnected digital underground. However, most defending organizations go it alone, maybe consuming threat intelligence from others but rarely contributing anything to a shared defense. Legislation limiting liability for intelligence sharing and the growth of information sharing and analysis centers/organizations (ISACs/ISAOs) are helping, but there is still a lot to do.

  Do you need a college degree or certification to be a cybersecurity professional?

  No. You do not need a college degree or certification to be a cybersecurity professional. In a field with negative unemployment, raw talent is often enough. That being said, I would highly recommend both. An employer needs some way to weed out candidates and validate that individuals know what they say they know. Although by no means perfect, there are few better ways to obtain independent, third-party validation that a candidate possesses some base level of skills than through the completion of an objective certification process or a formal degree program.

  Beyond that, the successful pursuit of education and certification also is an indicator that a candidate possesses the maturity and persistence to set a long-term goal and achieve it. If a person claims to be a cybersecurity expert, then they should have no problem passing a certification examination. The unwillingness to put that knowledge to the test may be an indicator that they are not as knowledgeable as they claim to be.

  How did you get started in the cybersecurity field, and what advice would you give to a beginner pursuing a career in cybersecurity?

  The term cybersecurity did not exist when I entered the field more than 22 years ago. It was just referred to as “security” or “IT security.” There were no formal educational programs for security. If you knew a lot about all aspects of technology and had a defensive mind-set, you just found your way onto a security team.

  I started my career as a system administrator at Arthur Andersen LLP, one of the “Big Five” accounting and auditing firms at the time. When the internet was commercialized in the late 1990s, I joined a new team focused on designing “internet architecture,” where I became familiar with network security concepts. The combination of system administration and networking expertise allowed me to make the move onto the security team. Once there, I never looked back.

  I think it is a lot easier to get into the cybersecurity field these days, as there are now formal programs (academic and trade oriented) that are focused on giving individuals the skills they need to break into the field. If going back to school isn’t in the cards, there is no substitute for simply immersing yourself in the field. You can join professional associations dedicated to security, attend security meetups and conferences, teach yourself the skills you need on your own time, and invest in your own professional certification. If you show initiative and demonstrate a passion for the field, a security leader like me, desperate for talent in a tight labor market, is going to notice it and give you a chance.

  What is your specialty in cybersecurity, and how can others gain expertise in your specialty?

  At this point, my “specialty” is security leadership (i.e., conducting the security orchestra). I have served as the head of the security function for quite a few years now. Earlier in my career, however, I specialized in many areas within security, including ethical hacking, IT audit, risk management, forensics, security management, IT governance, privacy, strategy, architecture, and IT compliance.

  If your goal ultimately is to become the top security leader within your organization (or another), you need to be familiar with all of the major specialties within security. At the very least, you need to know enough to determine whether a vendor or co-worker is giving you a line of crap (I call this level of mastery “BS detection”). Add to that fine-tuned communications skills, diplomacy, and political tact, and you are well on your way to becoming a CISO. If your goal, however, is simply to be the best within a single area of specialty (and there is nothing wrong with that), then I would suggest educating yourself on that specialty, hanging out with people already in that specialty and learning from them, joining professional associations dedicated to that specialization, getting certified in that area of specialization, and so on.

  What is your advice for career success when it comes to getting hired, climbing the corporate ladder, or starting a company in cybersecurity?

  My advice for career success is to aim high and think big. If you are looking to move up in your current organization, perform the functions of the role you aspire to and not just the one you are in. When leaders are looking to fill a leadership position below them, they try to imagine how potential candidates will perform in that role. Leave nothing to the imagination and actually demonstrate your ability to do the job before you are asked to.

  When searching for a new role, don’t allow overly specific requirements in job descriptions to deter you. Hiring managers often make the mistake of treating a job description as a “wish list.” They throw everything they can possibly think of in there in case the perfect candidate comes along. Instead of weeding yourself out, apply anyway and focus on demonstrating that you are capable of doing everything your prospective employer is asking for.

  Finally, exude confidence. Creating the perception that you know what you are doing is often as powerful as actually knowing what you are doing. Don’t be afraid to take on your dream job before you think you are prepared for it. If you have a passion for the field and an insatiable appetite for learning as you go, you’ll be fine.

  What qualities do you believe all highly successful cybersecurity professionals share?

  There are four qualities that I believe all highly successful cybersecurity professionals possess. First, they never stop learning. This field evolves incredibly fast, so you have to be constantly learning to avoid obsolescence. Second, they have excellent communication skills. Cybersecurity professionals are regularly called upon to explain complex technical concepts to non-technical people. It takes a knack for communication to do this well. Third, they collaborate well with others. Cybersecurity professionals must work with individuals throughout an organization—IT, legal, compliance, auditors, HR, operations, sales, marketing, etc. Lone wolves don’t go far in this field. Finally, they demonstrate a passion for the field. Cybersecurity can be a stressful calling. If you don’t absolutely love what you do, you won’t last long in this field.

  What is the best book or movie that can be used to illustrate cybersecurity challenges?

  The book that can best be used to illustrate cybersecurity challenges has got to be The Cuckoo’s Egg by Clifford Stoll. I realize this is one of the oldest (if not the oldest) book about hacking. Although the technology discussed is dated, many of the main concepts (e.g., the methods used by a hacker to cover his or her tracks, the difficulty of following an attacker who is moving laterally within a network, the extraordinary skill and determination required of defenders, etc.) are as true today as they were in 1989.

  What is your favorite hacker movie?

  WarGames is my favorite hacker movie. Seeing Matthew Broderick show Ally Sheedy how to war dial and hack into a Pentagon computer in 1983 changed my life forever. Fascinated by what I saw, I saved up my money and bought a 300 baud modem for my Commodore 64 personal computer. Soon I was completely engrossed by the world of underground dial-up bulletin board systems and sharing software hacks with fellow “BBSers.” Ultimately, this fascination with digital communications networks turned into a career in security that has served me very well. Oh—and it didn’t hurt that I had a huge crush on Ally Sheedy.

  What are your favorite books for motivation, personal development, or enjoyment?

  I enjoy real-life drama and I am an entrepreneur at heart, so I love to read nonfiction books about the spectacular rise and fall of innovative businesses. Not only is reality often just as interesting as fiction in the world of business, making for a fun read, but there are often lessons to be learned from the mistakes of the past that can be applied to solve current problems. Three such books are Commodore: A Company on the Edge by Brian Bagnall, which follows the rise and fall of Commodore Business Machines in the fledgling personal computer market of the 1980s; Barbarians at the Gate: The Fall of RJR Nabisco by Bryan Burrough and John Helyar, which describes the leveraged buyout of RJR Nabisco in 1988; and The Smartest Guys in the Room: The Amazing Rise and Scandalous Fall of Enron by Bethany McLean and Peter Elkind, which covers the rise and fall of Enron in the energy sector in the early 2000s.

  What is some practical cybersecurity advice you give to people at home in the age of social media and the Internet of Things?

  The best cybersecurity advice I have to give to people in the age of social media is to resist the temptation to overshare information. As a society, we seem to have lost any appreciation for our own privacy. This is especially true of younger generations. We post a ton of information about ourselves on social media. That information can in turn be utilized by malicious actors to discern passwords, socially engineer us or others, and steal our identities. Learn to use the privacy settings of the social media sites you use and/or just be a little more discreet about what you share online. The entire world doesn’t need to know everything about you.

  I have similar thoughts about IoT. It has become clear that there are inherent weaknesses in most IoT devices. From connected cars to thermostats, these devices often are not designed with security in mind, and there is usually no mechanism to update them when vulnerabilities are found. So, take the time to assess the risk before connecting everything you have to the internet.

  What is a life hack that you’d like to share?

  My life hack is to always remember that although you may have little control over what happens to you in life, you are always in control of how you react to it. In other words, don’t worry about trying to change something you have little control over (e.g., what others say and do to you, the weather, the business cycle, etc.). Focus only on that over which you do have control (e.g., whether you are going to let that uncontrollable circumstance negatively affect you). Too many people go through life stressing over what is happening to them when things do not go to plan rather than focusing on what they can learn from the situation and how they can use adversity to improve themselves and become a better person in the long run.

  What is the biggest mistake you’ve ever made, and how did you recover from it?

  The biggest mistake I ever made was leaving a job that I absolutely loved for the wrong reasons. I was at an organization with a great culture where I was working with extremely talented people, learning a ton, and growing professionally every day. I left that role to take a position with a firm with a more conservative culture and little opportunity for professional growth, based largely on the prestigious reputation of the firm and a significantly more attractive compensation package. I learned the hard way that when it comes to career satisfaction, culture trumps compensation every time.

  Once you’ve reached a point in life where your financial needs are met, the source of your happiness shifts from more money to whether your role provides you with the opportunity to grow with an organization that has a culture that makes you excited to get up in the morning and immerse yourself in it every day. In other words, the extra money does not make up for feeling professionally unfulfilled. Fortunately, there is a happy ending to this lesson. The company I loved felt the same way about me, and I was given the opportunity to return, which I gladly seized. I refer to the episode as my “career mulligan.” ■


  Chinyere Schwartz

  “People rely too much on technology to protect them instead of looking at how their actions (or inaction) make them vulnerable to attack.”

  Website: www.linkedin.com/in/chinyere-schwartz-9155bb10

  Chinyere Schwartz is an information system security officer (ISSO) currently employed by SRC Technologies, Inc. She has been working in information security for a little over seven years and became interested in the field while working for the human resources help desk at the U.S. State Department in Washington, DC. In addition to working, Chinyere is a wife and mother of two children. She met her husband at Howard University while they were both working on their BS degrees in electrical engineering. She has been married to her husband for over 11 years, and they have a soon-to-be-10-year-old daughter and a 3-year-old son. Chinyere enjoys spending time with her family and friends, learning about new things, and relaxing.

  If there is one myth that you could debunk in cybersecurity, what would it be?

  I think one of the myths that, unfortunately, is still hanging around out there is that “It can’t happen to me.” People rely too much on technology to protect them instead of looking at how their actions (or inaction) make them vulnerable to attack. If you consistently accept the updates on your cell phone (thinking your phone is secure) but turn around and download apps from untrusted sources, you’ve potentially opened yourself up to some unknown threat.

  What is one of the biggest bang-for-the-buck actions that an organization can take to improve its cybersecurity posture?

  At the end of the day, the same actions that were used to protect an organization before the term cybersecurity became popular are the actions that need to be taken to protect an organization now. Ensuring that security is “built-in” instead of “bolted-on” goes a long way toward a healthy security posture. When security controls are implemented in the design, build, and test phases of the architecture, features such as unnecessary ports/protocols/services are turned off and best practices are followed regarding account management, auditing, identification, and authentication—just to name a few.

  “Ensuring that security is ‘built-in’ instead of ‘bolted-on’ goes a long way toward a healthy security posture.”

  How is it that cybersecurity spending is increasing but breaches are still happening?

  I think that may be a symptom of where the money is getting spent. It’s when more of the budget is used for a particular solution, but you don’t purchase the maintenance plan that includes software/hardware/firmware updates (especially if it’s proprietary). Or you hire more IT personnel, but you don’t have a patching plan in place, which could require implementing an automated solution and subsequently re-engineering your architecture in order to become and/or stay compliant.

  Do you need a college degree or certification to be a cybersecurity professional?

  Depending on where you work, having a degree and/or certification is still required (especially if it’s a STEM-related degree). Some places may take years of experience, but again, it definitely depends on the customer and sector.

  How did you get started in the cybersecurity field, and what advice would you give to a beginner pursuing a career in cybersecurity?

  I was interested in becoming an ISSO when I did help-desk work with the State Department. My supervisor was an ISSO, and one day he and our lead SA had to confiscate a person’s machine. I was curious and asked him about it, and he gave me the basics of that aspect of his job and told me I wouldn’t like it because it was mainly paperwork. I was still interested and, initially, when the opportunity presented itself, I had all the credentials except the certification (Security+), which was a requirement for the position. I quickly got my certification and was hired. I’ve been doing ISSO work ever since—about seven years now. For someone beginning or pursuing a career in cybersecurity, I would encourage them to do their research on which aspect of this field they want to be a part of. Do you want to be on the defensive side or offensive side? There’s a lot out there to be a part of—you have to look at what best suits you.

  What is your specialty in cybersecurity, and how can others gain expertise in your specialty?

  I am an information system security officer, and my role is responsible for ensuring that the organization adheres to security policies and procedures that protect it from both internal and external threats. As far as gaining expertise, while you don’t have to be technical, it doesn’t hurt. When you get hands-on experience configuring security policies on systems, it helps a person (in my opinion) understand the challenges that are sometimes involved in making a decent security posture a reality.
