What qualities do you believe all highly successful cybersecurity professionals share?
The ability to be malleable. Security rolls forward with technology, and technology is always changing. If you’re not prepared to adapt when the new things come rolling in, you’ll get left behind—plain and simple. Always be learning; always be interested in what’s coming down the road. Some of it is interesting, and some of it is horribly lame. You have to see what’s coming and examine whether it’s something that you want to be involved with. Your success will depend entirely on the choices you make here.
What is the best book or movie that can be used to illustrate cybersecurity challenges?
This is a toss-up between several different properties. Few movies actually articulate what “security challenges” are, if any. I’m having trouble just thinking of one. There are tons of movies that go over “how to attack stuff,” or social engineering specifically, or, at a high level, how to conduct certain types of attacks or operations, but I can’t think of any movie that directly mentions or covers “security challenges” from a defensive perspective.
What is your favorite hacker movie?
Toss-up between Hackers, Sneakers, Swordfish, and Antitrust.
What are your favorite books for motivation, personal development, or enjoyment?
I spend a lot of time watching conference talks on YouTube and trying out new things from walk-throughs and documentation. I find myself with so little time that I don’t spend it on traditional paper books, and my “reading” has turned into fetching audiobooks and listening to them during travel. I’ve read a lot of Neal Stephenson, I enjoyed Ready Player One, and I’ve been told I’d really like Daemon. Also, supposedly, people squint at you if you tell them you haven’t read The Cuckoo’s Egg. I haven’t read it yet. I should add that to Audible.
What is some practical cybersecurity advice you give to people at home in the age of social media and the Internet of Things?
Don’t let it on the network. I don’t care how cool you think it is. It’ll get shelled, it’ll be part of the next Mirai botnet. Take the time to investigate what it is you’re buying and how that will affect an attacker’s ability to gain control of your life. If something is super easy, it usually means it’s super easy to exploit.
What is a life hack that you’d like to share?
Try the nload and iftop command-line tools. To install, type apt-get install nload iftop. When you see what they do, you’ll put them on every box you touch.
What is the biggest mistake you’ve ever made, and how did you recover from it?
I didn’t know until 2008 or so that information security was an actual profession. I thought it was just an extension of IT. I haven’t recovered from it, and I don’t think that I ever will. It arguably set my InfoSec career back something like five years. If I knew that all the hacky stuff I was doing as a sysadmin was “its own job,” I’d have been applying for those instead of getting systems architect jobs and trying to convince management that I should be 100 percent focused on security. ■
65
Ben Tomhave
“There are plenty of highly experienced cybersecurity people in the market right now who would love to be working, and yet employers are completely unable to get out of their own way to get these folks on board.”
Twitter: @falconsview • Website: www.secureconsulting.net
Ben Tomhave is a security industry veteran, progressive thinker, and culture warrior. He holds an MS in engineering management from The George Washington University, has a BA in computer science from Luther College, and is a graduate of the BJ Fogg Behavior Design Boot Camp. Ben is CISSP certified and has previously held positions with Gartner, AOL, Wells Fargo, ICSA Labs, LockPath, and Ernst & Young (EY). He is former co-chair of the American Bar Association Information Security Committee, a senior member of ISSA, former board member of the Society of Information Risk Analysts, and former board member for OWASP NoVA. Ben is a published author and experienced public speaker, including engagements with the RSA Conference, MISTI, ISSA, RMISC, Secure360, RVAsec, and DevOps Connect, as well as Gartner events. He’s covered most topics in InfoSec, including application security, DevOps/DevSecOps, security architecture, data security, and encryption and key management.
If there is one myth that you could debunk in cybersecurity, what would it be?
Just one? Today, I think it’s the myth of the workforce shortage. In many ways, this is a self-created issue due to a number of deficiencies in vision, strategy, and execution. Automation is not sufficiently wielded. Instead, we see organizations building large SOCs staffed with extremely junior personnel, who stare at screens and push buttons when colors change—changes that are indicative of a threshold being met, meaning an automated trigger all but exists. Instead, we should be focusing our resource development needs elsewhere. Moreover, companies seem unwilling to invest in developing junior resources to help them advance to a journeyman stage in their careers while simultaneously devaluing experienced hires by underpaying them, by not supporting their needs for ongoing career development, and by incredibly short-sighted inflexibility on work arrangements (such as denying remote work). There are plenty of highly experienced cybersecurity people in the market right now who would love to be working, and yet employers are completely unable to get out of their own way to get these folks on board.
What is one of the biggest bang-for-the-buck actions that an organization can take to improve its cybersecurity posture?
Culture change is the overarching “most valuable change” that’s needed today. It’s also the least common. Culture change impacts behavior, incentive models, accountability, and transparency—and myriad other critical enablers that help to mature and improve cybersecurity programs. Until organizational culture—comprised of values and behaviors—is substantially reformed, cybersecurity failures will continue to abound.
How is it that cybersecurity spending is increasing but breaches are still happening?
Cybersecurity spending is as much an embodiment of “shiny object syndrome” as it is anything else. We have grossly unqualified “leaders” in CISO (or equivalent) roles who simply don’t understand the subject, and they’re trying to drive change and compliance using a haphazard, vendor-influenced “strategy.” Very few organizations are truly taking stock of actual, measurable information risk as it faces the organization, let alone adopting reasonable, agile, quantitative methods for assessing that risk.
Do you need a college degree or certification to be a cybersecurity professional?
No degree or certification is needed, but having a reasonable education doesn’t hurt. We need more critical thinkers in our cybersecurity (and IT and development) ranks, and getting a degree can be one means of getting people there. Unfortunately, there are broader issues in society that are decreasing critical-thinking skills among younger generations, such as the weakening of pre-college education programs and institutions.
How did you get started in the cybersecurity field, and what advice would you give to a beginner pursuing a career in cybersecurity?
I came to cybersecurity (or information security, as I still prefer it) quite naturally in the mid-’90s when a high school classmate of mine showed me how he was abusing the network and computing resources at the college where my dad was a professor. He showed me how he was making money from “warez” and pirated software, and all without ever having to directly authenticate into the systems he was exploiting. This drove me to explore how he was able to exploit those environments, how to fix the environments to stop those exploits, and so on.
By the time I got to college, I had started to see the promise of the internet as I worked my way through school doing systems and network administration (admin on HP/UX and Novell NetWare systems, as well as literally pulling cables to install network ports, network cards, and TCP/IP software stacks in Windows 3.x systems). I compiled and deployed the first web server on campus and began actively promoting training people on how to create websites, while also promoting its use and development for official purposes by the college. By 1997, we were starting to see early e-commerce sites deployed using SSL, and it was painfully obvious that there was more needed than firewalls. Systems hardening, patching, active testing of software for vulnerabilities, and both user and developer education were all necessary components. My career took off from there.
My advice to people interested in a career in cybersecurity is to not pursue a career in cybersecurity. Instead, we need people with well-rounded backgrounds in systems and network engineering, software development, research, and anything else that inspires the development of critical-thinking skills. Give me a motivated, reasonably experienced technical professional, and I can easily turn them into a “cybersecurity professional” (who will then start suffering from depression and substance abuse—ha-ha…). However, there’s actually very little real opportunity for “green,” fresh recruits who lack suitable technical and real-world experience. Moreover, there are still far too many “cybersecurity professionals” who simply do not understand how organizations work and who lack the empathy to understand the needs of the organization. We need better thinkers who can apply diverse experience, not pigeon-holed specialists with very limited futures.
What is your specialty in cybersecurity, and how can others gain expertise in your specialty?
I am intentionally a generalist. By trade, I am most often associated with the security architecture role. Security architects generally need to understand nearly all specialties within cybersecurity in order to help formulate a coherent cybersecurity strategy that cuts across all silos and specialties. Gaining expertise as a security architect requires working in a variety of cybersecurity roles in order to understand unique challenges and then parlay that into a broad, strategic vision for the organization.
What is your advice for career success when it comes to getting hired, climbing the corporate ladder, or starting a company in cybersecurity?
Run away! (Ha-ha, just kidding…or am I?)
I have a number of recommendations.
Have perseverance. This industry is painfully difficult to traverse, and there are more “bad days” than “good days.” Stick with it; focus on learning, patience, and perseverance in the face of adversity.
Early in your career, it will be tempting to hop around a lot to aggressively move up. Be careful doing that, and make sure you’re leaving or moving up for the right reasons, which include getting stale in your current role, new opportunities for learning, or moving to a team or organization that is a better culture fit or represents better learning opportunities.
Be careful about burning bridges, which can be done easily in the current age of social media insanity. Be careful what you say in public forums because you never know when it will come back to haunt you. This industry continues to be very cliquish, which means getting on someone’s bad side can have broad and long-lasting negative impacts on your career.
Find outside interests for your own sanity. Staying too much within your industry and work environment, especially with cybersecurity, can be highly detrimental to your mental and physical health. Jobs in this industry tend to be highly stressful and demoralizing, which greatly increases the need for outside connections and interests. Having a life in meatspace is the best way to stay grounded.
Be honest and do your research. Whether it’s starting a new job, looking for a new job, or starting a new company, it’s absolutely imperative that you’re honest and that you do considerable research. As a startup, that could be market research to fully understand the competition and what problems your customers are facing. As a job seeker, that could be deep research on prospective employers to determine whether or not it’s truly a place you want to work. Or, it could be as simple as building a mentor network to help you grow and mature your career, including identifying seemingly orthogonal or adjacent skill sets that can provide a huge boost to your proficiency and overall expertise.
What qualities do you believe all highly successful cybersecurity professionals share?
The two most prevalent skills found in successful cybersecurity professionals are curiosity and critical thinking. They have the willingness to ask “why?” and then pursue finding an answer, while also being able to suss out truths by reading between the lines. A third important skill, though one that’s still in short supply, is empathy: the ability to understand and identify with our customers, whether they’re internal or external, and provide reasonable, rational, and kind support to them.
What is the best book or movie that can be used to illustrate cybersecurity challenges?
My strongest recommendation for reading today is Reinventing Organizations by Frederic Laloux. The book is about organizational culture and makes extensive use of case studies. What’s fascinating about the book is that, unknown to the author, it closely aligns to the DevOps movement, which leads to my second recommendation, The Phoenix Project. Neither book is about cybersecurity, but they nonetheless perfectly highlight the key challenges facing cybersecurity teams today. Lastly, I recommend reading Surveillance by Aaron Pogue because it’s a near-future, semi-dystopian crime drama that, in many ways, accurately represents what could soon become our modern reality.
What is your favorite hacker movie?
I don’t tend to watch “hacker” movies because I find most of them ridiculous. If forced to answer, I suppose I’d suggest Sneakers as an okay example since it demonstrates some (albeit ridiculous) problem-solving and critical-thinking skills with a remarkably diverse cast for the time. One could also point to WarGames as the cult classic, but it’s a bit too dated for many people today.
What are your favorite books for motivation, personal development, or enjoyment?
I’ve done a fair amount of reading over the past couple of years around the topic of “generative culture,” which is a culture that develops strong, positive benefits while thinking about impact on future generations. There are a number of interesting books that one can read, ranging from Senge’s The Fifth Discipline to Scharmer’s Theory U to Kotre’s Make It Count, and so on. Further, Westrum’s seminal NIH research paper, “A typology of organisational cultures,” is interesting reading, as is anything and everything one can find from BJ Fogg on Behavior Design. One’s time is also well spent reading Cialdini’s books Influence and Pre-Suasion to understand how people can be influenced and preempted. Nudge by Thaler and Sunstein is also very interesting, as it holds similar notions to the so-called “butterfly effect,” as does Cialdini’s Pre-Suasion as well as Fogg’s “Tiny Habits” theories, in terms of how seemingly small things can greatly influence decisions and change.
In terms of reading for enjoyment, I almost exclusively read lightweight sci-fi and fantasy fiction. I’m a big fan of Michael G. Manning (Mageborn series and all related works), as well as John Conroe’s Demon Accords series (and related works), Kel Kade’s Dark Tidings series, the dystopian Silo series by Hugh Howey (Wool, Shift, and Dust), and Steve McHugh (Hellequin Chronicles and Avalon Chronicles).
What is some practical cybersecurity advice you give to people at home in the age of social media and the Internet of Things?
Honestly, I’m generally so overwhelmed and inundated by cybersecurity in my work life that I tend not to be proactive about cybersecurity advice to friends and family. I focus more on teaching my kids to be skeptical and aware of their surroundings. My oldest (a girl) has reached an age where kids are starting to be mean, and I have already had a couple of conversations with her to set expectations that this sort of nonsense will continue. I will actively oppose her involvement with social media for the foreseeable future, instead emphasizing real-world friendships and activities.
What is a life hack that you’d like to share?
I enjoy cooking (the process), but life often conspires against me. Eating out gets tiring, not to mention expensive. Many a day, I forget to thaw meats from the freezer, and that used to leave me scrambling to figure something out—until I found the Instant Pot. You won’t be mistaken for a gourmet chef, but there’s something magical about being able to throw meat (thawed or frozen) into a pot with some water or broth, push some buttons, and magically have cooked food a little while later (up to 90 minutes sometimes, but that’s okay if you’re not in a rush). Eating a home-cooked meal with minimal manual effort frees me to do other things (like going for a walk!), which is so important to surviving.
What is the biggest mistake you’ve ever made, and how did you recover from it?
The biggest mistake I’ve ever made, professionally, was not taking a chance and going for a front-line manager position more than a decade ago. The person who ended up in the position became my boss, and my job went from enjoyable to miserable in less than two weeks. I subsequently left the company a month or two later out of sheer frustration, which began a decade-plus of trying to find a new, lasting position somewhere else. While I’ve definitely learned a ton of interesting and useful things over the past decade, I also lost a lot of progress in career development. Today, as I write this response, I’m miserable! All because I didn’t take a chance at a pivotal point in my career. So, the lesson here is to take chances and push yourself, even if it feels uncomfortable at the time. Otherwise, you may not only be left with regrets, but it may also set your career back. Recovery from such setbacks is difficult, lengthy, and—for me—not yet concluded. Ask me in another decade how things have turned out. ■
66
Robert “TProphet” Walker
“Certifications do not make people more qualified. Some of the best people in the industry don’t have any certifications.”
Twitter: @TProphet • Website: www.seat31b.com
Tribe of Hackers Page 40