Over the past several years I have balanced my work life with that of being a security educator. As I edge closer to 60 (!) I recognize the need to assist the next generation of cyber warriors to be bigger and better than I could ever hope to be. And if you think about it, the future cyber warriors will need to be better considering the array of threats which they will face. With this goal in mind, I spend a goodly portion of my week talking with folks who wish to enter the cyber security field; with senior cybersecurity professionals; and with academicians who teach the topic. I've found that several themes keep recurring in these conversations...
...so it's probably time that I captured them in writing :)
This will be the first of a series of blog posts on the cybersecurity career path. In these posts I will move from general topics to addressing the questions of specific audiences. Hopefully those reading this will find at least one useful nugget of information that will aid in their endeavors. This first post is a rehash (and update) to an article I wrote in 2017 called "Building Security Warrior 2.0." It outlines what I believe are the key tenets and concepts that must be recognized by our future cyber warriors.
1. Defense Alone Is Not Enough. The former commander of Cybercom (General Keith Alexander) coined the phrase “Cyber Network Operations (CNO)” as a better definition of what we commonly refer to as cyber warfare. CNO is broken up into 3 parts: Cyber Network Defense (CND), Cyber Network Attack (CNA), and Cyber Network Exploitation (CNE). While CND is absolutely critical, most cyber professionals look at this as a zero-sum game. We layer our defenses; buy the neatest, latest tools; and hope they are sufficient to defeat (or at least discourage) potential attackers. While I do not advocate organizations exercising CNA, developing the skills and mindset necessary for CNA and CNE within organizations allows you to better protect your critical assets. “Thinking like the bad guy” needs to become more than a catch phrase; it should be something that is taught, nurtured, and/or fostered within our security organizations. Only in this fashion can we truly protect our assets against the types of attacks and challenges that we are likely to face in the real world.
It's worth noting that an adversarial approach requires more than red teaming; it requires an adversarial mindset on the part of your in-house threat actors and a willingness to move toward a threat-led (versus vulnerability-led) approach to security. In the military, intelligence officers study the likely adversary incessantly in an attempt to understand how he will come at US forces. Adversary teams in security need to do the same thing.
2. Security Is An Interdisciplinary Problem. There are five competency families of which any good security professional must have some working knowledge:
Network Fundamentals and how to secure them
Application Fundamentals and how to secure them (including how applications interact with data)
Governance and Privacy Fundamentals
Communication and Leadership Skills (speaking, writing, organizational psychology, ethics, time management, etc.)
By their very nature, these competencies cross lines between technical and non-technical areas. A person with training in just the technical competencies will be limited in their ability to appropriately articulate the risks of a problem, may fail to adequately understand the role of governance structures in solving that problem, and will lack the ability to communicate the problem or solution effectively. A person with training in just the non-technical competencies will lack the technical expertise to understand how to implement an effective solution, and may create governance structures that aren’t supported by the technical footprint of the organization. We must create security professionals with the foundational knowledge, skills, and abilities in all 5 competency families.
3. We Need To Bring Back Critical Thinking. In the last security organization that I ran, I had a mantra that went like this: “Making lemonade out of lemons is easy. The job of any security professional is to make lemonade out of two apples, a grapefruit, and a kumquat, and make it look easy.” Finding creative solutions to problems is the security professional’s job. Finding new and innovative ways to exploit the network so that we can defend against these exploits is also a security professional’s job. Security professionals need to be aware of the box, but need to be comfortable looking beyond the box for both challenges and solutions. This requires truly multi-dimensional thinkers who aren’t content with just the most obvious answer and have the ability to look beyond what the logs show at face value. It also requires folks who understand that the answer to the problem will most likely not be found via a search engine.
4. Not Communicating is Not an Option. One of the terms I used to affectionately describe some of my more technical resources is “pizza folks.” These are the folks that I could lock in a room, shove pizza under the door, and ask them to solve any problem in the company, and they could do it…but I could not ask them to chat with another non-technical person in the company. In today’s world, that is not necessarily good enough. As security professionals, we have long sought the elevation of security to the attention of the C-suite and the Board of Directors. Congratulations; we have gotten our wish. It is now incumbent upon us to better communicate the problems, issues, and challenges faced within the realm of security. While I do not expect a 22-year-old InfoSec analyst to be comfortable speaking directly to the Board president, I do expect said analyst to understand the fundamentals of communication, how people process information, how to write in complete sentences, how to formulate an argument, how to begin to translate technical jargon into English, and how to carry on a conversation with a non-technical peer. In small shops and fluid environments (and let’s face it: all of our shops are short staffed, and all of our environments are fluid), you will not always have the option to place a senior security body in front of someone for an answer. Their first contact may be the most junior member of your team. While that person will most likely not give them as cogent an answer as the CISO, their business colleagues should still walk away feeling like a reasonable communications effort has been made by a very competent security professional.
5. Reality Matters. One of my hobbies is that I teach and train in martial arts. At my first dojo, I remember the day when a very young and physically fit man came in and arrogantly declared, despite having never taken a single martial arts class, that he felt he was capable of taking on “the best the dojo could offer.” My sensei smiled, and asked me — a 40-year-old 250+ pound man with a pot belly and bad knees — to go onto the mat with him. After 2 minutes, this fit and agile young man was breathing heavily. After 3 minutes, he had stopped being able to deflect my punches and kicks. After 4 minutes, he conceded the round. My sensei gently walked up to the young man and said to him, “You may be fit, but the only way to train to spar is to spar.” In similar fashion, future cyber professionals should be encouraged (if not mandated) to go out into the real world and work on real-world problems in real organizations as part of their course of study. While I applaud and wholly support the need for our higher institutions to engage in research-driven innovation efforts, these should not be considered an adequate substitute for opportunities to obtain real-world experience. (Note to the CISOs reading this: this means YOU need to be willing to take on and mentor interns within your organization, and give them experiences that go beyond just fetching coffee and making copies.)
* * * * *
The future cyber warrior is an individual who:
is highly technically skilled;
has the ability to think critically;
understands the tenets of governance, privacy, and risk;
can communicate their ideas in a cogent fashion;
has had some real-world experience solving real-world problems in a real-world environment; and
has the potential and the foundational skills to thrive in any role within the security organization.
I firmly believe that creating such an individual is not beyond the reach of our very talented and very dedicated global security community.
My two cents…