Cybersecurity Career Strategies: What Not to Do
Frederick Scholl, Ph.D., Cybersecurity Program Director, Quinnipiac University
“I took the one less traveled by,
and that has made all the difference.”
What do these well-known lines by Robert Frost have to do with cybersecurity career strategies? Well, if practitioners today knew exactly what to do, we would not have the continuing cybersecurity risks that we do have. We wouldn’t have the CEO of JP Morgan Chase stating that cybersecurity risks may be the biggest risk to the financial system. But no one today has all the right answers; if you want to carve out a career for yourself, you need to avoid following the crowds and stay away from imitating what everyone else is doing in the profession.
So, what are the top things that are continually promoted or misunderstood in the industry, but that are just myths. These are my top most travelled roads to nowhere:
1. Assume that security problems will be solved with technology.
While product vendors necessarily push this idea, practitioners must realize that security is a business decision and must be viewed as a system of systems. Security products are great, but how they are operated is even more important to a strong security posture. As a practitioner you need toS figure out how security tools fit into a holistic defense, and, more important, where the gaps are. Finding and fixing such a gap can be a great career enabler.
2. Assume that attackers are all “bad guys” and that you are one of the good guys.
Security has long promulgated the wild west mentality where it’s “us vs. them.” While this is fun, today’s risk environment includes insiders, third party providers, excess business risk taking, underperforming security vendors, privacy risks and just plain internal errors. Yes, the bad guys are still out there, but if that’s your only focus, you will not be going down a path to success.
3. Assume that tomorrow’s security jobs will be the same as today.
The industry is undergoing a huge change, and to find the right path, you need to be constantly learning and networking with the community. This goes for people entering the industry and for established practitioners. Legacy career paths to security included network administration and server management. Today those paths are moving into the cloud, where dozens of such positions can be filled by one person working for the cloud vendor. Newer security jobs will be more aligned with the business, emphasize cloud skills and software skills.
4. Assume you need to be a hacker to succeed in security.
Yes, many of today’s top security pros do have a hacker/pen tester background. But shiny 0-days are not responsible for most breaches. Instead security professionals must deal with misconfigurations, human error, default settings, unpatched software and inadequate breach response procedures. By understanding these everyday risks, you will be better armed to protect information assets.
5. Assume that security is the top priority of your business leaders.
It isn’t, and it helps early on to understand this and proceed accordingly. In “normal times” security was #7-10 on the list of priorities for Chief Information Officers. For the past two years it has been #1. But in any given situation, security may take a back seat to product delivery times, customer features, revenue streams or product costs. Security leaders need to understand this and find creative ways to make sure digital initiatives have adequate risk mitigation.
6. Assume that your users are the security problem.
These “users” are security’s customers and it is your responsibility to make sure they are trained, empowered and motivated to protect organization assets. In fact, if you implement a new security technology you must make sure users understand it. Any other strategy will be career ending.
7. Assume that compliance helps companies be secure.
It is easy to follow this career path, since you will be given lists with checkboxes and asked to fill them in. What could go wrong? For one thing, you must really understand the organization’s business risks and no outside compliance regime can do that. For another, unless you focus on security process implementation, you will find that the day after the auditors are done, compliance starts to regress.
This is a list of activities you do NOT want to be doing. Of course, there are always exceptions. If you work for the FBI, you will be dealing with bad guys all the time, and #2 will not be correct. If you are a security product vendor, you will need to follow path #1 at least for a time. Other than those exceptions and a few others, do not choose any of these career paths; choose the road less travelled.