This post is a continuation of my answers to the questions posed in the Tribe of Hackers book. I am answering these questions before reading the other responses in the book in an attempt at self-assessment, and to mark any changes of insight after consuming the book. This is part 2 out of 4.
4. Do you need a college degree or certification to be a cybersecurity professional?
No, but they can help. A college degree is less important than it used to be, but the experience can teach many life skills at an age when young adults are busy finding themselves. Beyond that, you can learn a lot about a profession as well, and a degree can get you past HR filters that may otherwise reject those without a degree.
Certifications are a useful vehicle to learn topics and have something tangible that at least somewhat attests to some knowledge on those topics. These are things that can add to your marketability, either for yourself or as an agent of another entity. At the end of the day, though, those are just tools, and they don’t replace being an expert in your chosen domain. Regardless of how you get there, be a master of your domain.
5. How did you get started in the cybersecurity field, and what advice would you give to a beginner pursuing a career in cybersecurity?
I’ve always had a love of puzzles, mysteries, and a sense of curiosity and creativity. I first thought about IT security back around 2000 when I wrote a long-gone article for a video gaming community about what sorts of careers someone who grew up with PC gaming could get into, and information security was one of them. But it wasn’t until I picked up a random IT book at Barnes & Noble to continue my post-graduate learning, Hack Attacks Revealed by John Chirillo, that I fell in love with the topic.
For my career, I officially got started having a security interest while doing normal IT desktop, technical support, and sysadmin duties. If something related to security came up, I would tackle it, set it up, configure it, or evaluate it. I remember sitting with government pen testers and showing them Metasploit shortly after it came out. I spent nearly 15 years with a general sysadmin title, but largely doing security-related things. In recent years, my title has shifted to officially be a security one, which makes selling myself a little bit easier!
I would advise someone beginning a career in cybersecurity to have one or more career goals in mind, and some ideas written down on how to get from where you are today to those goals in 1, 3, 5, or 10 years. And pursue that. Keep your eyes on the horizon, and move towards it. Seek advice from peers and those you want to emulate. Always be learning and always be active, whether in a cybersecurity role at the start of your career, or in a more general IT role. Either way, you can effect changes in security postures, learn more, and build skills that will directly carry over to the time when you arrive at your cybersecurity goals.
I would also suggest being involved. Share your knowledge, teach others, meet other professionals and hobbyists locally, and be part of the cyberspace and meatspace infosec communities.
6. What is your specialty in cybersecurity? How can others gain expertise in your specialty?
I don’t really have one, which might mean my specialty is about being generally good at many things. But, if I had to pick one, it would be about thinking like an attacker: playing five moves ahead and solving those problems.
And to get anywhere, it is all practice, practice, practice. Don’t be afraid to fail and learn. Practice, fail, practice, do better, practice, succeed, practice, improve.
7. What is your advice for career success when it comes to getting hired, climbing the corporate ladder, or starting a company in cybersecurity?
Be a good person, be intelligently enthusiastic, be an expert, and be honest about your desire to effect appropriate improvements. Be honest, about everything, including things you don’t know.
But one of the most important things in business and security is about selling yourself and selling your ideas. Speaking and selling are key ingredients for effectiveness in getting things done and leading.
I don’t run a company in cybersecurity, but if I did, I imagine my biggest stressor would probably be making sales and being good about that. I think that might be my biggest advice: gain the sales skills or align with someone who can.
8. What qualities do you believe all highly successful cybersecurity professionals share?
The willingness to say what is right, the integrity to stick to what is right, and the self-awareness to know when you might be wrong or it is just not the correct message for the day. Security is a cost and gets in the way of convenience. Being on the security team is rarely a good choice for someone who desires only to be liked and not rock the boat when it is needed. But, perfect security will never be accomplished, which sometimes means we have to move on, and know when we’re wrong about something, and yet still walk forward with head held high to the next battle.
I digress, though. Other qualities I admire in people in general are enthusiasm, passion, integrity, constant learning, being a good person, and being an expert. Some of my favorite celebrities are like that: Adam Savage, Wil Wheaton, Matthew Mercer, Steve Irwin. These are qualities to live one’s life, and qualities to bring into one’s career.