Kim Jones recently had a wonderful article talking about Building Security Warrior 2.0. I really liked his points and bullet items. I don’t think this is the whole answer, but it’s a very good one.
1. Defense Alone Is Not Enough – I’m not sure this is a really new point, but he does tie this in later on with how we’re shifting from governance and programmatic defense over to being able to think like an attacker on a technical level. It’s one thing to just play defense, but another to start anticipating the moves and weaknesses. That said, he’s also correct to walk this back a bit; it’s not about a security team attacking attackers (or would-be attackers), but it’s about thinking like them. And maybe, if you have a large enough organization that is a big enough target, to actually keep a finger near the pulse of parts of the attacker industry.
2. Security Is An Interdisciplinary Problem. – This times ten, although I do think he left off a bullet item in the list: Systems administration fundamentals. He lists network and app disciplines, but leaves out the system level. Anyway, it’s true otherwise. Some roles in security really are high level communication and leadership positions, while others are in-the-trenches technical ones. But there is almost always some level of upwards tendencies for all security people these days. You may be helping on a project with other teams at or above your pay grade or assisting with an incident that involves people *way* above your pay grade, and the ability to communicate and understand a wide range of security topics is important. This is why I find it harder to coach brand new employees out of college looking to get into security; often (not always) people should get some other sort of IT experience under their belt before sliding over into security, in my opinion. I suppose there are entry level SOC/NOC types of positions, but for anything above that, having some other fundamental skill specialties is really awesome.
3. We Need To Bring Back Critical Thinking. – This sort of goes without saying. Security professionals are fighting a game of innovation and discovery, and doing so across all functions of IT and across other non-IT functions. This means you need critical thinking skills that put you in and out of the box at all times. Often, security can be brought into project planning or operations incidents largely due to their wide and deep expertise and critical thinking skills, even if the issue at hand is not strictly a security one.
4. You Do Not Have The Option Not To Communicate. – Pretty much echoes points made above, but it’s nice to separate this out. As a security person, you’ll *have* to communicate to some degree, since security is (almost) always about making things a little harder (but more secure) for users and data and customers internal or external. Now, this doesn’t mean everyone in security needs to be able to talk and play golf with the CEO or be buddy-buddy with executive leadership. You just need to be able to talk to your audience, technical and non-technical, to get things done and understood. (Honestly, this is a key point for any level of IT support these days. You get every level of employee or boss that may come to you on any given day…)
5. Reality Matters. – Definitely this. Theory and book smarts and unrealistic research only goes so far. I definitely encourage anyone new in security to get their hands dirty, whether it’s with security topics, network/systems/app work, or sitting along for capture the flag competitions or shadowing current professionals. Security is not just technical, but it’s also part creativity and part gut feeling.
6. Information Assurance (IA) and Cybersecurity are Neither Synonymous not Mutually Exclusive. – Jones starts to get into some terminology here and this is where we tie back into the very first bullet point about programmatic governance and technical aptitude for attacks. I really like this line, “Part of that [pendulum swing towards IA] result…has been the increased volume and severity of data exposures, combined with the erroneous labeling of suck attacks as ‘sophisticated.'” Too many of these attacks are not sophisticated. Now, that’s a huge topic in itself…
Jones finishes the article with a list of attributes for the Security Warrior 2.0, and they really read like any security job description should start out. I think this is a really good foundational goal for anyone coming into security or looking to square their shoulders up again to where we’re headed.