Cybersecurity career landscape and industry trends

I recently did an interview with Karen Marcus for Careers in Cybersecurity on education, career development, and career success.  The transcript is provided below and is divided into a section for those just starting out in cybersecurity, those mid-career and those late into their career.  Enjoy the read and please let me know your thoughts in your comments.

For someone just starting out in cybersecurity:

What degrees should they pursue? Any advice for landing that first job?

There are a variety of degrees from associates to Ph.D. that concentrate on security in some way such as Information Assurance, Cybersecurity, or Information Security.  Some may also decide to pursue a similar degree such as IT or Computer Forensics with an emphasis on information security.  However, if you do not have a degree in one of those fields, don’t despair.  Cybersecurity touches on many aspects of the organization, and your individual discipline and experience can give you insight into that part of cybersecurity.  For example, those in HR would relate to employee training, onboarding and termination procedures, employee screening and background checks, and employee compliance requirements while a person from an accounting background could understand the SOC/SSAE accreditation process, ROI, the financial impact of implementing new systems.  If you fall into this category, consider training to educate you on compliance, security controls, and risks so that you can adapt your own business understanding to cybersecurity.

What three things should they focus on in their first job to support advancement later on?

This is a hard one as each job will be different and there may be different methods used for advancement.  However, generally, a person in cybersecurity should demonstrate that they are a continual learner by striving to stay ahead of the technology curve and never stop reading.  Second, focus on your communication skills.  Communication skills are essential at any level, but they are increasingly valuable the farther up the ladder you move.  Lastly, be adaptable.  Cybersecurity is an ever-changing industry, and you will need to be able to change with it.

What pitfalls should they watch out for?

Don’t peg your life to some arbitrary set of career objectives.  Your career is as unique as you are and you should be the one to determine where you want to go.  Next, be successful from start to finish.   Success is not something that is achieved finally at the end of a career by seeing if you met some life goal or accomplishment.  Rather, it is being satisfied with the position you have, the value you bring to your company, and the impact you have on those around you.  Satisfaction is not complacency.  Goals are excellent, and you should set exciting stretch goals for yourself, but understand that each goal would not be accomplished if not for the successes of the moment.  Recognize those successes and take the time to cherish and celebrate them.


Middle Career (those who have been working in cybersecurity for a few years but haven’t progressed to a senior or executive level):

Do you recommend pursuing a Master’s degree?

A Master’s degree is an excellent choice for those who have established themselves in the industry and want to move forward.  I do not recommend it for those who have not yet entered the industry, as it will price them out of entry-level jobs by making them overqualified while they remain underqualified for other jobs.  A Master’s degree can be an excellent way to augment a degree that was not in cybersecurity, such as a CIS, Computer Science, or Business degree.  Those are likely the people who will see the most value from a Master’s degree.  Some employers will want a Master’s degree in order to progress up the ladder, so this may be a requirement.

What skill gaps may a person in this position need to fill? How can they get appropriate training and/or mentoring to address them?

A mentoring relationship is an excellent suggestion, but I wouldn’t wait till you are in your middle career to do it.  I found a mentor shortly after starting in the industry and have mentored those who haven’t even entered the industry yet.  There is hardly ever a time when the experience of someone who has gone before you cannot be put to good use.

Your employer may have training options for you on specific skills.  The type of training should be based on your own learning style.  Some can learn easily from reading books, while others learn best from webinars or from online training.  Still, others require instructor-led training.  Each has its advantages and disadvantages regarding ease and cost.

Each person needs to take responsibility for his or her own training and keep learning each day.  This includes reading articles and other materials regularly to keep abreast of changes in the industry.  Consider following a cybersecurity expert on Twitter and read what he or she posts.  You can also subscribe to RSS feeds from cybersecurity sections of major publications or for cybersecurity blogs.  You would be surprised at how much you can learn just by reading a little bit each day.

Are there other obstacles that may have nothing to do with the person (e.g. company politics or being in a particular sector)? If so, how can they be overcome?

Company culture can be a catalyst or an inhibitor for success.  Ensure that you are well suited for the company culture.  Many have found themselves in a culture that is counter to their own, and their career progression was difficult like swimming against the current.  Let the culture current take you where you want to go rather than fighting it.  You will have a much more satisfying life if you do.

Late Career (those who have been working in cybersecurity for many years and have seen substantial success, perhaps progressing to executive and C-suite levels):

What is the next level for professionals in this position, and what can they do to get there?

Executives are the big fish in a company, and the way to move up is to find a larger pond or to grow their own pond.  That often means finding a larger company or one that is growing at a faster pace.  However, the real focus should be on what your goal is.  You may be perfectly satisfied with your current position.  If you make enough money and enjoy the position, there may not be a need to increase stress by changing jobs, learning a new routine, establishing new relationships, and proving yourself all over again.  Consider the cost of changing jobs when evaluating the potential benefits.

What advice do you have for diversifying skills or fine-tuning specialties?

There comes a time in everyone’s life when they realize that change has finally made part of their skill set irrelevant.  In these cases, it is important to recognize this and not fight it.  Next, seek out complementary skills that build on the knowledge and experience you already have.  Add breadth to your skill set by extending outward in your retraining rather than seeking out greatly differentiated skill sets.  Retraining with this method will make it much easier for you to adopt those skills and to thrive.

Is there a common post-retirement path or pattern?

I am a strong proponent of mentoring others.  I think the process should begin long before retirement and extend into retirement.  Mentoring gives the mentor a connection back to a previous generation and into the workforce after they have left it and it is a great benefit to those they mentor.  Seek out no more than three people to mentor and establish a real relationship with them, asking them questions about their goals and strategies and sharing your understanding and the things you have learned along the way.

Retirees can also participate in professional groups.  Those who spent a lifetime learning likely won’t want to stop, and this can be an excellent way to keep up with what is happening in the industry.

Resume Ransomware: GoldenEye targets hiring managers, recruiters and HR

People charged with filling career positions at their companies need to be on the lookout for ransomware—especially GoldenEye ransomware.

GoldenEye is a new form of ransomware written by the same cybercriminal who gave us the Petya and Mischa ransomware attacks. The author has applied some of the same distribution tactics that Petya and Mischa are known for by masking the ransomware as a job application. GoldenEye attacks typically begin with an email that appears to be from someone interested in a position. The inboxes of human resource personnel and hiring managers are often swamped with emails from potential candidates. As a result, very little time may be spent reviewing each email. Instead, recruiters and HR managers open the attachments and quickly screen resumes or cover letters to determine if the applicant is qualified for the position. GoldenEye takes advantage of this behavior. GoldenEye is currently targeting potential victims in German-speaking countries, but that could change at any moment.

GoldenEye emails include two attachments: a PDF cover letter and an Excel spreadsheet with a file name that includes the phony applicant’s last name, a dash and the word “application” in German. The cover letter looks entirely legitimate. It has an introductory statement and a photograph, and then states that the Excel file contains references and results from an aptitude test. The PDF attachment does not include any malicious code, but the presence of a well-written cover letter helps convince the victim to open the second attachment, the Excel file.

The Excel file contains the ransomware as a macro. The file displays a flower logo that appears to be loading something. Microsoft Office blocks the macro unless macros have been enabled by the victim. Victims are enticed to enable macros so that the loading screen will disappear and display the resume content. However, once enabled by the victim, the macro writes code into an executable file in the victim’s temp directory and then launches the ransomware. The program encrypts files and displays a ransom message. After the initial ransom message is displayed, GoldenEye restarts the machine, encrypts the Master File Table (MFT) and replaces the boot loader with a custom one that shows the ransom message on startup.

GoldenEye essentially performs the file encryption activities of Mischa and then restarts to perform the MFT encryption activity of Petya. Both encryption methods have been improved, and the decryption methods for Petya and Mischa will not work on GoldenEye.

GoldenEye’s ransom message instructs victims to go to a URL on the dark web to obtain their decryption key. Victims will need the decryption code presented in the ransom message to pay the ransom.

Be careful when opening any attachments from an unknown person and ensure you have a backup of critical files so that GoldenEye does not claim a ransom from you.
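The delivery chain described above has two observable stages that a defender can write rules for: the mail pattern (a PDF cover letter paired with an Excel attachment) and the macro behaviour (an Office application launching an executable it dropped in the user’s temp directory). The script below is an added illustration, not code from the original article or from any vendor; the log line format, the file names and the process paths are constructed sample data, and the German file-name suffix is left as an obvious placeholder because the article does not spell it out.

```python
"""Detection sketch for the GoldenEye delivery chain (added example).

Two independent checks:
  1. suspicious_attachment_pair(): a message carrying both a PDF and an
     Excel attachment, the lure described in the article.
  2. scan_process_log(): an Office process spawning an .exe from a temp
     directory, the behaviour the article attributes to the macro.

Sample data below is constructed for illustration only.
"""
import ntpath
from dataclasses import dataclass

# Office applications whose child processes deserve scrutiny (assumption:
# these are the usual macro hosts; extend for your environment).
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}

# Path fragments that identify a per-user or system temp directory.
TEMP_MARKERS = ("\\temp\\", "\\tmp\\")

EXCEL_EXTENSIONS = (".xls", ".xlsx", ".xlsm")


def suspicious_attachment_pair(attachment_names):
    """True when a message carries a PDF plus an Excel workbook.

    This mirrors the lure layout in the article: a harmless PDF cover
    letter that persuades the recipient to open the macro-bearing
    spreadsheet. On its own it is a triage signal, not proof of malice.
    """
    names = [n.lower() for n in attachment_names]
    has_pdf = any(n.endswith(".pdf") for n in names)
    has_excel = any(n.endswith(EXCEL_EXTENSIONS) for n in names)
    return has_pdf and has_excel


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


def parse_event(line):
    """Parse a constructed 'Key=Value|Key=Value' process-creation record."""
    fields = dict(part.split("=", 1) for part in line.split("|"))
    return ProcessEvent(
        fields["ParentImage"], fields["Image"], fields.get("CommandLine", "")
    )


def is_temp_path(path):
    lowered = path.lower()
    return any(marker in lowered for marker in TEMP_MARKERS)


def office_spawned_temp_executable(event):
    """Office parent + child .exe under a temp directory = macro drop-and-run."""
    parent = ntpath.basename(event.parent_image).lower()
    child_is_exe = event.image.lower().endswith(".exe")
    return parent in OFFICE_PARENTS and child_is_exe and is_temp_path(event.image)


def scan_process_log(lines):
    """Return the image paths of every event matching the macro rule."""
    return [
        ev.image
        for ev in map(parse_event, lines)
        if office_spawned_temp_executable(ev)
    ]


# Constructed sample records (not real telemetry).
SAMPLE_LOG = [
    r"ParentImage=C:\Windows\explorer.exe|Image=C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE|CommandLine=EXCEL.EXE doe-application.xls",
    r"ParentImage=C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE|Image=C:\Windows\System32\splwow64.exe|CommandLine=splwow64.exe",
    r"ParentImage=C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE|Image=C:\Users\hr\AppData\Local\Temp\update.exe|CommandLine=update.exe",
    r"ParentImage=C:\Windows\explorer.exe|Image=C:\Users\hr\AppData\Local\Temp\installer.exe|CommandLine=installer.exe",
]

# "doe-application.xls" stands in for "<lastname>-<German word for application>.xls".
SAMPLE_ATTACHMENTS = ["cover-letter.pdf", "doe-application.xls"]

if __name__ == "__main__":
    print("attachment lure pattern:", suspicious_attachment_pair(SAMPLE_ATTACHMENTS))
    for hit in scan_process_log(SAMPLE_LOG):
        print("office process launched temp executable:", hit)
```

The process rule fires only on the third sample record: Excel launching a print helper from System32 is normal, and Explorer launching an installer from Temp is the user’s own action. The attachment rule is deliberately loose and is meant to route messages to a sandbox or to a reviewer who knows to look for the “enable macros” prompt, not to block mail outright; the real mitigations remain blocking macros from internet-sourced files and keeping tested offline backups.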

For more news and information on the battle against ransomware, visit the FightRansomware.com homepage today.

Which Security Career is Right for You?

Security is a growing field, and with its growth come many different career options. As you gain experience in different security areas, you may choose to specialize further or move into management in that area. Some security roles include security analyst, network security engineer, security auditor, computer forensics professional and penetration tester.

Analyst

Security analysts interpret security information from within the organization and from outside entities and make recommendations to management. They review security logs and data collectors for organizational systems and alert colleagues to potential threats. Some analysts work in a Network Operations Center (NOC), where information from data collectors is consolidated and presented for ongoing review and decision-making. They also review current security standards and recommend methods and controls to maintain a consistent information security risk level within the organization. Analysts are generally detail oriented, organized and thorough.

Network Security Engineer

Network security engineers implement controls as defined by management or required by regulations. They are responsible for configuring a variety of technologies including perimeter defense systems such as firewalls and intrusion detection systems; authentication systems such as directory services, remote authentication, and biometric systems; and encryption services. Network security engineers often have a background in information systems and networking.

Security Auditor

Security auditors are responsible for assessing whether adequate security controls are in place in an organization in order to satisfy regulatory requirements and organizational risk thresholds. They may work as consultants providing auditing services to clients. Auditors may use multiple methods for assessing controls: observations involve reviewing control documentation, corroboration relies upon interviews and statements of those responsible for controls, while inspection relies on direct control review. Auditors may also test controls by conducting simulations. Auditors are generally detail-oriented, pragmatic and methodical.

Computer Forensics

Computer forensics professionals such as forensic investigators or analysts collect digital evidence from devices such as computers, hard drives, phones and flash media. They follow a strict process that ensures original evidence is not modified and that a chain of custody documenting each interaction with the evidence is maintained. Computer forensics professionals analyze the data on devices, including data in deleted areas, memory or unused portions of media to find data relevant to an investigation. They may also be required to testify in court regarding their findings. Major tools used in computer forensics include Guidance Software’s EnCase, Access Data’s Forensic Toolkit (FTK) and Cellebrite.

Penetration Testing

Penetration testers assess the security of a system by attempting to break into it. Penetration testing occurs only after the owning entity of the system provides authorization for testing to be performed. The attacks used and vulnerabilities discovered are documented along with appropriate remediation steps. Major tools used in penetration testing include Metasploit, Nmap, OpenVAS and Kali. Penetration testers are generally very creative, adventurous and curious about how systems work.

Security Management

Security managers coordinate activities in their area of responsibility. They ensure that those in their department have tasks to accomplish and the resources to complete those tasks. Security managers ensure that costs stay within budgets and approve or make recommendations on new equipment purchases or staffing changes. Security managers also provide leadership and coaching to their departments while interfacing with other executives to coordinate activities and communicate the status of ongoing work. Security managers may be responsible for areas such as a Network Operations Center (NOC), Security Operations Center (SOC), penetration testing team, auditing department, incident response, system analysis, or other areas.

Managers are sometimes promoted from within a department or may come from a business or project management background in another field. If you wish to get into management, gain familiarity with an information security discipline and then begin developing your project management and leadership skills.

You are in for an exciting career no matter which role you choose. Consider your own personality and think about which of these areas appeals to you. One element common to all these roles is continual learning. The security field is constantly changing, and you will need to stay abreast of these changes to be effective in your role.


Security Career Networking Tips

Do you know why all the major online retailers offer a way for users to review products? It’s because people want feedback from others when making a decision. Job searches are no different. A resume may say a lot about skills and experience, but it says little about a person and, in the end, it’s the person who gets hired. Start networking to accomplish this. You can do this by building a network, networking through groups and through social networking.

Building a network

A word from a colleague or associate regarding an applicant makes a much greater impression than a good resume. For this reason, it is important that you not only gain the necessary skills and experience but also build a network of professionals in the industry.

You can begin the process right now. Create a list of the people you already know, such as friends and family, neighbors, co-workers, coaches or trainers. Even people you have met in the past such as friends of your parents, your doctor, insurance agent or lawyer can help.

Discuss your career goals with people you know and seek their advice on how best to prepare. Most people have a desire to help and enjoy providing advice if they know that advice will be appreciated. Make sure you follow their advice if it sounds reasonable and keep them up to date on your progress.

If you don’t follow their advice, let them know why. These people will be your champions once they see that you are willing to listen attentively, pursue your goal tenaciously and communicate with them. You are giving them a success story they can later relay to a hiring manager, which can go a long way in establishing that you’re fit for the job.

Networking through groups

Join one or more professional groups such as ISACA, ISSA, ACM, or Infragard and begin attending their meetings. As you talk to people, concentrate on asking questions about their work and some of the challenges they face. Work on being a good listener by concentrating on the person, thinking through what they say and asking questions to clarify.

Don’t forget about your nonverbal communication. Smile and make eye contact. Shake hands firmly and keep an open, inviting stance. Be aware of their nonverbal communication as well, especially indications that they want to switch to a different topic or step away from the conversation.

It can help to collect business cards and take notes on the people you meet; it’s easy to forget important details if you don’t write them down. Review your notes before your next meeting so you can engage with people again and pick up where you left off.

Social networking

Develop a LinkedIn profile and possibly a Google+ or Twitter profile. Add the people you meet to your social networks so you can continue to interact with them and better understand their relationships with others. However, don’t rely solely on social networks, because they are simply an extension of your real-life networking activities.

When it comes time to search for a job, let those in your network know what you are looking for. Be specific. Don’t just say you are looking for a job. Rather, say what position you would like to have. A large number of positions are filled without ever being posted to a job board. Those in your network may be aware of one of these possibilities and could mention you to the hiring manager.

Remember, you are asking a great favor of someone when they recommend you for a job. Make sure you have developed a good relationship with that person before asking. In other words, don’t ask someone about potential opportunities the first or second time you meet them.

Make those personal connections and begin networking now. The process itself will make you a better communicator, and the relationships you build will benefit you long after you start your career.


Getting Over The Experience Hurdle

New graduates are in a tough spot, especially those interested in cyber security. A majority of cyber security positions require one or more years of experience, and therein lies the difficulty, because experience is usually earned on the job. Don’t let this hold you back from applying for one of these positions, because there are many ways to get the experience you need.

Certification

Certification is an excellent way to demonstrate skills, especially when experience is lacking. Certification tests are typically timed, multiple-choice exams that measure knowledge of a specific subject. Some of the mainstream certifications, such as the Certified Information Systems Security Practitioner (CISSP), have an experience requirement but many others, such as the Security+, Certified Ethical Hacker (CEH) and the Holistic Information Security Professional (HISP), do not.

Volunteering

Do you belong to a group or support a cause that might need your help? Experience does not have to be gained on the job. Instead, offer to secure the website code for your scout troop, update the computers at your church or school, teach residents of a local nursing home how to protect their privacy online or configure wireless access points for people in your apartment complex. Lastly, don’t forget to list these volunteer activities on your resume. You can include them in a skills section if you have only volunteered once or twice but if you volunteer regularly, create a volunteer section on your resume to specifically highlight these.

Extracurricular Activities

There are likely professional groups in your area that discuss security such as ISACA, ISSA, ACM, or Infragard. If you are in a major city, there are probably dozens of groups. While some cost money to join, many memberships or attendance of group events are free. These groups might meet monthly to discuss relevant topics in cyber security—join one or more of them and start attending their meetings. After you become comfortable with the members and venue, approach the group’s leadership about helping out. Most groups are always in need of help, and this will also allow you to network with others in the industry and stay current on important topics.

Internships

Most of the suggestions so far have offered ways to gain experience outside of the workforce. Internships, however, offer on-the-job experience that can easily be added to your resume. Internships are advertised in the same places you’d find job postings: job boards, Craigslist, school career portals and company websites just to name a few.

Some internships are unpaid, but don’t be frightened by this. Unpaid internships are generally more geared toward preparing an intern for the workforce. Paid internships, on the other hand, usually involve tasks that are more directly related to the company’s business—there may be less mentorship and guidance.

Either way, internships give you a chance to try your skills out in the real world and to tackle real problems that you can discuss in an interview or cover letter. Also, don’t forget to ask for a letter of recommendation from your supervisor if you did a good job in your internship.

Everyday Activities

The last area where you can demonstrate experience is in your everyday life. This is especially relevant for soft skills or general business skills such as communication, time management, organization, project management and planning. You can begin this process right now. I recommend creating a skills inventory that you can draw upon as you begin your job search. You can start with a simple outline. Create main sections for computer skills, critical thinking, problem solving, leadership, organization, communication and so forth.

Next, think about times when you had to use these skills in your daily life. For example, for leadership you could list how you took charge of a team project for one of your classes. Describe how you divided responsibilities and helped set a shared vision for the group. Make sure to describe the outcome as well.

Armed with one or more certifications, volunteer and extracurricular experience, an internship and your everyday skills, start looking for jobs and create a resume and cover letter tailored to the desired traits indicated on the job description.
