In a previous article, I shared the stories of how more than a dozen cybersecurity professionals found their way into the industry. Their non-traditional cybersecurity career paths help to illustrate how personnel of all different educational backgrounds and life experiences can become part of the same community. There’s no single certification, degree, qualification, job, age, gender or race that defines the people who succeed in cybersecurity jobs. The possible permutations of such an expert are literally infinite.
Different origin stories don’t detract from the central job of protecting corporate data and users’ information. Quite the opposite, actually. They augment it by adding new ways of looking at shared problems in the industry. That’s what we need if we are to uphold our central job in spite of an evolving digital threat landscape.
Just like the cybersecurity career paths that help to shape them, the way these perspectives end up informing the security work varies from individual to individual. I asked some of the same cybersecurity professionals from last time to reflect on how exactly their individual experiences have shaped their work. Here’s what they had to say.
Caitlin Kiska | Information Security Engineer (Threat Intelligence)
“Like cybersecurity, poker (and even more so online poker) is intensely male-dominated. There have been recent pushes for more diversity, but good intentions do not always equate to a more welcoming environment. Poker helped prepare me for men attributing my success to supposed soft skills or old tropes such as ‘women’s intuition’ instead of analytical skills, raw intelligence or technical prowess. There will always be people who will attribute my success or knowledge to anything except for its root cause: hard work. Being in a related male-dominated field prepared me for the harsh reality that (unfortunately) there are still large numbers of my cybersecurity peers who view me as a woman before they view me as a professional on equal footing.”
“When at the European Union Agency for Cyber Security (ENISA), I created the Internet of Things (IoT) domain. I used my knowledge and experience to protect cyber-physical systems, particularly in a safety context. I worked with regulators, the public and the private sector. I then led a team and created my own consultancy. This path taught me that you must create solutions that are adapted to non-security people. It’s important to make sure security remains fit for purpose and to not promote advice that does not apply in a given context — even if there are relevant ‘best practices’ in another context.”
“I’m surrounded by people with STEM backgrounds in my current role. This allows me the opportunity to showcase skills that my coworkers might not be as strong in, such as writing and research. This has helped me understand that almost all the skills out there in the real world can be transferred into cybersecurity. If you can read people well, there is a career path for you in social engineering. Like to break into things? You could be working in physical security. Honestly, I’ve come to the conclusion that the field is so massive that there’s literally something here for everyone.”
Justin Kinney | Information Security Analyst
“My path into the industry really showed me that experience matters most. Getting hands-on experience this way shows you have the drive to constantly learn. The best way I can put it is it has made me a forever student. Anyone in this industry will tell you the second you stop learning is the second your company will get breached. As our systems are constantly changing, the adversaries are adapting just as fast. That can be a problem if you’re not learning about new threats such as the latest vulnerabilities and Advanced Persistent Threat (APT) groups.”
Damon Small | Technical Director of Security Consulting
“I started in performing arts and moved to IT, then to infosec, and then again to consulting. People often ask me if I regret spending all that time pursuing music. Without hesitation, the answer is, ‘No, I have no regrets.’ The path I chose was clearly non-traditional by today’s standards. But I ask you to recall that our industry was completely different in the 20th century than it is now.
“Also, and especially in consulting, creativity is a huge asset. Yes, we are computer scientists, but cybersecurity favors people with a creative bent. Yes, I went back to grad school and earned a Master of Science in Information Assurance (Norwich University) in 2005, but I fall back to those creative tendencies often in my role as a Technical Director of Security Consulting every single day.”
“Let me tell you a real story about myself. Nearly every child has a dream career for themselves of being an engineer or doctor. My childhood wish was a bit different. It was to become a police officer. I used to visualize myself with badges on my police officer dress, serving people and protecting society from bad people.
“As I grew up into a young girl, that dream slowly vanished, and I realized that I did not match some of the physical requirements that are needed to become a police officer. So, I chose Information Technology, as it was a new, exciting and booming field back in the late 90s. I studied computer applications for six years in university and started working as a software developer.
“I feel happy that being a cybersecurity professional, I have learned to help protect enterprises, government agencies and society from adversaries like cyber attackers and malicious hackers who are bad guys in this industry. We never know how things change in life, but I do have a strong intuition that when you have a strong desire to achieve something, there is always a hidden force behind you that helps you achieve it in one way or another.”
Haydn Bowers | Senior Solution Architect: Security
“My early career and study were all about abstraction. In physics, there’s a calculation method called perturbation theory where you progressively add greater and greater complexity into a model or equation to get closer and closer to real life.
“Take high school physics as an example. You study an object with no volume falling to earth with no air. Then, you progressively turn that into a football with a surface area and consider air resistance. Progressively, you consider wind. You then consider the football may be ovular, as per Australian or American football. And so forth from there.
“I’ve taken this approach into almost every conversation I have with clients as a security solutions architect. Whether it’s a strategic conversation about cyber maturity, defense-in-depth or something as simple as the tuning of an intrusion prevention system, it’s always featured this methodology.
“The truth is that strategies around abstraction have been incredibly useful when it comes to discussing risk management. The ability to determine the biggest bang for your buck and understand ever-additional perturbations above and beyond an immediate technical vulnerability enables greater conversations with clients around the optimization of business processes and the engagement of personnel. This applies regardless of whether there’s some sort of training involved or whether executive stakeholder management is at stake.
“What I’ve learned from this approach is that customers have a tendency to over-complicate their requirements. They tend to be more concerned about the individual trees that make up the proverbial forest than the forest itself, if you will. The ability to start with the core problem and progressively adjust and adapt a solution has been instrumental in aligning security solutions to business requirements. With this principle, I have found great alignment with the Sherwood Applied Business Security Architecture (SABSA) and Zachman methodologies. You begin with business outcomes and progressively work your way down the architecture layers to de-risk an organization with risk-appropriate solutions.”
Pete Herzog | Managing Director of ISECOM
“Field work challenged me to learn IT, networking, routing and all the troubleshooting one can imagine. My skills only grew from there. Combined with all the English and literature courses I had to take to be a librarian, I could write a mean report, too. That got me into other IT positions dealing with network services like email and web services. There, I learned how to troubleshoot Linux along with DNS, Mail, routing and working in remote shells. The more I learned about how technologies fundamentally worked, the more capable I felt I was at testing and securing them.
“I took a job as a network interface card tester for Intel, where I had to load and reload Windows and Linux hundreds of times and run network tests against the cards. That taught me how to find patterns and break things. Eventually, I landed my first hacker job at IBM in eSecurity emergency response, and that’s where I learned all about creating security.”
“When I started, I wasn’t degreed. There were no certifications like there are today. While there were computer science classes available, they focused more on application development versus security at any level. I literally worked through the school of hard knocks. I read manuals and industry publications like Computerworld and Network World. I saw a need for IT security/cybersecurity skills, and I was eager to learn. So, I moved ahead that way.”
Simon Backwell | Information Security Manager
“My years as a systems and test analyst allowed me to hone my skills for report writing and attention to detail. These are two necessary skills in a security role. Indeed, they’ve assisted me in report writing and internal audits. My prior customer-facing experience also has assisted with customer security questionnaires and calls, tailoring my responses accordingly to suit a variety of audiences. I have learned a lot of skills on the job, especially technical IT and security aspects, and this ongoing learning has continued into a data protection perspective.”
One More to Go …
In the final installment of my three-part blog series, the security professionals featured above will share their recommendations for how anyone — even those without a relevant certification or degree — can work to enter the field of cybersecurity. Stay tuned.