Cybersecurity: How to be Truly Great

Security people, really good ones, are hard to find. In the U.S., there are maybe a dozen true recognized experts—those with the right technical background, practical experience and mindset to practice effective cybersecurity, along with the curiosity and passion of an accomplished hacker.

See our detailed list of necessary cybersecurity skills

This capability is in such short supply that I’ve tried to do my small part by using my informal position as a mentor to encourage those who have those characteristics to train as White Hats, or ethical hackers.

For years, I’ve worked primarily in Information Assurance and Cyber Forensics: securing and defending computer systems and networks, analyzing the results of Black Hat or Cracker activities, and other interesting things.

My customers are usually in the federal government, but also in banks, financial organizations and hospitals. Do I have a CISSP? No. Do I have other security certifications? No. I’ve taken (and enjoyed) several SANS Institute and Global Information Assurance Certification (GIAC) classes, and I’d like to obtain one of the GIAC certifications. They’re expensive, so I take classes as my budget allows.

The Hacker Mentality

So who would be an ideal cybersecurity expert? They’d need to be a hacker and have a hacker’s passion and mentality. They like to take things apart, be it hardware, software or really anything. They like to figure out how they work, identify their weaknesses and then create solutions to make them better. (For more, see my post “You Say ‘Hacker’ Like It’s a Bad Thing…”)

So let’s differentiate between a hacker (or White Hat) and a cracker (Black Hat). Many people—including most of the media and government—use the terms incorrectly.

A cracker is someone who intentionally breaches computer security by breaking into someone else’s system or network. Crackers do this maliciously, some for profit, some for what they see as an altruistic purpose or cause. While hackers may have the same technical skills as crackers, they don’t take part in the same kind of malicious activity.

Ideal cybersecurity experts indeed must be able to think like a cracker. Only then can they strategically and tactically compete against crackers and all that they unleash. In order to defend a position, you have to understand what it takes to attack, recognize and exploit vulnerabilities, and secure the same position.

Today, there is actually a term for this that comes from the military’s use of war games: Red Teaming. It’s the practice of viewing a problem from an adversary or competitor’s perspective. The goal is to enhance decision making, either by specifying the adversary’s preferences and strategies or by simply acting as a devil’s advocate. If you dig into some of the principles behind Red Teaming, you’ll find Game Theory.

Other skills that are part of the cybersecurity toolbox, though harder to quantify, come from the individual’s background: an aptitude for games of strategy like Chess, Go, and Risk, for example. This usually gives them the ability to see patterns of behavior in an opponent’s moves. Though I’m not entirely sure skills like this can be taught, I have found them to be evident in colleagues who are considered true experts in the field.

Education/Certifications

From an education standpoint, most of the experts I’ve encountered have multiple degrees. One is usually information systems, mathematics, computer science, computer engineering, systems engineering or a related field. They also have at least five years of relevant information security experience.

When it comes to certifications, the overall computer industry likes the CISSP. However, certifications that actually show mastery of the subject are from GIAC. Practicing professionals hold those with GIAC certification in high technical regard.

Other certifications that can be useful are those in Systems Administration and Systems Programming that have practical examinations and continuing education as part of the certification process.

Communications

Key for any security professional is the ability to communicate in writing, orally and through effective presentations. The ideal professional also must—must—be able to communicate both technically and with high level executives. This in itself can be a challenge, but it’s something that can be learned with practice.

They may or may not have published articles on cybersecurity. At the same time, some have published, but without attribution. Still, almost all have written bylined technical articles.

Leadership

In addition to all that, the ideal experts have both hands-on technical skill and the ability to lead other technical people. They have a view of the big picture and how security impacts the business and its customers. They usually actively participate in R&D projects and open source projects.

So where would you find people like this? Events like DEF CON, Black Hat and Chaos Congress. They’re usually the folks who listen and try to blend in.

More Skills

This is a lot. And it’s just the high level. For a more detailed look at the skills and professional approach the most successful cybersecurity experts take, click here.

Comments

  1. BY Jeff says:

    I enjoyed your article.

    I am currently working on my Master of Professional Studies (MPS) degree in Cyber Security, and work in the IT industry at a software development company doing software and website technical support. In addition, I have my Bachelor of Science (BS) degree in Journalism, and obtained my CCNA, CCNA Security, Network+, Security+, NSTISSI 4011, and CNSSI 4013 certifications.

    Even though I don’t have an undergraduate degree in an IT-related area, do I have a good enough background to pursue Cyber Security jobs after I complete my Master of Professional Studies (MPS) degree?

  2. BY Seeker says:

    I thought that this was a fairly good article. There were a few things I noticed though. Many folks newer to the field of security will defend their not having certifications by trying to tear down the institution. Now to be fair, certification is not qualification …necessarily (unless it involves practical exercise, in which case you have done it at least once).

    And as far as SANS certifications go, I think they are great and their certifications demonstrate an otherwise inexperienced practitioner has been exposed to certain subject matter to a relevant degree. This makes the individual functional in the given area, not masterful. You aren’t going to start writing books and hitting the speaking circuit while managing million dollar impacting efforts just because you passed a SANS exam. Also you have to be careful, a lot of that material you are learning there is contracted out and not coming from where you think it is ;)

    On the topic of qualifications, I don’t necessarily agree here either. I have done network monitoring, code review, incident handling/response, risk assessment, architectural review and penetration testing as well as other activities. I didn’t need to be a hacker for all of these, but it doesn’t hurt. Some of the people I worked with were pure policy folks that weren’t entirely “technical” in that they could code or had heavy weight technical degrees, but they were appropriate for the efforts they were involved in. I also don’t agree that sitting around in your childhood playing strategy games reliably translates into a good candidate; the element of mutual exclusion does not apply here.

    I think finding an expert is a common exercise in any number of fields. This person understands the fundamentals of the various sub divisions (specialties) within a field and can convey the structure and importance to their client. This person is technically proficient to the degree that they could “plug-in” and perform functionally within those areas (they are supposed to be an expert right?) I have seen some guys on the speaking circuit that can’t really do all the things they are talking about (or haven’t done them in a really long time), but then they are up there because they are talkers …not doers necessarily.

    I don’t think I have said anything too controversial and since you are coming from the 80’s I’m sure you are more than mature enough to handle someone having a slightly different view than yourself and taking from it what you can. I just hope it’s helpful in some way.

  3. BY raphnexx says:

    Great article! Companies should hire a CyberSec expert to protect their business data and sensitive information against these crackers.

  4. BY jason foley says:

    Ha, I thought that was the whole reason!
