What You Need To Work in Cybersecurity: the secret sauce

I see a lot of rules based ‘quick fix’ learning opportunities in cybersecurity, and by that I mean short, intensive courses that claim to make you ready for a cyber job by taking a couple of courses. These are usually boot camp style condensed programs that promise to turn an accounting or science student into a cybersecurity practitioner in a single semester by showing you how to use tools x, y and z. They treat cybersecurity as though it’s an office job: we show you the cybersecurity rules and you follow them. You can see how well this is working by the ongoing shortage Canada faces in finding cybersecurity professionals.
I got into cybersecurity with my students in 2017 when we started chasing CyberTitan, but I brought something with us that isn’t typical in the world of STEM: a relationship with technology that is based on a willingness to hack. I don’t like the word hack, it has negative connotations to it in English that have been encouraged by the self appointed masters of STEM (the S&M part), but that willingness to iterate and work outside the expected outcomes is the secret sauce in cybersecurity that many ignore, and a major reason for why I’ve taken to it like I have.
‘Necessity is the mother of invention’ has been the motivating factor in my relationship with technology since the beginning. I moved quickly from off-the-shelf to customized solutions based on experimentation and need. Within six months of owning my first home computer (a VIC20), I’d figured out how to copy software using a sufficiently low noise audio deck. My first x86 Windows PC was purchased but quickly modified as I came to need more memory and processing power. By the mid-90s I was building my own computers at a time when many people didn’t own one.
This process was initially powered by curiosity, which many training programs eclipse with the promise of a ‘we provide the initiative and knowledge so you don’t have to’ approach – something that has never appealed to me and a major reason why I didn’t start collecting certifications until 2001 (I’d been working in IT for a decade at that point). Schools are bad at this too. Many educators feel that it is their job to impart knowledge in a regimented format (that’s why we call them disciplines!) and assess student understanding with examples of rote learning that emphasize compliance rather than their own understanding of a subject. Many in education call this approach rigorous and disciplined – it’s how they demonstrate credibility.
The Indians have a term for austere innovation: jugaad (non-conventional, frugal innovation) which doesn’t have the pejorative connotations of the English ‘hack’. Jugaad celebrates common sense with a solutions focused approach to creative problem solving without needless bureaucracy. It emphasizes an applied approach to making technology work that is especially needed in an industry like cybersecurity where practitioners are often facing out of the box problems. WIRED recently did an article on a Ukrainian technologist who demonstrated this start-up like approach in the war with Russia. There is even an event in cyber that highlights this out-of-the-box rapid response to an unknown problem: the dreaded zero day vulnerability. Jugaad will get you much further than any amount of rote learning during a zero day attack.
Kintsugi has played a part in my motorcycling.

There is another term in Japanese that takes the derision found in English out of making old things work. I’ve long enjoyed the concept of ‘kintsugi’ or ‘golden joinery’, which is the repairing of old things using gold to embellish the fix rather than trying to hide it. In typical Japanese fashion it raises what is seen as banal work in the West to an artform. A concept that combines jugaad’s celebration of a fix beyond rules based approaches with kintsugi’s raising of that fix to an artform is where a good candidate for work in cybersecurity should find themselves inspired. When I started in cyber I found my IT background helped in terms of understanding the mechanics of what was happening, but my kintsugi powered jugaad approach is what has allowed me to thrive.

This ‘secret sauce’ is often ignored in education and especially in cybersecurity adult retraining. There are some disciplines that tend to attract rules focused types, but that fixation on systemic order blinds them in the edge cases where cybersecurity often operates. Rather than retraining an accountant or rigorously compliant STEM student, I suspect that those exploring subjects like detective work in policing or creatives in the arts would find the skills they’ve honed more effective, but that doesn’t stop everyone from demanding a computer science degree for any job in the industry.
In 2019 after the Terabytches went to CyberTitan nationals we got invited on the local radio station to talk about the experience. The interviewer asked me a good question about our DIY approach to computer tech. I was annoyed at the lack of resources, but he suggested it might be what gave us an edge. He was right, we’d been jugaading and it made us mighty!

There are many jobs in cybersecurity. People who lean toward the jugaad end where they can problem solve without restrictions can find a comfortable fit in operational cybersecurity where they are monitoring real time threats, penetration testing where they are attempting to exploit a client’s system to highlight vulnerabilities, or threat intelligence which focuses on gathering reconnaissance data on threat actors. But even in the policy and compliance work, a willingness to consider and understand threats and solutions that are outside the box is a necessity.
This map of cybersecurity domains gives you an idea of the many specializations that the field offers, though I would argue that in all of them (even those up the compliance end) an ability to work from your own initiative and experience rather than a rule book is essential.
Sam Sheepdog & Ralph Wolf know the score.

I sometimes describe cybersecurity types as sheepdogs. I think many in law enforcement also fit this description. You can’t send a goat to fend off wolves, but having a wolf of your own will do the trick. Early on in my transition from IT into cybersecurity I found myself leaning on IT administrative habits that don’t work in cyber, and came to realize that the jobs are very different, though the technology is the same. If you have an IT person running your cybersecurity you’re likely to be constantly surprised by the attacks you face because they tend to see systems in an architectural way rather than as an opportunity to be compromised.

It would be easy to say something silly like, ‘there are no rules in cybersecurity!’ but that’s pointlessly reductive. It would also be easy to describe all the people in it as hackers, but this isn’t true either, though a mentality that tackles problems from a place of curiosity and jugaad is far better than a rules compliant myopic who can’t see beyond the framework they maintain. At the end of all this I firmly believe that you need a bit of the wolf in you if you want to consider a career in cybersecurity. I wish more cybersecurity training and especially adult retraining would emphasize that when looking for candidates rather than demanding STEM grads often missing these skills. If it’s a formulaic job that you’re looking for, cyber isn’t it.
STEM students are often missing skills which “include teamwork, collaboration, leadership, problem-solving, critical thinking, work ethic, persistence, emotional intelligence, organizational skills, creativity, interpersonal communication, and conflict resolution.” Adding an ‘A’ to STEM doesn’t fix this, incorporating an iterative, resilient, team-based problem solving mindset into STEM subjects would, but that doesn’t tend to be how we teach them.

Another piece of Canada’s cybersecurity puzzle came into focus from the last post on how our cybereducation system is broken. In response to that, Francois Guay from the Canadian Cybersecurity Network followed up with the observation that the cybersecurity talent pipeline in Canada is also in tatters.

I’ve been thinking about that post and believe all of the responses from both new cybersecurity practitioners and veterans are valid. It would appear that when you try to fix a talent shortage with rushed retraining no one trusts the results. Problems such as absurd requirements for entry level positions like asking for 5 years of experience on a tool that only came out last year or demands for that vaunted yet irrelevant computer science degree continue to strangle entry level workers coming into the field, even though they have hacked (cough) their way through our broken cyber education system to do it.
Not to sound hopelessly jugaad, but the simple solution would be to introduce cybersecurity apprenticeships that give everyone a chance to find those with the right combination of fearless curiosity, critical thinking and tenacity needed to do the job. Students with a background in science and technology might find that they are familiar with the medium that cybersecurity operates in, but that doesn’t mean they’ll be able to handle the demanding stochastic message that working in cyber demands.
I’ve always told my students that if they can bring a willingness to explore, experiment and possibly break things in the process of figuring them out, they don’t need to sweat the technicalities, I can teach them those by harnessing the curiosity they bring with them. I’ve had strong technical students fail in cyber because they lean on systemic approaches to do less. Another favourite adage of mine in the classroom is, ‘if you’re looking for a way to do less, you’ll usually find it.’ Those that want to work in a framework often do it so that they can delineate where they can stop; in other words it’s used as a way to limit their involvement. That’s no way to approach cybersecurity. If solving a problem is a nine to five gig for you, go find work elsewhere.
