Cyber has exploded. Back when I was a kid it was a bunch of hanging out on IRC and visiting Vegas. The idea you would hire a hacker was laughable to most people. It was a small culture of generalists. At my first job, an oil company, whenever I talked about deploying virus software they would ask me if I meant “anti-virus” software. Yes. Because that was my job. But they were convinced it meant something bad.
Nowadays, some organisations have Risk teams, you have Policy, you have red teams trying to break into companies, you have people sat looking at Splunk trying to figure out what is happening to defend their organisations.
Author: Kevin Beaumont: Senior Threat Intelligence Analyst @ Microsoft Threat Intelligence Global Engagement & Response.
It’s worth keeping in mind most every conversation you have internally in departments will be with somebody who looks at something in a specific way. It’s also worth keeping in mind this with online conversations, too. Lots of conversations online go something like “Just patch!”. Which, from a policy point of view, is absolutely right. From the point of view of the people who actually do the patching at scale and manage the systems operationally, “Just patch!” is a bit like saying “Just phone up Taylor Swift and ask her to be your friend”.
This also swings the other way. I was part of a conversation recently with lots of people at lots of UK companies about how to build a great Vulnerability Management team rather than a good one. A great deal of the people had this opinion; you have a dedicated Vulnerability Management team?! Many organisations are still struggling to resource basic patching. It ties into the broadchurch thing; keep in mind what you see and what the person you’re talking to sees, although in theory you’re looking at the same thing, may look very different depending on their experiences.
This was by far the popular thing people tweeted at me, all negative sentiment. People said they did not realise the political arena they would be entering.
So here’s the spoiler: there’s very few jobs where you will be doing security for the sake of doing security. Smart organisations want security to enable them to operate securely, which can mean getting out of the way (which can include products and deployment configs which allow people to get on with working).
Some businesses play fast and very loose with security. It’s actually really rare to see an organisation with anything near good security. For many organisations they just cannot realistically afford to run anything near top security — that crab paste company you’re eyeing a cyber job at needs to make crab paste, not have everybody logging in using triple factor SSH keys.
My view with politics is — usually — I actually enjoy it. Not always. The key for me has been learning to try to influence people gently towards a desired outcome — that might take time and patience — and to know when to get over myself and compromise on something to get a better longer term goal or standing within an organisation. A really key one is listening. Sometimes what you’re proposing really isn’t possible with the resources a department/team/company has. Sometimes what you’re proposing isn’t workable for reasons you’ve never even thought of. Sometimes what you’re proposing is just dumb in the real world. And sometimes the arguments an organisation will present against doing something won’t make sense. The key thing is you’ve listened, and you can go away and figure what to challenge, and how.
But, essentially, if you’re getting into the industry thinking most companies have great security and you’re there to enforce the best possible practices of security and there will be little politics: you may have a bad time. Most companies now recognise cyber security as a key risk; that does not mean it is a key focus of a company. And rightly so. Cyber security aren’t there to make a cyber security company, they’re there to enable a company to get back to being that company.
The security community is pretty terrible at times
Back in my youth(tm), we would hang on IRC all day, and then meet up at night for drinks. People knew each other’s real life infos when they met. Trusts were formed. Ideas were exchanged. And, well, lots of idiots were around too.
Many of those people got jobs at big companies, or left the industry.
What is left is a weird shell with lots of different angles. Some of it is brilliant. I like InfoSec Twitter, for example, most of the time as I see material I wouldn’t otherwise. I read almost no InfoSec websites; I exist off a diet of animated GIFs and info drops. I try to never take it seriously.
But there’s a weird atmosphere. I think the Infosec community has gradually eroded, and in it’s place there’s a weird dynamic of self importance emerging, especially post WannaCry as companies seek to find talent.
There’s a lot of punching and drama I try to avoid, particularly on Twitter. I tend to avoid LinkedIn as it appears to be mostly people reposting articles from the press, where I don’t think anybody involved really understands the thing they’re highlighting.
I think there’s a very real echo chamber, too.
My overall feeling is the InfoSec community is beginning to punch down. We’re punching at users, calling them thick. We’re punching a individual social media people for large companies, calling them stupid. We’re punching each other, too.
Now, you may say “Aren’t you the guy who highlighted flaws at Equifax?” Yes I am. They’re a multi-billion dollar Group of companies. I wrote about how the problems they had with Struts could be avoided. Personally I think it’s okay to highlight how large corporations can do better, without picking on people. But this is something I introspect on a lot.
I think ultimately, for me, the community now takes itself very seriously — perhaps too seriously. Twitter is a fun distraction, it can also be great info, but look at the fact I have 47,000 subscribers on Twitter and realise: that is nonsense.
Prepare to earn your place
Lots of people are arriving into cybersecurity. Which is great because fresh people and ideas are absolutely needed — since I started many of the same problems still exist, which is embarrassing. I think there’s a very real lack of diversity in every sense in our industry.
But here’s the thing. I think the number one quality people can bring to the arena is also experience. That doesn’t mean 10 years experience. That means existing in a job and a company and doing the hard work. If you’re really in there, delivering, doing, you’re going to be valuable and won’t have problems finding other jobs in the future. Commit. Do. Deliver.
It’s also worth pointing out many companies are still early in their cyber journey, and some need guidance. Sometimes, you may have to do things which you weren’t expecting in a role. Sometimes, that’s a bad sign. In many cases, it allows you to break free from the box you’re in and get involved in something great. Sometimes you have to gamble and take the lead. My rule is that if you’re doing something which truly aids an organisation in being secure, you’re doing it right.
Write it. Shoot it. Publish it. Crochet it, sauté it, whatever. MAKE.
This isn’t for everyone, but if you’re looking at getting into the industry, you can start a blog and write. Or learn to code and then publish said code.
You will be surprised how many basic tools in InfoSec still don’t exist. For example, through its product life there was no easy central way to report on events from Microsoft EMET. Companies are doing things like associating .vbs files to Notepad as a way of mitigating ransomware attacks, but nobody has written a tool to do this better.
Back in 1998 one of my friends got a Cobalt RaQ 3 during school work experience at Cable and Wireless INSnet. He made me the admin of the box, I reworked the Linux kernel on it to include security hardening patches (I wasn’t a usual teenager…), and we used it for hosting friends projects. I installed VMware on it, and we deployed a Virtual Machine Linux box with no outbound internet access — which we posted credentials to in IRC channels, and then used tcpdump to packet capture people owning the box. In hindsight, it was one of the early honeypots.
From Dave’s work experience, I learnt invaluable Linux admin and security techniques.
My best advice is find a niche, explore it and write about it. If it goes nowhere, either keep at it if it interests you, or find another niche. Nobody has yet nailed cyber security, so it’s a fertile land to explore. If you’re out there, people will find you for employment too.
Have interests outside security
The burn out is real. You will hit a wall. So have interests outside security.
I play video games — my Xbox Live account is 16 years old, which is older than most of the people I play against. I play games like Sea of Thieves, a game which requires voice communication and team work to sail a pirate ship. That’s actually helped me with communication skills, as — for example — there’s no on screen map, so you have to tell people which direction to sail in using compasses, and make sure people are motivated to continue otherwise they just quit.
I also play racing games — I have a full steering wheel setup, despite not having a driving license in the real world. Why? Risk and reward. I’ve crashed and burned by taking risks. I’m now better at judging when to brake.
I guess what I’m saying is other interests can help inform your work — while making sure your head isn’t in one space all the time. If you’re only looking at one thing, you will lose the bigger picture.
There is no set path into InfoSec
This debate flares up on Twitter all the time, with people (including me) saying ‘Get a job on a helpdesk’, and others saying ‘No that’s dumb, get a job straight in InfoSec’. The truth is, there is no set path here and the industry is changing so quickly that paths exist now which didn’t exist 5 years ago, and those may not exist in 5 years if there’s an industry bubble pop. Ultimately: show your worth, show you care, and always be yourself. Unless you suck.
Communication skills matter
Work on how you present things. We live in an age of information overload, so if you’re working with somebody who realistically doesn’t care about what you’re saying — for example, security isn’t their job — try to clearly communicate your thoughts. Often with as little detail as possible, unless they ask for it. And engage people. I do things like lean down at desks when talking to people so I’m below their eyeline, so appear submissive — in my first job they sent me on body language comms courses.
Ultimately, remember, you’re the security person. Your opinion matters, but so does an auditors. Help people see value in concepts and they will see value in you.
Not just technical people are needed
That’s right, cyber needs more humanity and people skills. Desperately. There’s way too many bearded Linux dudes like me. The precious resource which people don’t yet value is people with, well, people and business skills.
Cyber can be hilarious. Over the past two decades I’ve been situations people wouldn’t believe. During the WannaCry weekend, while Marcus was trying to fix things (and dodge press by jumping over his garden wall), I sat on conference calls I will likely never detail laughing more than I’ve ever laughed before. It was serious stuff for the UK government, it was ridiculous and fast moving and I didn’t sleep for days.
The day the Locky ransomware first appeared in 2016, I registered a DGA’d domain for it at lunchtime and streamed the failed victims to music from Taylor Swift. Wired Magazine called me for an interview about that. At the time I worked for a company which made bloater paste.
I’m just an idiot with a website, and you’ve just read this, so this industry is hilarious. Enjoy it and all the politics and amazement. Time to die.