A Confederacy of Dunces — The Role of Education and Experiences in Cybersecurity
If there’s anything that will set the tone of this article is that I cringe and pause every time I have to write “cybersecurity” in a non-ironic way in anything. When I got started in my career, that term didn’t exist in the professional vernacular, and to be honest, I couldn’t exactly pinpoint when I started encountering it, but I immediately found it off-putting. However, it’s my adopted career, and it’s what I live with on a day to day basis, even though my career has progressed from one point to another, taking me from a fresh college graduate to, what could be termed in some circles, a tech executive — all in 20 short, weird years. But it’s all be a mix of education, formal and self-taught, and many years of experience.
The Observation
With the recent kerfuffle regarding the suspected qualifications of the former CISO of Equifax in light of the rather disastrous breach, there was inevitable “security community” commentary over applicable skills, education, experience blame game. The Twitter hashtag of “#NotQualifiedForTech”, and snarky variations thereof, are in use by those same individuals, recounting their backgrounds and experiences and why, by using the measuring stick of other social media posts, why they shouldn’t be in the jobs they have if it was based on the formal education metric. Many of these stories range from explaining they didn’t have a formal education, or had a non-technical major, or some other variation of highlighting their success in their career in spite of being “adequately credentialed”. However, one of the gaps in their argument tends to overlook experience in spite of education and credentialing associated with technical and security-centric positions.
Granted, with most of these initial “arm chair” readings of how things went wrong, who’s to blame, how they could have avoided the ultimate outcome, how could we do better as a profession to prevent this, then the next rounds of schadenfreude when things go from bad to worse, and finally the piles of hurt feelings when it all shakes out — we rarely directly address some of the core issues. If they are addressed, or even mentioned, they are drowned out by all of the rest of the hand wringing and finger pointing, and not handled in a more methodical manner that would befall incident handling and response activities. For this discussion, I want to focus on the role of skills, how they are acquired, built and eventually applied to progress through an information/cybersecurity career.
How do I get to comment?
In order to ground my statements that will show up in this mini-essay, I feel providing a little non-public background (unless you’re moderately good at Googling) on myself would help. First, I will check my privilege — of which I am a moderately well-educated, middle-class, middle-aged, white American citizen who happens to be employed. I am however, also a member of the LGBTQ community, I’m married to a same sex partner, female, diagnosed with some minor disabilities, divorced parents (one on food stamps, the other with chronic underemployment as an academic), and deal with major depression. I have twenty years of progressive experience in technology after college, even though I did not graduate with a technology degree (I went from electrical and computer engineering to decision science — and several minors). I’ve worked in start-ups to multiple Fortune 125 companies across a range of industries, and did academia and the public sector, where I currently make a living as a Deputy Chief Information Officer.
When I graduated, I had a long-term plan — within a number of years I knew I would not be a technician, but would by nature of the industry, probably end up a technical manager. I was unsure if my classmates have had similar plans or goals in mind, but Facebook and other social media has allowed me to peer across and see how they ended up, and it too varies from what I had expected. As meandering as my current career has been, I have had very few regrets, and feel that each new opportunity was built on experience and knowledge gained from the past — essentially experiential learning.
So why are you writing this?
One would wonder, “Why bother with a backstory at this point?” With the recent Equifax data breach announcement, the subsequent fumbles in the response and public relations, and the scope of exposure being potentially half the population of the United States — it seems a better time than ever to look at some of the more overt issues that can be adequately discussed regarding those events and shortcomings. Since I started my draft of this, Viacom had a breach of what now is becoming a regular occurrence, an exposed Amazon S3 bucket, and the Securities and Exchange Commission admitted that a breach of their systems could have resulted in data being used for illegal trading.
Immediately after announcement of the Equifax breach, the security community took to Google and other means to find out who was supposedly “in charge” of what colloquially could be termed as a “shit show dumpster fire”. As bad as data breaches go in recent years, including all the healthcare providers, banks, consumer services and even the government’s Office of Personnel Management — this in sheer size and amount of personal data will be hard to top for years to come. Nearly immediately the CISO for Equifax was identified on LinkedIn, and social media posts mocked her apparent obfuscation of her experience and credentials, which focused unfairly and particularly harshly on her college major — music. At first blush, that screamed unqualified to many in order to hold such a C-level position due to “lack of relevance” and seemed even fishier given the lack of detail on her on-line resume and scant professional details available on line. My own red flags went up, but not on those initial details, but actually the unwritten ones.
The Importance of “The Network”
For those who know me, I’m far from a social butterfly and typically could be fingered as an introvert, but I know the power of a social network, and I generally try to cultivate my professional one very carefully. The same system that gave up the goods on finding Equifax’s CISO is the same one I use to background individuals and organizations I communicate with. To that end, Equifax CISO, for having such a high-profile data protection related job, had no shared connections and performing OSINT (open source intelligence), had very little public profile or outreach to security and data management communities, short of one interview on You Tube. It seems a little sketchy, especially when evaluating her peers at TransUnion and Experian, who not only have wider ranging connections via professional social media, but also interactions at conference and briefings. Even when participating in discussions on the topic of experience and education immediately after the breach was announced, many other openly vouched for her peers, but nobody knew of the Equifax CISO personally or socially.
The information/data/network/cybersecurity community tends to think of themselves as a family. We have family reunions in the form of “cons” or conventions, when friends travel into the town we live in they are often willing to grab a drink or a meal with, and occasionally, like a family, we have disagreements and fights. This discussion of the networkability of a high-profile security “leader” and their apparent coyness about publically detailing their experience and credentials threw open the gates of debate among family members. That discussion is what prompted the initial aim of this piece, since the hashtag highlighted above backfired in some respect and also brought up some of the ugly side of those family debates.
Failure comes in all shapes and sizes
The reason I love my career is due to the pace of change and always having the ability to learn something new, novel or interesting that I didn’t know the day before. As an incident responder, I enjoyed the chase and the hunt for answers; as a forensics person I enjoyed finding the clue that was hard to find; looking at malware, I loved seeing how things ticked and the cleverness of the author to exploit vulnerabilities in a system or application; and as a network defender, the fun was trying to make sense of all that data and ensure that we had eyes on the right things and could involve all the right folks when something would go wrong. Inevitably something will always go wrong, and your job at any level of the security career track, it to minimize the occurrence of that “bad” from happening. Knowing that it will happen, and how you make the choice to apply all those afore mentioned skillsets in relation to your operations and mission is “risk management”.
What went wrong, as it appears, is that risk management principles weren’t adequately applied, and a breach occurred. That is a failure up and down the organizational chart, from the security engineer assessing vulnerabilities, to the developer writing secure (or not) code, to security operations staff, to security architects for not ensuring the policies were followed and frameworks utilized, and finally to the CISO (and CIO) for not only instilling a security culture, but also not leading by example. While the CISO doesn’t have to do all of the technical work to secure the environment they are entrusted with protecting, they need to have the competency of using the tools at their hands, the people whose jobs are to ensure that the direct work and application of security processes and techniques are applied. This is the failure.
Hindsight is 20/20, unless you are truly blind
When the information/data/network/cybersecurity field was born, there were no degree programs that granted you with a practitioner’s “expert status” in this area. Many of the senior security people in the field, those that still wear “hacker” as a badge of hard earned honor, learned their trade by building and breaking things, and not even in that order. The kind of people generally attracted to this career path are the insanely curious and the ones who revel in problem solving — the ones who literally look at a clock and wonder what makes it tick, and will seek one they can take apart to actually find out.
Now this field has become formalized with degree programs, various certifications, specialties, job titles and roles, and with that a break between those who learned along the way, and those who sought out paper because it’s now expected. As somebody who’s been on both sides of the hiring table multiple times in their career, it’s still a tough job weeding out the right candidate for a position regardless of the self-inscribed platitudes on a resume, a flurry of acronyms being tossed at you in conversation, or a bunch of letters after a name on a business card or CV. As noted earlier, some of this even gets down to who you know and will they vouch for your skills and experience. In some roles, the skills you use are things nobody can teach you — as it comes from practice and experimentation. Other roles require strict adherence to a framework and guidelines, and can be tested for, since it’s either the existence or absence of a control or policy that needs to be checked. We are in a transitional period in the career field, but I don’t think everybody has received the memo.
Is it a grease fire or a dumpster fire?
Un-ironically, my job has gone from chasing bad guys/gals to now trying to manage all of those people who not only are my proxies for finding the bad guys/gals, but also develop and build the systems and infrastructure that keep my organization running. It is not a job for the faint of heart, and I do think I am one of the very few in this role in the public sector that merely has a bachelor’s degree and no professional certifications. However, I wear this as a badge of honor. I believe that in this career field, if you are engaged, communicate to others in the community, are willing to take in new information and try new things, you can succeed. You do, though, need to know not only your limits, but your organization’s limits. The risk tolerance for organization varies based on a number of factors that change daily, hourly, or even by the minute depending on what the mission is. Understanding the threats, the magnitude of loss from exploiting your vulnerabilities, and the costs to recover is your risk posture. Your senior security official, be it a CISO, CSO, CRO, CIO or even CEO, needs to understand this and get it and buy into the reasoning of how it’s being protected and losses mitigated.
Choosing to be in this role is essentially walking into the job and voluntarily putting a target on your back. The better you are at your job, that target gets a bit smaller, but it will never disappear. Your hope is, that if you have a peer organization in the same field or industry, that you are just a bit better at your job than they are. No stacking of certified professionals will help, as attackers play dirty, and sometimes you need that same level of carnal knowledge they have. A penetration test is no use if you don’t learn from the results and work through fixing your issues. A bug bounty is useless unless you learn to correct the bad habits that went into the creation of the bugs in the first place. As noted earlier, stock your staff with the curious and the problem solvers, along with those who are the meticulous types, and you’ve blended your defenses and also look at solving problems from different viewpoints.
What you wear doesn’t define how good you are
Typically, you could read the above heading and take it to pit the hoodie and black t-shirt wearing crowd against the suited-up consultant types, but that’s only half of the discussion. Some of those hoodie wearing stereotypes are the same ones wearing the suits during the week because they are paying their bills with clients that expect “that look”. The same goes for whether you show up in a skirt as you would in pants.
As we found out earlier this year with commentary by a Google engineer, James Damore, that your gender will also dictate your success (or lack thereof) in technical fields. This is a trope often played over and over again in numbers of op-eds and social media entries that have no actual scientific basis. Sadly the same type of thinking also is often translated in biases and discrimination based on race, skin color, religion, socio-economic status, disabilities and a host of other non-skill characteristics. Often what’s been demonstrated is that these groups often are as good as, or better than those pushing thoughts and stories around.
Somedays I choose to wear a skirt or a dress, others I wear pants or leggings — but it doesn’t change who I am or how I’m able to adequately perform my job. I’ve held or performed nearly all your typical information technology roles in my career (again, by design) and I was never reprimanded, poorly graded, or fired for the quality or lack of skill in performing the duties I was hired for. However, I know many people who have been pushed out from jobs, given less influential roles, their contributions dismissed, and at worst, passed over for jobs for a lesser skilled cis-gender heterosexual white male. Nobody benefits from these situations, and it perpetuates some of the worst perceptions, internally and externally, of the tech and security community.
Strangely, as all of this exists, I spend a lot of my time in the last decade pushing for the diversity of hiring within the public sector, which, at the Federal level has its own quirks that could often keep even the most well-qualified candidates from obtaining a position. There’s been a number of other articles that target this particular issue with employment for tech and cybersecurity, and would make for a follow-up to this essay, but it is another looming issue.
To that end, professionals and others will often point to a woman or other minority who’s been hired or appointed to a role of some prominence, or even just requiring a high level of technical skill, as merely filling a quota or a diversity hire. For some cases, that may have been the target of the employer, and if they weren’t open about their motivations, it’s pretty disingenuous to all involved. This is not to say diversity targeted hiring is bad, especially with the skewed statistics of women and minorities being woefully underrepresented in all levels of tech and security, but not being clear that there is a program for this in lieu of regular hiring practices is almost just as bad.
I feel lucky to just be on the stage
There was a point in my career, a few short years ago, where there was a good chance I’d never advance beyond where I was. I was in a rut, without a real direction, but dutifully doing the work I was hired for. I reached out to the community, read a lot of things, took time to go to conferences, and trained up on things that interested me. While this isn’t everybody’s route, it helped me focus, but also get through a lot of personal things that were going on at the time. However, it is just that — people have lives, things that occur in them that are predictable and non-predictable, and it’s a matter of how we cope and move forward will determine the ultimate outcome. I do consider that my “incident responder mantra” which is akin to “don’t cry over spilled milk” by realizing that by the time you discover something bad has happened (or as I say “lunch has been eaten”) there’s not much to do other than investigate how things went bad, learn how to fix and not repeat them, and clean up and move on. Very much the cycle of life.
The breaches that are now seeming to occur on the regular at this point need to also keep that in mind. But, no matter how much the folks involved will be trying to move on, they will often get stuck in the rut of staring at the situation trying to figure out where to start, rather than realizing there’s an end goal and you can try to work backwards from there. Realize you got popped by a bad policy for addressing vulnerabilities or some other process or practice — then work to include, improve or revise those items going forward and be accountable to ensuring that work is and has been done. Having worked at a major energy company before and after two notable events, we never had or tested a resiliency or disaster recovery plan until after those events proved that they needed to not only be in place, but tested regularly to ensure we could maintain all operations through similar incidents. With Equifax and many other breach and failure subjects within the past few years — I’ve become less interested in public side of their response, but am extremely curious as to how operations changed on the inside. Unless that behavior changes and a culture within the organization the cultivated to avoid similar event from happening again in the same magnitude has been addressed, you’ve failed your organizations and your customers.
Finally a rest bit
The discussions over the last few weeks have, if anything, fostered open and honest communications between various members of the security community. Feelings may have been hurt, things said, and I’m sure words have been exchanged that can’t be hugged out or solved by buying somebody a meal or drink — let alone a simple apology. But what has occurred is that we are trying to face the real problems we have within security and as a larger scope, tech in general by no longer trying to kick the can or pass the buck in hopes that we’ll get around to it. What could happen is that all the acrimony that was stirred up starts to build the tribalism within the community to even further divisions, or now that we’ve aired our issues, we have said our proverbial piece and we work together to solve some of those problems and issues we repeatedly see attributed in these breach and hack attempts. This isn’t a problem a single person can solve, nor any specific area — not through legislation or regulation, nor a single genius fixing a piece of code, or an organization cutting or reducing services or capabilities — in response to trying to address every component.
For one thing, this series of events pushed me to action; to use the years of experience and slow progression up the career ladder, to author what I hope is a reflective piece that can be a jumping off point for further discussion. I will continue taking invitations to speak on topics such as this, but also participate in areas where I can influence some change, even if it’s narrowly in what it may affect, it’s still something and I won’t give up, but rather press forward. As somebody who is now more often a hiring role, leading teams, and making policy decisions — I will work to disseminate cautionary tales as a “lessons learned” and ensure that they will not be prevalent in any organization I lead or influence. One would hope that, even if they aren’t the target of large breaches, hacks, or other major failures of security in their organization would follow similar suit. A community only survives on sharing good ideas and putting them into practice, a sort of herd immunity if you will. We’ll only have time to tell to see if that’s what’s in store for us.
Hey, and thanks for reading. If you lasted this long, you got a lot further than I think the graders did for my AP essay exams — to that, pour yourself a beverage of your choice and enjoy the rest of the day.