Answers to Tribe of Hackers Questions
I have just started reading Tribe of Hackers by Marcus Carey (et al). I already love the format of the book. He takes 14 questions and asks them to prominent people in the field of computer security. Before I start reading the book, though, I want to provide my own answers to his questions and then see how they relate to the others in the book.
1. If there is one myth that you could debunk in cybersecurity, what would it be?
I find the biggest myth about computer security is that it is somehow so mysterious and technical that it is difficult to understand. It does often involve deep understanding of computers, but the fundamentals of computer security look very similar to that of traditional security. And with that knowledge, anyone can learn computer security easily by building up their skills from first principles.
2. What is one of the biggest bang-for-the-buck actions that an organization can take to improve its cybersecurity posture?
Easy and affordable access to general security awareness. After all, I started a course on it because I believe so firmly in it. Security has to start with the humans in charge of the machines that hold the data. We need to train these humans with words and materials that they are familiar with, otherwise we are talking to them in another language.
Security people often forget that we operate in a highly specialized, niche world. Few people will understand the entire scope of a company's threat model, and security people need to realize that it is too much to ask. Regular people, outside of the security industry, have their own jobs, passions, and responsibilities. To lump computer security onto it en masse is an egotistical thing to do because, while security is important, so too are the other things people need to do to get on with their lives.
3. How is it that cybersecurity spending is increasing but breaches are still happening?
Because the people with their fingers on the purse strings (the ones that hold the budgets) still don't realize that humans are the path to security vulnerabilities. Humans are the greatest asset and liability to computer security. That doesn't mean we get rid of humans, but we remove them from areas where incidents can occur.
4. Do you need a college degree or certification to be a cybersecurity professional?
Oh gosh, I hope not. We have enough gate-keeping in this industry as it is.
Most of my career was doing security as a value-add to my actual job – namely software development and systems administration. I started doing security before CISSP became a household name, so I never saw the need for the credential. What I do believe is that you want something to get your foot in the door, and for that I have my Bachelor's degree from university. Your journey in life may differ based on your preferences or personal situation, and that's okay too, so long as you stay curious and are never afraid to investigate the darker corners of a system where most people dare not go.
5. How did you get started in the cybersecurity field, and what advice would you give to a beginner pursuing a career in cybersecurity?
My career is a dog's trail of different jobs, and employers often have a difficult time seeing the linkages. The hidden pattern is that I move toward areas where software development – that is, automating manual tasks usually performed by humans – is a new concept. I rarely say the word "security" and instead use the word "failure" and that's what software helps reduce.
My advice is to be curious, ask questions, and never fear going into systems or codebases that people are scared to touch. Every company I've been to has a project or system where people describe it as "legacy" and "nobody really knows how it works." I love those dark, dank places and I go investigate what's going on. I even try to bring someone along so they can see that it's not scary, just misunderstood. Once we bring sunlight into the darkened area, we can improve its security so that it keeps secrets confidential, resists tampering of critical data, and is always available for use.
If there are no dark places for you to investigate, grab a user guide and read it from start to finish. You may find that there are things that can be done in a better way, right in the operator's manual, that nobody realized simply because they didn't take (or have) the time to read.
6. What is your specialty in cybersecurity, and how can others gain expertise in your specialty?
I'd say my expertise is in Cloud Application Security. I prefix it with "Cloud" because I believe that nowadays application security doesn't end with source code – it continues on to the system, infrastructure, and network. I deal mainly with cloud environments, namely Amazon Web Services (AWS), and this is where I do my best work. On the engineering side, this would be called "full-stack" but I just see it as building applications.
The best way to gain experience is to start somewhere, like software development. Understand how the code is written to solve a problem. Then when it comes time to deploy the application, don't just chuck it over the fence to someone else (often an Operations team). Figure out how the system is configured to run the application. Then keep scratching away at these unknown pieces of the puzzle until you learn about networks, databases, and other types of infrastructure. A common refrain I hear from junior developers is that their end goal is to be an architect. I applaud that, but first you need to understand how systems are built before you can start architecting new ones. So dive deep, even if it's into an open source project, and learn how all the pieces work. Never shy away or get scared away from the unknown.
7. What is your advice for career success when it comes to getting hired, climbing the corporate ladder, or starting a company in cybersecurity?
Don't start in security for security's sake. Try writing software, doing customer support or performing QA first. Then move onto security. Writing software will show you how systems are built and the struggles that developers have with balancing feature development with security. Doing customer support will show you that humans are the primary things to be secured. And QA will show you how easily the most impressively-built software can fail.
8. What qualities do you believe all highly successful cybersecurity professionals share?
They have a little voice in the back of their head, what I like to call their anti-Jiminy Cricket, that is a bit more skeptical about everything in life. It doesn't override normal brain operations, but it does voice its opinion whenever a new technology or service comes along and says, "Yeah, that's cool, but what about…?" Having this skepticism in turn creates a realistic and pragmatic view of the world, putting a leaf-blower to the smoke and mirrors that is often put up to trick people (e.g. Theranos).
9. What is the best book or movie that can be used to illustrate cybersecurity challenges?
I don't think it has been written. The closest I came was The Phoenix Project, which does seem like an odd choice. While it's about the rise of DevOps, there is an undercurrent of cybersecurity (confidentiality, integrity, and availability) that runs through the book. It will change your perspective on two facets:
- Technology problems are really just people problems.
- People in technology often think they are smart and different from others, when in reality they are just a part of a wider manufacturing industry.
10. What is your favourite hacker movie?
My guilty pleasure is Hackers. It was the first time I watched a movie and felt represented in a way that I couldn't see in other movies (horror, action). It felt okay to be jazzed for discussions around the latest CPU, RAM, and such without feeling like I'm going to be ridiculed. Much of my childhood involved hiding who I was and what I liked, because liking science or computers was ridiculed in real life and Hollywood (e.g. Revenge of the Nerds). I found that I could be a normal-looking, unassuming person, and still be interested in how computers work, writing software, and finding ways that systems can be tricked to fail.
11. What are your favourite books for motivation, personal development, or enjoyment?
A lot of the books that I enjoy reading have little to do with computer security. I alternate my reading between fiction and non-fiction, to keep things interesting. For non-fiction I tend to read books on science, history, or psychology because it is interesting how, as technologically savvy as the world is, computer security really comes down to manipulating humans by abusing traits that we evolved over time.
That said, some of my favourite computer security books are as follows (and my reason why):
- Threat Modeling by Adam Shostack (for getting into the mindset)
- CISSP All-in-One Guide by Shon Harris (for understanding the fundamentals)
- How to Win Friends and Influence People by Dale Carnegie (for understanding human wants)
12. What is some practical cybersecurity advice you give to people at home in the age of social media and the Internet of Things?
Do not jump right in. Take baby steps. Then assess the risks of the new technology and whether you are okay with the trade-offs. Every piece of technology has these trade-offs, benefits and drawbacks. And each trade-off will be different for different people, because everyone's risk tolerance and situation in life is different. If in doubt, ask someone with more knowledge of the technology – who isn't a fanboy – or someone that is just a bit more (but not too much) paranoid.
13. What is a life hack that you'd like to share?
Improve your financial literacy, to the point where you understand – at any moment – how much money is coming in (income) and how much is going out (expense) of your life.
Whether we like it or not, the world revolves around money. If you have too little of it, it can cause strife in your relationships, at work, and even in your mental health. Regardless of how much money you have right now or how much you want in life, becoming more comfortable with money is a path to success.
14. What is the biggest mistake you've ever made, and how did you recover from it?
I created a security department for a company and ran it by myself. I kept doing that for two years, well past a healthy amount of time. I kept asking for, and was rejected from, hiring more people to help relieve the workload. I just kept adding more work to myself and it impacted my mental health severely. And that, in turn, impacted my physical health. I learned to look after myself, then others. I am still learning how to say 'no', the power that comes with it, and the relief that it brings when I don't have to take on more work than I can handle. Oh, and I also learned to work with people that have more empathy – that's a big one.