To make this book more valuable and help you to excel on your cybersecurity journey, I reached out to some industry experts and asked them how they started their career in cybersecurity and what they would recommend to you to allow you to improve.
I spoke to industry experts from Fortune 500 companies such as Microsoft, Standard Chartered bank, SAP, and FireEye, and experts from Oxford University, Charles Sturt University, army veterans, active cybersecurity consultants, architects, hiring managers, speakers from Black Hat and other tier-1 security conferences, and cybersecurity firm owners, as well as law enforcement professionals. Hopefully, this chapter will help you in your career.
Corporate Vice President, Microsoft
"Our teams must be as diverse as the problems we are trying to solve."
The preceding statement is not an empty platitude, and it is not something that should be trivialized or over-hyped either. We are facing a battle against cybercrime that is impacting all aspects of our lives, including governments, financial systems, food supplies, water supplies, critical infrastructure, and healthcare. Large-scale cyber events, such as those witnessed in the past several years, threaten our very way of life. So, the question becomes, how did we get here? More importantly, where do we go from here? What can you, as a candidate, do to pursue a career in cybersecurity?
To explain, let me take you on my personal career journey. I graduated from college with a dual major in political science and communication, and an ambition to attend law school. I was accepted into law school and had obtained a scholarship for tuition and fees, but I was burdened financially from my undergraduate work and was also concerned about food, housing, healthcare, and so on. I made a decision to pursue a career rather than attend law school. Jobs in Northern Utah were scarce in the late 1980s for a graduate who didn't have a directly applicable degree, that is, one in accounting or medicine, and I ultimately moved to the Los Angeles area. I had one short-term position as an executive assistant in a medical firm, and then found my calling in technology.
My calling came by way of a newspaper ad for a floor salesperson at a wage of $17,000 USD per annum. I knew a bit about computers (as in, I could use one), and I knew I could talk to people, so a career was born. I attended every vendor training available and was diligent in studying and developing my skills. I was fortunate to have two early career mentors who encouraged my success and taught me everything they knew. I took on assignments related to operations, sales, network architecture and installation, computer repair, storage, partner engagement, customer engagement, and so on. I learned and absorbed all I could. At the time, mainframes and mini-computers dominated the industry, and PCs and client-servers were becoming a thing. Storage systems were massive near-line devices, and the biggest concern for a CIO was a rogue phone line in a data center. There were very few formal CISO positions, and security folks were generally of two types: investigators and network professionals. I entered security somewhat accidentally, but according to a plan.
In 1999, I was based in Chicago and working as a healthcare specialist for Data General. Data General was acquired by the EMC Corporation. I explored my options post acquisition and decided to make a change. The change was inspired by the hardware token I carried for authentication. I was fascinated by the technology, and I pursued a company called RSA Security and was ultimately hired as a PKI specialist. I not only had to look up the term, I had to study and develop an understanding of PKI, which I did. So, in 2000, a new career began: I was still in tech, but in a highly specialized, but very nascent, field called cybersecurity (InfoSec at the time). CISOs were a thing by then, in very large organizations, and 2FA was used by about 20% of corporate employees (yes, that was all).
Since 2000, I have once again committed myself to self-study, learning, and growth, developing a deep understanding of the underlying technology of cybersecurity and the methods, modes, and motives of threat actors. I have also come to an understanding that there are simply too few people in cybersecurity roles. We used to joke, circa 2000, that people spent more on their annual coffee budgets than on their IT security budgets. If they had a firewall, a router, and an antivirus solution, and high-value users were using 2FA, everything was covered as far as most organizations were concerned. They were not prepared or adequately budgeted for the hyper growth in anytime, anywhere connected devices; the explosion of mobile devices that are as powerful as legacy servers; cloud-based technologies; the explosion of nation-state funded threat actors; or the explosion of malware and cybercrime as an industry. Universities and colleges were delayed in offering a cybersecurity-based curriculum, relying on a lot of network-based courses to cover the topic. Cybersecurity professionals were largely still from network or investigative backgrounds, and the industry was collapsing under the weight of too many disparate tools and too-many-point solutions.
By any measure, there are currently about 1 million open cybersecurity roles globally that all say something akin to "must have 10 years' experience, STEM degree...." We are becoming a self-fulfilling prophecy as an industry. We claim we want diverse backgrounds and skills, and we have too many job openings; we want to reduce complexity, but we continue to hire the same profiles, bemoan the lack of talent, and choose a single-point solution to add to our growing list of solutions because it solves a specific problem.
This group thinking, as an industry, has limited our options for hiring a diverse set of talent and for deploying the required solutions and technology to solve problems. For example, research shows us that diverse teams make better and faster decisions 78% of the time. Yet, we ignore this in the interest of quickly filling roles and a fundamental lack of desire to train the next generation of cybersecurity professionals due to our immediate need to protect our infrastructure.
As a self-taught infrastructure professional, who also taught myself cybersecurity via vendor and industry training immersion, I am a strong advocate for bringing in new voices from a wide range of backgrounds and different perspectives to drive meaningful change in the industry and to stay one step ahead of the bad actors. In addition, our tooling must modernize. We must fully realize the capabilities of tools such as machine learning to get a handle on the trillions of threats we see daily. We must also operate in partnership with public organizations, private companies, peers, and competitors. We must act like a community; an industry. We must also account for the stress of being a defender who is often working extraordinarily long hours in an understaffed environment.
So, where does this all leave us? It leaves us with an industry that has some opportunities to improve. We have the tools, we have the technology, we have available pools of talent, but we must have the will. We must have the will to take risks; we must have the will to accept that change is needed. We must have the will to hire a wide variety of people from diverse educational and societal backgrounds. We must create a community that takes care of its members and empowers people to be their absolute best. We don't actually have a choice; cybercrime is here to stay. What is needed now is a cybersecurity industry that acts as a community to bring the best tools, people, and partnering together as a robust solution. We can do this through investment in education programs at the grade school-level through to the high-school level, by investing in organizations that fund scholarships and mentorship programs for diverse individuals, through programs that invest in training transitioning military members and retraining displaced workers. We can actually bring cybersecurity to the broader population by simplifying the lexicon of the industry and making it less intimidating. We can mentor broadly, and we can speak publicly and frequently on the need for change and the steps required.
Given the need to evolve as an industry, what can you do as a candidate? I described my history here as a way to encourage you to be creative and to self-learn throughout your whole career. As a candidate, you need to work to describe your skills in a way that translates them to the cybersecurity landscape. Are you an experienced teacher? We need learning materials to explain complex concepts in simpler terms. Are you a psychology major? We need to understand the motives of attackers. Are you in law enforcement? We need to complete investigations. Are you a business analyst? We need to comprehend vast amounts of data. And if you are a programmer, network engineer, or database architect, there is a natural place for you in security: leverage your existing skills and learn new ones. Take risks and be part of the change that cybersecurity needs to fulfill its mission of securing global enterprises and governments. Seek out mentors and learn from them. Act now to join a quickly growing and highly exciting industry.
Who is Ann Johnson?
As Corporate Vice President of the Cybersecurity Solutions Group at Microsoft, Ann Johnson oversees the go-to-market strategies of cybersecurity solutions for one of the largest tech companies on our planet. As part of this charter, she leads and drives the evolution and implementation of Microsoft's short- and long-term security solutions road map with alignment across the marketing, engineering, and product teams.
Prior to joining Microsoft, her executive leadership roles included CEO of Boundless Spatial, president and chief operating officer of vulnerability management pioneer Qualys Inc, and vice president of World Wide Identity and Fraud Sales at RSA Security, a subsidiary of the EMC corporation.
University of Oxford
What is the place of the general public in the new tech revolution?
Rapid technological progress in artificial intelligence (AI) is about to transform existing business models. Companies are beginning to use AI to help manage their human resources, attract and promote the loyalty of clients and customers, and increase transparency in their supply chains. Companies are also using AI to automate decision-making processes about their employees, customers, and suppliers.
This process began with companies using big data analytics to increase transparency in supply chains and continued with companies using cloud-based systems and AI to process the enormous amount of data collected globally from thousands of workplaces. Efforts to develop AI and blockchain (https://blog.sweetbridge.com/managing-supply-chains-on-the-blockchain-a-primer-1f7dc293e3d9?gi=8bee415e5b5a) to improve supply chain traceability are still pretty new, and the focus so far has mainly been limited simply to ensuring that products can be traced from lower tiers of the supply chain to supermarket shelves. There are even fewer initiatives that focus on sustainability (https://deepmind.com/blog/deepmind-ai-reduces-google-data-centre-cooling-bill-40/), and these have largely been directed toward environmental sustainability (https://www.eli.org/vibrant-environment-blog/environmentalism-next-machine-age); so far, little attention has been paid to the potential of AI to address labor and human rights issues. However, it is clear that AI will have a real impact in these areas and that it will directly affect the existing relationships between corporations, their suppliers, workers, and customers.
Thus, AI can analyze a vast amount of data very quickly and offer a summary judgment that can be used to inform decision-making (https://link.springer.com/article/10.1007/s13347-017-0263-5). However, a primary concern in this context is the extent to which AI analysis can be relied upon to produce objective judgments (https://link.springer.com/article/10.1007/s13347-017-0285-z) that do not simply reproduce and legitimize existing discrimination or inequalities (https://www.telegraph.co.uk/technology/2017/08/01/algorithms-future-must-not-allow-become-shield-injustice/). This concern has prompted discussions about the accountability and transparency of algorithms. And there have been efforts to understand how to mitigate the potentially discriminatory and unfair decisions of algorithms in a range of important areas of life, such as, say, applying for a bank loan or seeking justice.
Revolution for cor...