CyberSec industry experts share what businesses and cyber freshers need to know


There is a lot to think about as a business owner looking to expand cyber capabilities or a cyber fresher looking to launch and build a career in the cyber industry. Where do you start and what do you need to know? Here are some insights from our Think Like an Attacker – Cyber Security Industry Webinar Panel:

Declan Ingram | Former Deputy Director, CERT NZ

Alvin Rodrigues | Infoblox, Field Chief Security Officer

Ajay Kumar | CrowdStrike, Regional Head of Cyber Security Services Asia

Chirag D Joshi | ISACA Sydney Board Director and Best-selling Cyber Security author

Abdur Raheem | MSIG, Senior Manager, Cybersecurity


What should businesses be aware of when it comes to cyber security today?

Chirag D Joshi | ISACA Sydney Board Director and Best-selling Cyber Security author

“Let’s start with a slightly different side in terms of what businesses and those entering the industry need to know. I think the first thing we need to know is how integral cyber security is to our economy, and I think that’s where it starts, with our organisations, the countries in which we live and how they function in terms of society – I think starting there is an important point. But another thing to remember is the actors and the activity, when we talk about cyber threats, when we talk about hacking – I think it’s important to realise that a lot of these activities happen because our societies are largely interconnected today.

The second thing is, our delivery channels, especially in most Western countries and Eastern countries where you have a wide spread of internet-connected devices that economies largely rely on, which is where money is to be made, and that’s where you see the evolution of threat actors. It has never been easier for a non-technical person to launch cyber attacks, and that is because of the sprawling availability of cyber hacking really, as a service available on the dark web, where anybody with fifty dollars and a laptop can launch sophisticated cyber attacks.

So I think that’s become very easy, which is important to understand the world we live in. And secondly, I would also say that, when you think about the threat actors at the same time you have the challenges from novices, but you also have challenges from state sponsored attackers, and I think that’s where you can go above and beyond with your organisations and with what you can do in isolation to actually become a threat sharing environment, where we all share information, where we share indicators of compromise – because we cannot solve these problems ourselves no matter how much money you spend on the problem.

I think that’s why intelligence is important, so I would say that for businesses, understand that you cannot live in isolation, understand that you are a target, even if not directly your third parties may be impacted, and that will ultimately impact you. Your customers now have a lot more expectations, and a recent example is WhatsApp, where the change in their privacy policy has triggered a large scale concern and people are dropping off the platform. People are a lot more educated now than they used to be in this environment, so I think it’s important to understand the context for anybody new in this industry as well as businesses.”

 

What do cyber newbies need to know when trying to secure their first cyber security role?

Declan Ingram | Former Deputy Director, CERT NZ | Founder, Principal Consultant, Tomah Limited

“I have brought on a lot of entry level roles, a lot of graduate roles, both for my own companies and working with government and everything else, and there’s a couple of key things that I look for. The three that I spoke about earlier – curiosity, integrity, self learning – are absolutely key as well, but there are some things that will make me notice a CV more than others, and there are ways of demonstrating self learning and demonstrating the stuff that you are doing and that you can do, but a huge amount of it has to do with networking.

And I mean networking as in personal networking not networking as in IP stacks, etc. When I first wanted to get into information security, I think there were about twelve companies in Australia that had information security or had something to do with information security and I simply contacted every single one of them and said, hey, can I have a job please? And they said no, go away and then a couple of months later I did the same thing. I did that three or four times before eventually one of them relented and we had a conversation on the phone and that kind of got everything started.

Trying to find the personal networks of the people that you know who know others is really quite key and so, you know, do try and do that, do try and go through personal networks and professional networks and when you’re going for a role, make sure that you demonstrate that you have really taken the time to understand what the role is. There’s a lot of applications that I’ve received over the years that have been quite generic and I know that it takes a heap of time when you’re going for a role to read into it and to look at it and to go through everything and detail your CV, but it’s hugely important.

I know that’s not a magic bullet – it is certainly not rocket science and there’s probably nothing that I said that you didn’t already know, but one of the things that I have noticed is that there is no shortage of people that want to be in information security and there’s no shortage of people in information security, but there’s a massive shortage of people in information security that really understand information security and can provide a lot of value. So if you can be one of those people and you can demonstrate that you can provide value, then you will have a rich and wonderful and interesting career.”

Alvin Rodrigues | Infoblox, Field Chief Security Officer

“Just to add on to what Declan was saying, I don’t come from a technical background, I do not have a technical background. My background has been all about business but my switch to cyber security stems from the fact that I joined a cyber security company initially to look at marketing and then from marketing I did all the engagements and scripts and support with my understanding about business and the business framework, and the business architecture and also my understanding of technology as a whole. From there I progressed down that cyber pathway.

So when you ask how do you make that switch, you need to think about the switch from two perspectives – number one, switch to cyber security from a vendor perspective or switch to cyber security from an end user perspective. Now from the vendor’s perspective, there are various categories as well, you have the solutions provider, you have the product providers and then you have the likes of the consultants, the guys who actually go through the entire ideation process about the framework and what the cybersecurity strategies actually look like. So identify where you’re at today, the experiences that you have – can you actually take them on board and leverage them to bring you forth into whichever stream and pathway that you actually want to go into.

So Declan is right, you need to understand the job per se, if you’re going to the end user standpoint, there is a huge shortage of people of cybersecurity professionals, but the thing to bear in mind is your ability to contextualise what you know against the business landscape – it’s very important to appreciate and understand the role of cyber security to the business landscape.

One of the things I also ask a lot of existing cybersecurity professionals is not to get so hung up on the types of threats that you’re seeing, that are coming into the organisation because they need to focus on a sphere of influence. We have no influence over the types of threats that are coming in. I’ve got no influence when a hacker decides to do a ransomware attack on me, I’ve got no influence to tell him – don’t do this to me – or give me a malware attack that is just keylogger-based for example, I have no influence if he decides to go after me with ransomware – I have to deal with that, but what I can do is focus on my sphere of influence.

And the areas of my sphere of influence are, what are my vulnerabilities? What is my understanding of the business workflow and where are the potential entry points that a protagonist can exploit to get into my system to get into my company, and what can I do to block that, what can I do to minimise that not only from a technology standpoint, but also from a people and process standpoint – very often in cybersecurity, what I find is whenever I engage many, many of my customers is that there’s a huge focus on technology, some focus on people and not a lot of focus on process. Now, this is not just the security process and the security way of managing policies, but the business process. So the more you understand these landscapes, the more you’ll be able to contextualise, create useful understandings and defend against cyber attacks.”

If you’re looking for the fastest and most effective way to break into the cyber security industry – schedule a call here today or learn more here about our practical cyber security training program with UTS, taught by cyber security industry experts and focused on helping you land a job in the cyber market.

You’re invited: attend an upcoming Institute of Data event, just register here!
