As some of you may be aware, October is National Cybersecurity Awareness Month. The theme for this week, specifically, is STOP. THINK. CONNECT: The Basic Steps to Online Safety and Security. Part of this week’s focus includes examining “cybersecurity jobs and how to engage young people in pursuing careers devoted to protecting the Internet.”
The weekly topic, and the entire month’s devotion to cybersecurity, compels me to consider my cybersecurity “ah-ha” moment (We’re talking pre-Edward Snowden; pre-cybersecurity “skills gap”; pre-Target). The answer that comes to mind is my experience as the President of TippingPoint, the network security vendor (and now a part of Trend Micro).
The work we did to research, report and liaise with vendors in an attempt to remediate zero-day software vulnerabilities was quite telling. It was very clear (then as it is now) that as long as we write software, adversaries will always find ways to exploit it.
During my time at TippingPoint, it was clear that software was going to explode. Although Marc Andressen had yet to publish his now-famous phrase, the attack surface was growing in volumes. Today, we take this growth for granted. We throw out lingo like “cloud” and “big data” and “IoT”, as if it’s been with us for decades.
As good as the company’s technology and security research was, it was also clear that attempting to protect assets by protecting the network perimeter was not the right answer. This led me to reflect on the value of taking a data-centric security viewpoint, which ultimately helped inform my decision to join what was then Vormetric, and now Thales.
At TippingPoint, I also developed an appreciation for just how challenging it was to remediate vulnerabilities. Although we would notify vendors of problems, time and time again they were slow to respond. This reinforced to me the sheer size of the attack surface and the difficulty in closing known software vulnerabilities in a timely manner. When I overlaid this with the clever nature of our adversary (and the speed and creativity upon which they work), I came to truly understand the task ahead of us.
I do not say any of this to dissuade readers from pursuing a career in cybersecurity. It’s a rewarding and fulfilling career – but it’s also one that will never not be challenging. Very little of my time, and the time of others around me, is spent shuffling papers. Rather, it’s spent considering “what next”? What haven’t we thought of? Where should we expect attacks to occur? What are our customers’ weak spots? What’s our weak spot?
This field isn’t for the faint of heart. It’s not for people who want easy answers, nor those who measure success by the number of items they cross off on their “to-do” list. There will always be a new list, and new items to add onto it.
Rather, it’s is for those who are focused on helping customers and fighting the dark forces that would interrupt society and commerce. My colleagues, past and present, have strong core values they live by. They set good examples; they communicate readily; and they are open and honest, with high expectations. Time and time again, I’ve come across cybersecurity professionals who value the good they do for their customers, the industry and world. This is a core motivation for many who choose cybersecurity as a career – similarly to how some are drawn to law enforcement in the physical world.
With this in mind, I impart the following on those considering a cybersecurity career: Be willing to take risks and get out of your comfort zone. Seek mentors. Give to get. And above all, don’t underestimate the value of outworking the other gal or guy.
Have questions or comments? Tweet me at @kessalan. Or even better, check out our careers page.