Security people, really good ones, are hard to find. In the U.S., there are maybe a dozen truly recognized experts: those with the right technical background, practical experience and mindset to practice effective cybersecurity, along with the curiosity and passion of an accomplished hacker.
This capability is in such short supply that I’ve tried to do my small part by using my informal position as a mentor to encourage those who have those characteristics to train as White Hats, or ethical hackers.
For years, I’ve worked primarily in Information Assurance and Cyber Forensics: securing and defending computer systems and networks, analyzing the results of Black Hat or Cracker activities, and other interesting things.
My customers are usually in the federal government, but also in banks, financial organizations and hospitals. Do I have a CISSP? No. Do I have other security certifications? No. I’ve taken (and enjoyed) several SANS Institute and Global Information Assurance Certification (GIAC) classes, and I’d like to obtain one of the GIAC certifications. They’re expensive, so I take classes as my budget allows.
The Hacker Mentality
So who would be an ideal cybersecurity expert? They’d need to be a hacker and have a hacker’s passion and mentality. They like to take things apart, be it hardware, software or really anything. They like to figure out how they work, identify their weaknesses and then create solutions to make them better. (For more, see my post “You Say ‘Hacker’ Like It’s a Bad Thing… “)
So let’s differentiate between a hacker (or White Hat) and a cracker (Black Hat). Many people, including most of the media and government, use the terms incorrectly.
A cracker is someone who intentionally breaches computer security by breaking into someone else’s system or network. Crackers do this maliciously: some for profit, some for what they see as an altruistic purpose or cause. Hackers may have the same technical skills as crackers, but they don’t take part in the same kind of malicious activity.
Ideal cybersecurity experts must nonetheless be able to think like a cracker. Only then can they compete strategically and tactically against crackers and everything they unleash. To defend a position, you have to understand what it takes to attack it: recognize and exploit its vulnerabilities, and then secure it.
Today, there is actually a term for this that comes from the military’s use of war games: Red Teaming. It’s the practice of viewing a problem from an adversary or competitor’s perspective. The goal is to enhance decision making, either by specifying the adversary’s preferences and strategies or by simply acting as a devil’s advocate. If you dig into some of the principles behind Red Teaming, you’ll find Game Theory.
Other skills that are part of the cybersecurity toolbox, though harder to quantify, come from the individual’s background: an aptitude for games of strategy like Chess, Go and Risk, for example. This usually gives them the ability to see patterns of behavior in an opponent’s moves. Though I’m not entirely sure skills like this can be taught, I have found them to be evident in colleagues who are considered true experts in the field.
From an education standpoint, most of the experts I’ve encountered have multiple degrees. One is usually information systems, mathematics, computer science, computer engineering, systems engineering or a related field. They also have at least five years of relevant information security experience.
When it comes to certifications, the overall computer industry likes the CISSP. However, the certifications that actually show mastery of the subject are the ones from GIAC. Practicing professionals hold GIAC-certified colleagues in high technical regard.
Other certifications that can be useful are those in Systems Administration and Systems Programming that have practical examinations and continuing education as part of the certification process.
Key for any security professional is the ability to communicate in writing, orally and through effective presentations. The ideal professional also must, and I mean must, be able to communicate both with technical staff and with high-level executives. This in itself can be a challenge, but it’s something that can be learned with practice.
They may or may not have published articles on cybersecurity under their own name; some have published only without attribution. Still, almost all have written bylined technical articles of some kind.
In addition to all that, the ideal experts have both hands-on technical skill and the ability to lead other technical people. They have a view of the big picture and how security impacts the business and its customers. They usually actively participate in R&D projects and open source projects.
So where would you find people like this? At events like DEF CON, Black Hat and the Chaos Communication Congress. They’re usually the folks who listen and try to blend in.
This is a lot. And it’s just the high-level view. For a more detailed look at the skills and professional approach the most successful cybersecurity experts take, click here.