RSA Conference 2020 is coming up fast! In recognition of this year’s theme of Human Element, we wanted to ask some of the expert humans we know about why they chose a career in cyber security, what they found most rewarding about their cyber security jobs, and what they found most frustrating.
I started in cybersecurity in 1998 when this was a relatively new field. I had just left the military and completed my Master’s, so I was very interested in both the business side of technology and the idea of defending against the bad person. I started in firewalls as literally no one else in our company wanted to touch security. From there I had a real interest in learning who the bad person was, so I learned more about network forensics, IDS, log analysis and honeypots, eventually creating the Honeynet Project. Back then you pretty much learned everything on your own.
What I love about cybersecurity is how it’s a constantly changing field that impacts every organization in every industry in the world. You know your actions can have a positive impact around the world. One of my biggest frustrations is how so many people perceive cybersecurity as a purely technical challenge. Until we also start addressing the human element, we will continue to lose this battle.
—Lance Spitzner, director, SANS Security Awareness
In 2010, I was simply in the right place at the right time. Cybersecurity was certainly not new, but it had yet to become a priority in healthcare. Over the next decade, I had the opportunity to help hundreds of U.S. hospitals implement the appropriate safeguards to protect the privacy, security, and confidentiality of their patients’ healthcare records. That’s been the most rewarding experience of my career. And frustrations? Frustrations are only challenges that have yet to be met.
—Daniel W. Berger, former president and CEO of Redspin, Inc., currently a healthcare cyber security subject matter expert and consultant
What made you choose cyber security as a career?
My movement to the cybersecurity domain was kind of accidental. I didn’t have a specific choice in my school days that I wanted to pursue cybersecurity, but I always wanted to be in the tech domain. I happened to be in my first job when I realized my passion for information security and took it very seriously to build my professional career. Security became a thing that was a part of my job. The more domains I worked in with cyber security, the more I understood where I had to look for security issues.
I started to help organizations in their overall efforts to secure themselves against malicious actors. I started from roles that were more of an external consultant to global organizations to working in their internal security teams, where I learned a great deal. Everyone has a different path to follow, and I believe it’s one’s path that leads them to different learning experiences. InfoSec as a career option is no different, but there are few things that, if they had existed then, would have made a big difference. I feel InfoSec communities play a big role in one’s career, as you get to meet, interact and receive mentorship from experienced practitioners in this domain and they guide you to do things the right way. One of the most challenging things in InfoSec is that one needs to stay updated with different areas of technology and their threat landscapes, so learning with a large number of people in communities can make it a bit easier. The turning point came to my career after joining the cybersecurity communities like null, OWASP, and infosecgirls. These communities introduced me to the broader security domain and domain experts.
What are the most rewarding, and most frustrating, aspects of your cyber security job?
The most rewarding part of the job is, one, you get to secure data, information and an organization. Every time you find a new issue and get it fixed in the organization before a malicious actor learns about it, it’s the most amazing feeling. Keeping yourself up-to-date is the key. Someone who has curiosity about every aspect of technology is probably the best suited person. You need to build on that curiosity and spend a lot of time understanding the working of these technologies.
The most frustrating aspect of the job: It cultivates a negative mindset sometimes in our environment, as we have to find bad things to make sure no one can harm us. The information security domain can be glamorous as well as tiring at times. The key in this domain is that one should constantly focus on how security can be improved by learning and applying the necessary skills. Everything else (career advancement, etc.) falls into place.
—Vandana Verma, security architect, IBM India Software Labs
What are the most rewarding, and most frustrating, aspects of your cyber security job?
Most rewarding: I work with some of the smartest people on the planet who share my dedication to making the internet a safer place. Most frustrating: No matter how much guidance is out there, companies keep making the same mistakes over and over again—resulting in data breaches that affect us all.
—Bill Brenner, director of research, IANS
What made you choose cyber security as a career?
I actually got onto the information security, privacy, and compliance path at the very beginning of my career as a result of creating and maintaining the change control system at a large multinational financial/healthcare organization. … The concept was good. The system was good. The procedures were good. Unfortunately, many of the individuals using my change control system were not so good. I discovered that the programmers were getting around the controls when Directors simply left their computers logged in and unsecured, so that the programmers could go in and make the online approvals on the Directors’ terminals themselves! …
[Later] I spent 7 months performing an enterprise-wide information security audit. As a result of that audit, I recommended that an information security department be created. The executives were impressed with the audit report and assigned me to create the Information Protection department in 1991. I’m so happy I took that opportunity!
I’ve been addressing privacy within businesses since 1994, when I was given the responsibility of establishing privacy requirements for what my business indicated was the first online bank. This was in addition to my responsibility for creating the information security requirements for the bank. There were no privacy laws at that time applicable to online banks, … [but] I convinced my senior vice president at the time to have privacy addressed. He indicated that since I felt so strongly about it, he would give me that privacy responsibility. Another great opportunity to do something that had never been done before within the organization, or at most other organizations.
Since then I’ve welcomed the opportunity to identify privacy risks in new technologies and practices, in the absence of any laws or regulations, in a wide range of industries and also identify the cybersecurity controls to mitigate risks. When opportunities arise, take them! Be the trailblazer and original expert in a new, unexplored field. I am happy that I was always asking questions, raising concerns, and then being the person asked to address issues I explained needed to be resolved when no one else wanted to do them.
Possibly my biggest frustration is that there are not enough hours in the day to do all the cool projects and research that I find so very interesting!
—Rebecca Herold, CEO, The Privacy Professor