Reasonably Accurate Transcript
Good morning everybody. I hope you're set up for a fantastic Friday. Um This is episode 69 of Mornings with Mark. Um and I wanted to um talk to you about getting started in cybersecurity again. Um The reason why we're coming back to this topic again. Um And we will be coming back again and again, it's because I've been getting so many fantastic questions from you guys um about each individual situation and instead of answering everybody individually, which I would love to do, but just based on the volume of questions at the beginning, that's really tricky.
Um I try to take all those uh questions, find the common themes and kind of add them together uh to come back with an episode here and deliver some content like this. Um So what I want to talk about is um perspectives and getting started in cybersecurity. So the challenge um that we've talked about time and time again is that when you are getting started in cybersecurity, it's very tempting and it's very easy to focus on specific technologies on specific issues.
Um We really, you should be developing um the generic um skills that you need. So, thinking about um the ability to learn quickly, um having that, um risk perspective, understanding how to work with other teams. Um, this kind of stuff, you know, um, because the technology you're using today, it is gonna be very different from the technology in six months, from now, in 12 months, from now, in years from now.
Right. Um, when I first started in computers, um, it was, you know, Commodore 64. Um I was a little kid. I started programming um very different time. Uh You know, when I started moving in through the early days of C and um you know, all these different um things I remember the first time I ever got connected online through an acoustic coupler.
Um for those of you that are rapidly googling acoustic coupler, think headset and microphone for your phone, um You literally plugged it into your phone and then your phone would talk, quote unquote to the uh to the outside world and we would talk on bulletin boards and there was a really great underground community that's a far cry from the fact that now I can haul up my smartphone and video chat um with anybody on the planet.
Um you know, within seconds. So technology changes, but your core principles um really uh will keep you going a long way and have a long and healthy career, but of course, you can't start it at the gate with those. So you do need to focus on some specifics. Um But what I wanted to talk about now was sort of as you've gotten the ball rolling in your security career.
Um You've gotten that first role, you've spent a few months, um maybe specifically working on a set of technologies or in a specific, um you know, uh set of goals within your team. Um The fact of getting a perspective outside of that team is absolutely critical. We have um made a mistake within the security community um within our organizations of isolating the security team.
And getting out of that isolation is probably the biggest challenge for the security team. So once you've got the ball rolling and you've got experience within your security team, one of the things that that team should facilitate or that you should be advocating for is to be able to do a rotation out of security. And I don't mean job shadowing.
So job shadow is normally when you'd follow somebody around for a day. So a lot of uh organizations I know, implement job shadowing for the um security folks. So security can go and follow a developer for a day, follow an operations person for a day or a business person for a day. Um And that's OK, but it's really not under, you're not really not gonna walk away with their perspective, right?
Unless that person is a phenomenal communicator, you are really not gonna walk away with anything other than an inkling of what might be some of their challenges. But if you spend, let's say a quarter, so three months um or more doing something else, doing another role within the organization. All of a sudden, you start to have a completely different perspective on how things work and the constraints and the challenges.
And I know this is very difficult to do initially. Um And as somebody who's just getting started in cybersecurity, um that may be very, very difficult. But this also, I think um opens up new avenues to come in to cybersecurity. Because if you're already a developer or already in operations, I think you're ideally positioned to transition into cybersecurity because cybersecurity folks need that perspective.
I've had the good fortune in my career to be a software architect, to be a developer and to be a front line support, to be last line support uh to run operations at scale, to do um security architecture, to do uh perimeter design, to do forensic investigation, to do policy, all of these phenomenal roles. And I actually made it um uh my mission for a good chunk of my early career to change roles completely.
Um Basically, every single year, so take a completely different job every year to vary my skill set. Because for me, that was just a way to stay engaged to learn more. Um because I was always curious and as a cybersecurity professional, this has done me so much good that I can't even, I can't even relate it to you.
How much better I feel my perspective. It is because I've spent a year rebuilding a complete system from the ground up. Um, programmatically, right. Refactoring everything, stripping out all the old code, building it up from the ground or I've spent multiple years doing investigations, both, you know, on the people side and on the technical side, um, all these different experiences have broadened my perspective so that when I'm looking at a security problem, I can look at it and go, well, wait a minute while technically, we should be doing A, you know, all of these other factors are contributing so that maybe, you know, the recommendation is not so strongly A but like, hey, we should be shooting for this, but here are some other things to consider to put that risk into perspective.
So what I wanted to leave you with today is that if you're looking to get started in cybersecurity, the question I get a lot of the time is, what kind of degree should you be doing or what kind of, um, training should be doing to, to come in. Um, when you're starting from nothing, you should be taking computer science.
In my opinion, you should be taking something like computer science, something like software engineering, something generic, not necessarily cybersecurity specific because you can pick up that stuff afterwards. Um, the broader, the base, the better, even the business degrees, anything out there that's gonna give you this perspective um and show that ability to rapidly learn and give core principles.
If you're already developer, if you're already in operations, if you're already in business development, a business analyst, any of these kind of things, you're in a perfect position to transition into cybersecurity because you've already got some of that perspective. Again, picking up how to implement an IPS system or how to properly uh layer defense in depth or uh you know, evaluate risk.
This is stuff that can be taught; that perspective is really, really hard. So for those of you who are running security teams, I would strongly advocate that you figure out a way to create some sort of rotational program to make sure that especially your junior folks, but everybody within your team has the ability to rotate out into other areas of IT in the business.
Um for a good chunk of time, make it a couple of weeks, at least. Um sort of the longer the better because when they come back to you, um you, they will be much better cybersecurity professionals in an ideal world. You would do something like a new graduate program. We've seen, um you know, I've seen this work in multiple organizations um not just targeted for cybersecurity, but just trying to make better team numbers, um is give them a rotation first year in the job, you know, every two months or every three months, they are transitioning into a new role.
Um And yes, you know, they're gonna get a little bit of everything, but they'll get that perspective. And I think that's absolutely critical when it comes to cybersecurity. So for those of you who keep asking, um, you know, what kind of degree should you be looking at out of the gate as broad as possible? Something that interests you, something that you're passionate about, follow that you'll transition in later to more specific cybersecurity skills.
You can do um courses that are targeted cybersecurity certifications, hands on experience, that kind of stuff. That's my opinion. That's my belief. Um For those of you that are already in cybersecurity um are in junior level jobs, push out to get a broader perspective, try to get um into uh an opportunity to rotate into another role, to gain that perspective, to understand and why the ops guys are always dragging their heels on implementing some of your things.
Once you're living in their shoes and working through the challenges they are, maybe you realize finally like, oh it's just not possible to try to implement what the security team has been dictating, right? It needs to be a two way conversation and you gain empathy by being in those roles. And I think that's really a key word is empathy, you gain empathy by being in those roles as opposed to just imagining yourself in those roles um or following them around for a day.
So that's my rant for today. Um I hope that resonates from you uh in with you. Um Let me know what you think. Hit me up online at marknca down in the comments below or as always by email me@markn.ca. I'm curious as to your experiences. How did you get, um Do you feel you have a broad enough uh perspective?
How did you get that perspective? Do you think a rotation is a smart thing? I know it's a challenge from a business perspective, especially with a cybersecurity team is already understaffed, but I truly believe that it will make you a better cybersecurity professional in the long run. What do you think? Let me know. I hope you're set up for a fantastic Friday and a great weekend.
Um I will talk to you online and see you on the show on Monday.