Recorded in alignment with October CyberSecurity Month. Whether you’ve obtained your skills through a college degree program, through earned certifications, or you are entirely self-taught, CyberSecurity is an outstanding career choice for people who are curious. And now is a great time to start your career path or continue your career trajectory in this highly specialized field. Tune in now to podcast hosts Jason Pufahl and Steve Maresca, along with special guest Michael Grande President of TBNG Inc., as they discuss options you may not have known existed.
[00:00:00.000] - Jason Pufahl
This CyberSound episode was recorded in alignment with October Security Awareness Month.
[00:00:04.310] - Speaker 4
This is CyberSound, your simplified and fundamentals-focused source for all things cybersecurity with your host, Jason Pufahl and Steven Maresca.
[00:00:15.230] - Jason Pufahl
Welcome to CyberSound. I'm your host, Jason Pufahl. And today, I'm joined by Steve Maresca, as always, and Michael Brandy.
[00:00:22.890] - Steven Maresca
[00:00:23.550] - Michael Brandy
[00:00:24.180] - Jason Pufahl
So we're going to chat a little bit today about a topic that I get asked all the time about, which is that I'm interested in getting involved in cybersecurity. How do I do it? And I think there's a dozen different answers, and there's a dozen different ways to approach this. I think we'll start really quickly because I don't want to spend a ton of time on it.
[00:00:48.180] - Jason Pufahl
There really is that traditional route of just getting some certifications. And there's a variety of entities that can do that, ISC-squared, ISACA, SANS, right? There's a bunch of places to get certifications. Higher Ed has certainly gotten into the cybersecurity realm, right? So I think there's a way to say I've never really been a practitioner. I like to bolster my resume with some certifications and we can do that. They come with pros and cons.
[00:01:15.150] - Steven Maresca
And in a counterpoint, a lot of the security industry is made up of folks who are self-taught and frankly entered into that realm because they were a related field, or they had the interest, or frankly, it just seemed appropriate for their point in life. It's a very interesting field, has a lot of facets to it, and it's a great place for people who are curious.
[00:01:39.120] - Jason Pufahl
I know for me, personally, what always attracted me to the space is probably largely not usually a technical person, was the ability to understand, the requirement to understand sort of all aspects of IT and business. And now I think we're seeing even from migration into requirement to understand some legal aspects, which wasn't the case 20 years ago. Frankly, when I started out on this, it was a, I'm a network person who does some network security stuff, right? Maybe that's firewalls or some other network technologies. It's evolved significantly into its own field.
[00:02:15.210] - Michael Brandy
It seems like there's almost really...I mean, there's some limits on, I guess, what type of area that you can go into, but really, from sales to contracts, the legal soft skills that are needed in a lot of different things. There's really a lot of opportunity. Project management comes to mind for folks who are interested but may not be strictly technical in nature.
[00:02:41.020] - Steven Maresca
One thing I often comment on bouncing off of what you're saying, Mike, is that security as a discipline, has as its underpinning clear communication. It is essential to help translate complex issues, both from a technical perspective and the broader sphere like you're alluding to in terms of the psychology and the regulatory environment. If you can't articulate and you can't describe yourself in what you do, what problems you're solving, it might be a challenge, but that's where people who have those skills are really well-suited.
[00:03:14.540] - Michael Brandy
[00:03:16.010] - Jason Pufahl
So let's try to be a little specific. I think people who are listening probably are thinking, well, I'd like to get into cybersecurity. What does it actually mean? Right? And there really are a variety of skillsets generally at play. I think the term analyst is something you'll see a lot and I call them cybersecurity posting, right? The idea of being an analyst.
[00:03:42.380] - Jason Pufahl
That carries a lot of weight for me when I get somebody who truly has the skills of an analyst. It's somebody who can take large amounts of information, make sense of it, and then convey it back to people in a meaningful way, right? Whether that's through an incident or whether it's through business improvements for security. But that idea of an analyst, I think it's kind of the underpinnings of what a lot of security organizations will require.
[00:04:10.940] - Steven Maresca
And it's the basic role that many organizations that lack a dedicated security staff will really start to get their feet wet in addressing information security at large. Job postings, in general, are fairly widely scoped. People with little experience may find themselves well-suited for an analyst role. And those who have deep, deep experience might be more senior, still in the analyst position.
[00:04:38.200] - Michael Brandy
Is there a sort of an easy differentiation? Perhaps either of you could provide some of the differences between strictly more government-contracting type opportunities when it comes to analysts. You've heard the term. I've heard the term a lot, either in TV shows or in public discourse. I'm an analyst so I work for this organization as an analyst. Or you may have heard of maybe an incident at a large governmental supplier, where an analyst was named, but he's really a subcontractor in some way, versus maybe that strict other definition of maybe a security operation center analyst or something like that. It's a very broad term, seemingly thrown around quite a bit.
[00:05:25.090] - Steven Maresca
So I think I'll address that just from a broad perspective first. Security depends upon good data, and it requires people who are capable of sifting through it. That may mean manually reviewing certain activities, manually reviewing information produced by systems. Or it may mean developing tools to consume it at scale. There are places for each in that spectrum for people and for tools.
[00:05:56.470] - Steven Maresca
And I think that from the governmental organization aspect that you're talking about, they tend to be more sophisticated. They have specialized roles for people who review very specific activities. You may have a security analyst whose sole focus is looking at network traffic just to divine malicious intent in that material. More broadly, you may have a generalized analyst who reviews all sorts of security data produced by antivirus, firewalls applications in general.
[00:06:31.050] - Jason Pufahl
Right. And it differs, I think, from the engineering in terms of reviewing data, maybe versus the implementation of tools, right? The security space tool?
[00:06:40.980] - Steven Maresca
I mean, in the same sense that IT is also specialized, so is security. People who start in the application realm, the operating system space and the network realm are all themselves overlapping in security. The best sort of analysts can settle those lines fluidly. But specialization in those arenas is perfectly fine and normal and desirable in many cases.
[00:07:06.280] - Jason Pufahl
So I think for me, the maturation in this space has really shown itself in security practitioners who understand the balance between security controls and conducting business, right? And I think people who are able to have discussions across the entire enterprise with business people understanding processes and understanding how you have subtle changes on the security side might really disrupt business. It's a really important quality.
[00:07:37.920] - Jason Pufahl
And there's a legitimate technical track, no doubt. The firewall management, some network configuration towards the security goal, using security tools, right? There's definitely a technical track. I think moving into more of the management side, being able to understand security controls and the intersection or the impact potential on the business is really critical.
[00:08:05.230] - Steven Maresca
It's a common perspective if security runs counter to business. Therefore, it undermines revenue goals and things of that nature. A very well-functioning security group within your organization can understand how minute technical details of a software implementation impact revenue flow, impact customer interactions and similar. That type of nuance is, frankly, crucial for any sort of successful person in the security field.
[00:08:35.410] - Michael Brandy
And you talk about sometimes the unintended consequence of maybe IT managers and someone maybe working more on the IT management side or network administration of implementing tools and processes for business efficiency and productivity, sometimes unintentionally flying to security motives and best practices and fundamentals. But sometimes we've seen organizationally, people who do start out in understanding sort of core network security as a technician or entry level position are able to rise pretty quickly, and understand that security is another step to take in that career path for some folks. Pretty interesting.
[00:09:21.280] - Jason Pufahl
Yeah. I mean, I think you got a unique perspective there having spent so long in that sort of MSP space. I think you have been able to see how it's not just about operations anymore. It's not really about, can you install a network that functions and moves packets? I think I'm sure now when you're hiring in that space, it is, how do you make sure that what we design for a client is implemented robustly but also securely?
[00:09:50.180] - Michael Brandy
Yeah. It has to be woven into almost every solution that gets developed from our perspective. And that's sort of that seamless nature of the solutions come into play. We've seen interns coming a lot from the university level, local throughout Connecticut and regionally at the Northeast. There has been, I remember 10 years ago talking to some folks in Higher Ed, a bit of a disparity between the understanding of what a computer science degree meant versus information technology.
[00:10:25.370] - Michael Brandy
And so folks would go to school and come in and they would have some coding background, but they wouldn't really understand just the OSI model. And they wouldn't understand some of the basic core tenants that you would expect, not even just from a network perspective, but IT. That's definitely been changing in recent years.
[00:10:42.470] - Steven Maresca
Yeah, one thing that you may have heard me say in the past is that security is a realm where the rules are broken. And when you come from a software development standpoint or a formal computer science background, your entire academic career is based around constructing things that work properly. And the dirty details of when they fail is actually where we spend most of our time, either planning for, anticipating failure, or alternatively, diagnosing what things look like when those failures are used in a malicious way.
[00:11:20.900] - Steven Maresca
So it's a very different perspective. And a formal background in very detailed computer engineering doesn't always lend itself all that effectively to security, unless specialization toward that goal has been part of the education.
[00:11:37.590] - Jason Pufahl
Let's face it, a case in point. You and I were both English majors. I have a masters in nothing close to security. But I think from an aptitude standpoint, it has suited my personality well for a variety of reasons, right? I think recently analytical. We do a bunch in that incident response space, I like the emergency aspect of some of what we do; it really lends itself to an inquisitive personality. I love that I'm forced in a lot of ways to be involved in almost every aspect of a company.
[00:12:11.240] - Jason Pufahl
If you think about some of the incident response work we do, it's going in and quickly understanding what businesses goals are, what the impact to the event they're having are, how do you quickly bring them back while also trying to either contain a threat or make improvements. There's a lot of dynamic decision-making that occurs. Yeah, having a technical background is helpful, but there's a lot of room in this space for people with nontechnical backgrounds or largely nontechnical focuses.
[00:12:40.860] - Steven Maresca
Or alternatively, nontraditional thinking. I've been heavily involved in security research for the better part of 15 years despite my non computer science degree. And my background through demonstration reaches the same degree of people who spend their eight-year cycle in college pursuing a PhD. There are many, many people like me.
[00:13:07.340] - Jason Pufahl
[00:13:08.100] - Steven Maresca
And that's important from the hiring perspective. If your experience doesn't necessarily, on your resume, match up to what the job is requesting, that's one thing. But experience tends to be something that outweighs actual academic qualifications in the realm of security.
[00:13:30.460] - Michael Brandy
So I'm going to flip the script a little bit on both of you and say, if you were to sort of summarize, someone listening that might be interested, or I think maybe perhaps they know someone who might be interested in a career in cybersecurity or information security, what type of advice would you give?
[00:13:52.580] - Steven Maresca
If you're a sort of person that likes solving difficult problems and has the tenacity to go after things that may not have easy solutions or any solution, then security is probably the right place for you. That's true across the spectrums we've discussed, whether we're talking about technical domains or the far more ambiguous regulatory and business realm, because we have to be creative. Our adversaries are creative, the problems we face are creative. It's an absolutely critical component for anyone that wants to work in this space.
[00:14:31.480] - Jason Pufahl
And I would say you'll find ways to get involved. So I really want to know when I'm talking with somebody, that they aren't just trying to get into the security field because they believe it's lucrative. I want to know that they're doing it because they have a legitimate interest. But if you can demonstrate that in spite of maybe not having that demonstrable work experience by saying, here's the security groups that I'm a part of, right? Or here are the people that I network with in that field to try to get relevant experience, right? If you can show involvement, that goes a long way for me.
[00:15:04.510] - Jason Pufahl
But I do want to see inquisitiveness. I think somebody who thinks differently is really attractive, and there's ways to show that as well, right? So you don't have to have that long-term background.
[00:15:17.340] - Steven Maresca
Right. Case in point. Some of our best hires a decade ago actually had a background in bioinformatics and entirely unrelated fields, or at least they seem to be unrelated. The truth is that the data analysis tasks that they have to pursue are remarkably similar to the challenges that are faced in security. And interestingly enough, the same people are the most articulate in describing the problems that they face. Therefore, they're excellent in producing the narrative and guidance required to translate technical things to a more business-oriented focus.
[00:15:55.110] - Jason Pufahl
So I know we're close to wrapping up here with time, so I want to sort of end this way, which is historically, I've had the opportunity to work with a lot of interns, sort of a lot of college students who have then turned into sort of longer term employees. I'm happy to have a conversation with anybody who's interested in getting to the field around what qualities make for a good security practitioner, what certifications might be reasonable to pursue. And I think those are different for everybody, what internship opportunities or groups might be worth getting involved in.
[00:16:32.380] - Jason Pufahl
So if anybody is interested in having a further discussion around how do I advance my career in cybersecurity, feel free to reach out to me directly at JPufahl@Vancord.com. Reach out to us by Twitter @Vancord Security. Feel free to start a conversation on LinkedIn. I think this is a really important topic. I don't think there's enough serious practitioners in the field. And certainly, we all recognize that there's a lot of opportunity for people. We're happy to have that conversation.
[00:17:00.980] - Steven Maresca
Security is still a developing field that most 35 years old, if you stretch the definition, there's room for vast improvement. There's room for a lot of people to join. And we like to help guide people through that process.
[00:17:17.420] - Michael Brandy
And people from varied backgrounds are looking for different challenges in their professional world.
[00:17:24.750] - Steven Maresca
[00:17:25.250] - Jason Pufahl
What I don't like to hear, candidly, is that, it's maybe 35, you're stretching it at 35 years, and I've been in it for now greater than half of that. So again, reach out to us. We are happy to talk. As always, we hope that you found this podcast today valuable. We appreciate you listening. And Mike and Steve, thanks for joining today.
[00:17:46.180] - Michael Brandy
[00:17:46.640] - Steven Maresca
[00:17:51.130] - Speaker 4
Stay Vigilant, stay resilient. This has been CyberSound.