Investment in skilled people is number one. The market is experiencing a shortage in talented people, which can be challenging for organizations. Having skilled people—or creating them by investing in people and training them in security—can’t be emphasized enough. I’ve been to several organizations that have everything ranging from massive budgets all the way to the smallest. Ultimately, it’s the people who make the difference in how the organization handles threats and builds its security program. I’ve walked into some of the largest security programs with the largest budgets and broken in within minutes—undetected. The difference in organizations where it has been a challenge to break in (and we’ve gotten detected in early phases of an attack) came down to the knowledge of the individuals, analysts, and the overall program and culture.
To me, having a budget for training, education, and awareness, and having skilled people, has the most impact on an information security program—more so than any other investment within a company. It isn’t a piece of technology that makes the difference; it comes down to the knowledge and skill of the team. A team can be built from the ground up or by hiring seasoned individuals to help lead the team. Regardless, having a program that allows advancement, flexibility, training, and the ability to be challenged within information security makes or breaks the security program.
How is it that cybersecurity spending is increasing but breaches are still happening?
There does not appear to be a direct correlation between spending more money and having fewer breaches. Return on investment has always been a hard thing for the security industry because you are either breached or you are not. (And there may be some lag time between when you’re breached and when it’s detected.) It all comes down to how the investment is used and what the intent of risk reduction is. We are a risk-centric industry, and if an organization doesn’t have a good grasp on what they are trying to protect, the risk factors, and the threats toward their organization, then any amount of money will not protect them.
Instead, focus spending on understanding adversary capabilities, threat modeling, and emulation—and having supplemental security programs in place that identify threats. This is where most of the investment should be going.
Unfortunately, too many companies still focus on regulatory and compliance as their primary driver—as well as purchasing technology—instead of investing in people or leveraging what they already have. What most organizations fail to realize is that when you introduce a new piece of technology, it introduces complexity. If you don’t have the people to support that complexity—people with the knowledge to appropriately use this new technology—then it’s a detriment to the organization, not a risk-reduction factor.
Do you need a college degree or certification to be a cybersecurity professional?
The simple answer to that is no; however, this is complex. A degree or certification doesn’t attest to the skill level of someone at any stretch, but a degree or certification does show commitment and dedication to a specific focus area or an understanding of certain topics. This can be beneficial for hiring managers and human resources to be able to identify potential candidates for an organization. It’s often difficult to distinguish between raw talent and a career of degrees and certifications when leveraging human resources. If a security professional were able to interview each candidate and test them on skills and capabilities, the answer would be, “No, degrees and certifications make no difference.”
The truth, though, is that isn’t a reality. So, certifications and degrees do make a difference. They help show your focus as a security professional and that you’re spending time to differentiate yourself from someone else. This doesn’t mean that the skills are there to meet the job requirements, but it’s at least a conversation starter. If someone comes highly recommended to me from individuals I trust, I won’t look at a certification or degree. However, if someone is applying blind, then they do help in understanding the skills and expertise of someone. There are also many certifications that hold more weight, depending on positions. For example, if I’m hiring someone who is technical-centric, I will look more for technical certifications that require applied knowledge to pass (such as lab simulations).
How did you get started in the cybersecurity field, and what advice would you give to a beginner pursuing a career in cybersecurity?
I started off not knowing really where I wanted to focus my efforts. I was always in technology, starting off programming online video games (called multiuser dimensions, or MUDs), and I learned a lot by self-teaching and exploring. Most important, I figured out how to program at an early age. When I joined the military, I started focusing on cybersecurity as a job. That’s always one pathway into security—joining the military and getting the applied, hands-on experience that way. There are also college courses. I, for one, really enjoy the cybersecurity program at Dakota State University (DSU). The key is finding what you enjoy doing in security; that’s the most important factor.
For most, security becomes more of a passion and hobby than it does a job or a day-to-day living. To stay up to date and learn what you need to, it’s something you need to enjoy doing. Find what specialty within cybersecurity best interests you, and focus on learning that as your tradecraft. This doesn’t mean you can’t learn anything else, but having specializations is important. Pick up books, read them, learn and soak in as much knowledge as possible. Learning from other people’s mistakes and successes can also help.
Also, communication is super important. Being able to take highly complex or technical concepts and communicate them so that everyone else can understand is part of our role. Communication and social capabilities are traits that are often lacking in the cybersecurity industry.
What is your specialty in cybersecurity, and how can others gain expertise in your specialty?
I’m not sure I have a direct specialty. Being in cybersecurity requires knowing a lot of different areas. However, if it was any, it would be exploitation and post-exploitation. I get to focus a lot on understanding attack patterns, researching new techniques, and identifying how an organization can be compromised through multiple means. Understanding attack patterns also allows me to be strong on the defensive front and help organizations build detection and prevention against a large attack surface. Programming is another. While I am a far stretch from a developer, having the ability to write tools—and automate tedious tasks or come up with new attacks—is a huge asset for people getting into the field.
What is your advice for career success when it comes to getting hired, climbing the corporate ladder, or starting a company in cybersecurity?
Take risks, trust your gut, and make calculated decisions when it comes to your career. Starting a cybersecurity company in the beginning without a lot of expertise or customers will be difficult at first.
As for getting hired, start gaining experience and differentiating yourself through your passion and drive, and things will happen. If your desire is to be highly successful in information security, going to work from 9 to 5 will not get you there. Going home and researching, taking training, reading books, networking, learning from others, and making security your passion will.
You must differentiate yourself from other individuals within the organization as well as your peers. Climbing the ladder is good, but it can also cause you to become stagnant. I notice a lot of individuals changing companies every few years to gain different experiences and challenges and to become well rounded. I personally haven’t done that; I stayed for many years and then decided to start my own company.
What qualities do you believe all highly successful cybersecurity professionals share?
Passion, dedication, loyalty, ethics, communication, and drive are some of the highly sought-after skills. You can have someone who is technically brilliant but lacks drive or passion, and getting what you need to out of that person becomes challenging. I’m an advocate for the idea that you can teach a driven person anything and train them up. The ability to be a self-starter and learn information without being taught is also highly desirable. Also, being able to communicate with others and work as part of a team shows humility, and it demonstrates the ability to learn from (and teach) others.
What is the best book or movie that can be used to illustrate cybersecurity challenges?
While not directly related to cybersecurity, the book Rework (by Jason Fried and David Heinemeier Hansson) is more of a technology and business-centric book. I think many of the issues we run into are making things so complex that it’s often to the detriment of protecting the organization. Rework was an inspiring book for me in that it is the exact opposite of what we are taught in school (or in business) on how to handle situations or hold meetings—and a lot of that directly applied to me and cybersecurity. Although cybersecurity has technical components, having a business understanding and being able to communicate how to most effectively address risk and communicate complex situations is also extremely important.
What is your favorite hacker movie?
I know this is going to be cliché, but Hackers is one of my favorite movies. The technical aspects are obviously incorrect, but the culture of hackers, the curiosity, and the fighting for what you believe is right is a perfect representation of how a lot of individuals are. The movie, to me, was ahead of its time and showed a lot of what was possible in the ’90s with computers and what we were going to face—for example, where individuals would hack corporations to extort money and how having a high level of skill can put you in jail if you do things wrong. It was a great representation of what was to come, even if the technical aspects of the movie weren’t accurate.
What are your favorite books for motivation, personal development, or enjoyment?
I really enjoy books from No Starch Press. They have many technical books that I read from time to time to keep me sharp on many topics, ranging from programming to car hacking. I enjoy reading those, even if I may not understand the topic fully, because it allows me to grasp the conceptual aspects around a topic and makes me stronger when communicating to audiences of executives. I also enjoy the book Remote by Jason Fried and David Heinemeier Hansson, which talks about how to build a successful company of remote employees and the things you need to do to have a good culture. For me, people are everything.
What is some practical cybersecurity advice you give to people at home in the age of social media and the Internet of Things?
When you’re purchasing technology, know that it comes with a level of risk. The more technology you add to your home or that you wear, the greater the profile and footprint you have. Make sure to change default passwords, keep up to date with the latest patches, and as someone looking to get into this industry, figure out how to take them apart and hack them! Most IoT devices are rudimentary on security and super easy learning grounds for you to learn how to attack things.
What is a life hack that you’d like to share?
Life is all about balance. Maximizing your time to learn requires motivation and passion but, most important, surrounding yourself with positivity. For me, my biggest life hack is always attempting to find positives in life and what I do. Even in bad situations, I use them as a way to learn how not to be placed in a bad situation. Family and work-life balance is the most important piece. A life hack that I use is that I will sleep in a little later and stay up later. This allows me—once the massive amount of emails have come in throughout the day—to have quiet and be focused when the kids and family are all asleep. That could be coding, reading a book, playing a video game, or trying to figure something out. You need time away from the distractions of your phone and other things to develop you. Make sure you dedicate time for you.
What is the biggest mistake you’ve ever made, and how did you recover from it?
When I first got into the industry, I remember I was on a penetration test for one of our company’s largest customers. I attacked one of their systems, and I brought their entire network down—causing massive outages. At the time, I thought I was going to get fired and that the company would terminate all communications with us, and due to me, we would lose one of our largest customers. The customer came in highly upset, screaming and yelling—which, at the time, was something I’d never experienced. They had people running through the hallways, and it was mass chaos. It was really bad. After the dust had settled and the company recovered, and once everyone’s emotions were settled, they sat me down to understand what had happened.
After explaining truthfully why these types of attacks were used, the organization found that they hadn’t fully prepared for this scenario in their disaster recovery and were going to incorporate it into their program. They were super thankful and appreciated the work we did. While it caused a lot of pain for the company, calmer heads prevailed.
Michelle Klinger
“Nothing is going to stop a breach. I don’t think there’s any foolproof plan to stop them. They’re going to happen.”
Twitter: @diami03 • Website: topheavysecurity.com
Michelle Klinger is a director of public cloud security living in Houston, Texas, with a bachelor’s degree in organizational management and security. She has held several roles throughout her career—system/network administrator, security assessor, QSA, and security architect. In the last five years, she’s made it a point to volunteer at various conferences. Michelle is a former board member of Security BSides and one of the past coordinators of the BSidesDFW conference. She can always be located by her distinctive laugh and low-cut shirts.
If there is one myth that you could debunk in cybersecurity, what would it be?
The use of the term hacker to encompass malicious activity or a bad actor.
What is one of the biggest bang-for-the-buck actions that an organization can take to improve its cybersecurity posture?
I don’t think there is one “bang-for-your-buck” action. I think that’s synonymous with a magic dietary pill. Instead, what’s needed is a deliberate set of actions to create an actual information security program at an organization. This means aligning different security groups and defining what their value to the organization needs to be, as opposed to having different security groups for the sake of having them. We need to build programs, and the groups shouldn’t be working in silos. We need to have dependencies between the groups, and the groups need to know what those dependencies are and establish the programs and processes around them. It’s a lot of work, but I don’t think there’s a single bang-for-your-buck marketing ploy. I think that’s the problem we have with security; everyone’s trying to find that magic bullet, and it doesn’t exist.
How is it that cybersecurity spending is increasing but breaches are still happening?
Nothing is going to stop a breach. I don’t think there’s any foolproof plan to stop them. They’re going to happen. It’s how one responds to being breached—shifting one’s perspective from “prevent and protect” to “respond, detect, and restore”—that is important. But I also think the spending is, again, in those perceived magic bullets, which are usually tools. They’re spending a lot on tools but not developing and building programs around them. The programs should be built first, and then the tools should be identified as fitting the program versus finding the tool and then just operationalizing it without a larger program in mind.
Do you need a college degree or certification to be a cybersecurity professional?
You don’t need a degree, but you definitely need a certification (one of the well-known certs) to get past the résumé triage process. Getting past recruiters and HR, who have no knowledge of the role, can be tricky without one. They tend to use keywords to filter out potential candidates, and a certification is an easy filter. The org may also have staff with certification quotas.
I was a network admin for years, and then when I went into security, the first thing I had to do was get a security cert. That way, when my company bid on jobs, they could say they had “X” cert, or a resource with that cert. I think they’re only good for meeting quotas and/or HR, but I don’t think they provide much value.
How did you get started in the cybersecurity field, and what advice would you give to a beginner pursuing a career in cybersecurity?
I started in IT first. I was a network/system administrator, and this was before InfoSec was an actual profession. I was actually in IT for a security vendor, and I was the admin for their network. Eventually, the company closed down, and some of the people who worked there started their own security company doing consultative security assessments.
I think there’s a benefit to starting in IT. Security is a mind-set; everything functions on some sort of IT function or IT bedrock, so coming through IT is super helpful—as opposed to just coming in and saying, “I want to learn security!”
What is your specialty in cybersecurity, and how can others gain expertise in your specialty?
My specialty was security assessments. I went to companies and assessed their security controls for maybe eight or nine years. At my current company, I started out running their assessments group, but now I’ve morphed into cyber risk management. Again, having security assessment experience is super helpful for doing risk, but I could not tell you how to get into risk. Risk is seen as like the third-removed cousin of InfoSec. Usually, when you tell people you’re in risk, they’re like, “Oh, okay.” They don’t see it as information security, but it is part of the governance, risk-management, and compliance (GRC) triad. As far as an organization is concerned, information security risk is the centerpiece—where understanding the company’s risks, and the business making decisions based on those risks, is pretty key. All of those other security programs feed into the risk program to provide metrics. My advice would be to find conferences that are risk-specific, go to those, network, and get your foot in the door.
Tribe of Hackers Page 20