Ask the Experts: What’s most rewarding about your career in cyber security?

Ask the Experts: What’s the most rewarding part of your cyber security job?

RSA Conference 2020 is coming up fast! In recognition of this year’s theme of Human Element, we wanted to ask some of the expert humans we know about why they chose a career in cyber security, what they found most rewarding about their cyber security jobs, and what they found most frustrating.

Defending against the bad guys

I started in cybersecurity in 1998 when this was a relatively new field. I had just left the military and completed my Master’s, so I was very interested in both the business side of technology and the idea of defending against the bad guy. I started in firewalls as literally no one else in our company wanted to touch security. From there I had a real interest in learning who the bad guy was, so I learned more about network forensics, IDS, log analysis and honeypots, eventually creating the Honeynet Project. Back then you pretty much learned everything on your own.

What I love about cybersecurity is how it’s a constantly changing field that impacts every organization in every industry in the world. You know your actions can have a positive impact around the world. One of my biggest frustrations is how so many people perceive cybersecurity as a purely technical challenge. Until we also start addressing the human element, we will continue to lose this battle.

—Lance Spitzner, director, SANS Security Awareness

Helping protect patients at hundreds of hospitals

In 2010, I was simply in the right place at the right time. Cybersecurity was certainly not new, but it had yet to become a priority in healthcare. Over the next decade, I had the opportunity to help hundreds of U.S. hospitals implement the appropriate safeguards to protect the privacy, security, and confidentiality of their patients’ healthcare records. That’s been the most rewarding experience of my career. And frustrations? Frustrations are only challenges that have yet to be met.

—Daniel W. Berger, former president and CEO of Redspin, Inc., currently a healthcare cyber security subject matter expert and consultant

Staying ahead of the bad guys

What made you choose cyber security as a career?

My movement to the cybersecurity domain was kind of accidental. I didn’t have a specific choice in my school days that I wanted to pursue cybersecurity, but I always wanted to be in the tech domain. I happened to be in my first job when I realised my passion for information security and took it very seriously to build my professional career. Security became a thing that was a part of my job. The more domains I worked in with cyber security, the more I understood where I had to look for security issues.

I started to help organizations in their overall efforts to secure themselves against malicious actors. I started from roles that were more of an external consultant to global organizations to working in their internal security teams, where I learnt a great deal. Everyone has a different path to follow, and I believe it’s one’s path that leads them to different learning experiences. InfoSec as a career option is no different, but there are a few things that, if they had existed then, would have made a big difference. I feel InfoSec communities play a big role in one’s career, as you get to meet, interact and receive mentorship from experienced practitioners in this domain and they guide you to do things the right way. One of the most challenging things in InfoSec is that one needs to stay updated with different areas of technology and their threat landscapes, so learning with a large number of people in communities can make it a bit easier. The turning point in my career came after joining cybersecurity communities like null, OWASP, and infosecgirls. These communities introduced me to the broader security domain and domain experts.

If you want a cyber security job, communities can introduce you to experts.

What are the most rewarding, and most frustrating, aspects of your cyber security job?

The most rewarding part of the job is, one, you get to secure data, information and an organization. Every time you find a new issue and get it fixed in the organization before a malicious actor learns about it, it’s the most amazing feeling. Keeping yourself up-to-date is the key. Someone who has curiosity about every aspect of technology is probably the best suited person. You need to build on that curiosity and spend a lot of time understanding the working of these technologies.

The most frustrating aspect of the job: It cultivates a negative mindset sometimes in our environment, as we have to find bad things to make sure no one can harm us. The information security domain can be glamorous as well as tiring at times. The key in this domain is that one should constantly focus on how security can be improved by learning and applying the necessary skills. Everything else (career advancement, etc.) falls into place.

—Vandana Verma, security architect, IBM India Software Labs

Working with the smartest people on the planet

What made you choose cyber security as a career?

I was working in the newspaper industry and it was sucking away my will to live. Fortunately, TechTarget’s SearchSecurity.com was looking for a news writer. I took the job and quickly fell in love with the subject matter. Security has been my focus ever since.

What are the most rewarding, and most frustrating, aspects of your cyber security job?

Most rewarding: I work with some of the smartest people on the planet who share my dedication to making the internet a safer place. Most frustrating: No matter how much guidance is out there, companies keep making the same mistakes over and over again—resulting in data breaches that affect us all.

—Bill Brenner, director of research, IANS

Being a trailblazer in a new, unexplored field

What made you choose cyber security as a career?

I actually got onto the information security, privacy, and compliance path at the very beginning of my career as a result of creating and maintaining the change control system at a large multinational financial/healthcare organization. … The concept was good. The system was good. The procedures were good. Unfortunately, many of the individuals using my change control system were not so good. I discovered that the programmers were getting around the controls when Directors simply left their computers logged in and unsecured, so that the programmers could go in and make the online approvals on the Directors’ terminals themselves! …

A cyber security system is only as good as the people using it.

[Later] I spent 7 months performing an enterprise-wide information security audit. As a result of that audit, I recommended that an information security department be created. The executives were impressed with the audit report and assigned me to create the Information Protection department in 1991. I’m so happy I took that opportunity!

I’ve been addressing privacy within businesses since 1994, when I was given the responsibility of establishing privacy requirements for what my business indicated was the first online bank. This was in addition to my responsibility for creating the information security requirements for the bank. There were no privacy laws at that time applicable to online banks, … [but] I convinced my senior vice president at the time to have privacy addressed. He indicated that since I felt so strongly about it, he would give me that privacy responsibility. Another great opportunity to do something that had never been done before within the organization, or at most other organizations.

Since then I’ve welcomed the opportunity to identify privacy risks in new technologies and practices, in the absence of any laws or regulations, in a wide range of industries and also identify the cybersecurity controls to mitigate risks. When opportunities arise, take them! Be the trailblazer and original expert in a new, unexplored field. I am happy that I was always asking questions, raising concerns, and then being the person asked to address issues I explained needed to be resolved when no one else wanted to do them.

Many cyber security jobs can be found at financial institutions.

What are the most rewarding aspects of your cyber security job?

There are many rewarding aspects:

  • Identifying risks, often that have not yet been discovered for new tech, new practices, etc., and then recommending the technical, physical, and/or administrative/operational ways in which to mitigate them. It is extremely rewarding to be part of the solution for information security and privacy problems.
  • Helping organizations truly better protect not only their information assets but also the personal data of their customers, patients, employees, and often the general public. It is especially rewarding when you see clients suddenly “get it” about the need for data and cyber security and privacy protections.
  • Always learning new things, every day. This is truly enjoyable. There is never a dull moment!
  • Meeting so many great folks: clients, business colleagues, information security and privacy gurus, and those in the general public who want to know more about information security and privacy and are happy when I can pass on some helpful and useful information to them. Related to this are the great opportunities I’ve had to see many awesome parts of our globe that I probably would not have visited otherwise if it were not for clients in those locations.

What are the most frustrating aspects of your cyber security job?

Frustrating aspects are many fewer in the past 17 years that I have owned and run my own business. Before that, doing endless, seemingly unproductive actions that didn’t move the information security and privacy objectives forward could be very frustrating. It is also frustrating still, though, to encounter some business partners who do not understand information security and privacy issues and risks and insist upon poor security and privacy practices.

It can be frustrating when organizations stick to their old ways and don't follow your cyber security recommendations.

Possibly my biggest frustration is that there are not enough hours in the day to do all the cool projects and research that I find so very interesting!

—Rebecca Herold, CEO, The Privacy Professor

[“source=securityboulevard”]