There are plenty of misconceptions, misrepresentations, and lies about cybersecurity or the larger field of Information Security. Let’s take a few and talk through them – keep in mind some of these are subjective and anecdotal based on my experience in the industry. I’ll do my best to source and cite where applicable, but as with most things in security it comes back to our favorite saying: “It depends…”
Myth 1: Cybersecurity is nearly impossible to break into
The truth here varies from individual to individual. It is genuinely hard to cross the line into your first true cybersecurity role, but it's also true that almost everyone is doing some security work in their current role today. There are a few routes into the industry that I see as pretty typical, but what I continue hearing described as “the route” is as follows:
- IT – starting out in a help desk or moving through the sysadmin, network admin, server/storage admin route.
- SOC – Moving to a role where you’re triaging alerts, tuning rules, and gathering enrichment context for a given event and passing it up or acknowledging as a false/true positive. More often than not this isn’t the hands-on fixing but is more of a diagnosis role that still requires knowledge and grants experience a la firehose method – get good at your Google search operators! From here expect to move through titles like Analyst with prefixes like senior, lead, staff etc. Remember – Analyst is not an entry point – it’s a whole career path itself!
- Engineer/Manager/Penetration Tester – This is where you start branching out into specialties. You’d start to hone in on what you’re good at and what gives you energy. Things like DFIR, GRC, Program Management, Architecture, etc. are titles and disciplines further down this advanced path.
However, these days the traditional route is giving way to an almost indeterminate number of other ways into the field. In recent years more and more accredited universities are offering Information/Cybersecurity degrees at both the undergraduate and graduate levels. Additionally, some schools and other institutions offer cybersecurity bootcamps or similarly styled cohorts designed to get you up to speed quickly and placed in the field. There are more free resources and community tools coming out of the big guns like SANS than ever before, and even CISA is getting in on the action and putting out lists of places to get your feet wet. Another great option is the “pay what you can” trainings – some of my favorites are from Black Hills Information Security (and their sibling Antisyphon Training), but in recent months I’ve seen others offered from TCM Security and more. Be sure to at least create a creeper profile on LinkedIn and Twitter to look out for the codes.
In addition to this, there are some great ways in that simply use skills you’ve gained in other fields. I started in retail – so talking to strangers was basically required on a daily basis. I used that skill to build rapport quickly to great effect in my career thus far and heartily encourage others to do the same.
I also see some conversation around degrees or experience in seemingly unrelated fields. I always contend that all experience is experience, whether you were a librarian, teacher, accountant, or worked on an oil rig – you have skills and experience; the trick is to find the links to cybersecurity and highlight why they give you a unique viewpoint and insight in a potential new role. I’ve hired folks with lengthy and impressive educational backgrounds, certifications and CTF experience, and a vocabulary straight out of a SANS course – I’ve also hired people in school for marketing and with absolutely zero tech experience (not just cyber/IT). Each of those teammates has turned out wonderfully and leverages their skills and experience to great effect. For me, it boils down to those intangible qualities – the communication, personality, drive, and much more that make the long-term difference. We can teach technical skills; we can’t teach you how to be good to work with, for, or alongside. We also can’t teach you how to learn – so maybe my best tip, before you go crazy subscribing to services, buying courses on Udemy, or really anything else, is to figure out how you learn best. For me, it’s a mix of reading, watching, and practicing.
Myth 2: You better learn to code/Python is actually King (Cobra?)
I am a terrible coder. I am not a software engineer. I am also not paid to be, nor expected to be, the best developer/coder in the security organization. I’m paid to lead a team of engineers and, based on their unique skills and proficiency, to get things done. I caution those that say NO knowledge of coding is necessary – again, “It Depends”. I am a firm believer that while you don’t need to be some code guru, knowing what a block of code is trying to do is pretty damn important. I know some Python, PowerShell, Bash, and JavaScript – why? Because they’ve all either served me well in varying degrees during my career or have come in handy in a given role. When I was running IT for a financial services firm, PowerShell helped me automate onboarding and offboarding. At the time of publishing, I’m working around the AdTech space – where JavaScript is rampant. I’ve also had to do menial tasks like reinstating accounts in 1Password using their CLI, where Python was the clear winner because it cut the time doing the task from a few hours to a few minutes. To each their own here, but I highly recommend at least getting some practice to figure out what variables, loops, functions, and at least a few tidbits of a given language do. I will never stop plugging Automate the Boring Stuff (support Al by buying a copy!!).
As a quick note – please try to buy directly from No Starch or the authors I recommend. Yes, I know Amazon is handy, but they’ve also been less than honorable in their printing practices.
Myth 3: Companies have Cybersecurity figured out
Working for almost any company will quickly show you that they don’t have their proverbial Sh*t together in one area or another. Maybe they don’t have a mature software development lifecycle, maybe they don’t restrict USB on endpoints, maybe they have far too many local admins on workstations. Whatever the case might be, no one is lights out, with 100% defense in depth covering all their bases. Even where the maturity is further down the trail, the reality is that breaches still happen to mature and “security-first” organizations. The sooner you understand that no one is perfect and that risk decisions serve the business objectives first and foremost, the happier you’ll be in your career and the more you can enjoy the journey toward maturing the security posture of a given organization. You are going to lose arguments, not get your way, and the business will decide that a given security control is too costly in more ways than just dollars and cents (implementation cost, downtime, etc.).
Myth 4: Certifications mean employment/promotions
Nope. I could leave it there, but let’s go further. Certs CAN help you a ton in your journey, be that landing your first role or leveling up – however, they’re by no means a silver bullet to guaranteed promotion or hiring. I love certifications because they do require at least some degree of familiarity with the materials to actually pass. Sure, some might be breezed through by good test takers, but I’ve found multiple examples of certs I’ve taken AFTER gaining industry experience that end up being a little easier based on the relevant experience. To me, that means it’s relevant information and a decent certification. Some go further than others: SANS certifications, for example, are incredible; however, they’re costly. I love to recommend CompTIA certs for those just getting started or that want the proverbial stamps of approval on their body of knowledge. I also credit the ISACA Certified Information Security Manager certification with playing a huge role in me landing my current position and allowing me to not only know things but, perhaps more importantly, speak the language of security and business operations. I’ve got ISC2 certifications as well and regard them highly. There is objectively an obscene number of information/cybersecurity certifications available – so there’s no way you’ll get them all. My advice here is to get a few that complement your existing knowledge and/or further your skill set, are reflected in the marketplace, and are also forward looking. You probably won’t go get AS400 certified, but looking at Azure/GCP/AWS or blockchain certifications could be promising AFTER you build a solid foundation via something like the CompTIA Security+ (and Network+ is HIGHLY recommended), ISC2 SSCP (or the newer CC certification), or, if you’ve got a reimbursement program through work or the funds otherwise, the GSEC through SANS.
I have a hard time 100% recommending SANS unless someone else is paying, simply because they’re objectively pricey – but they are also some of the best and most ubiquitous content out there. In short, certifications exist for a good reason – VERY rarely will you find NO value in a certification; however, they’re not necessary in most roles, and my advice will always be to go after relevant credentials for your desired path. If you decide not to go for any, more power to you – just gain some experience somewhere.
Just for posterity I’m going to post this link again – it’s so good: Cybersecurity/Information Security Certification Roadmap
Myth 5: Cybersecurity and InfoSec are guaranteed job security
No, just no. Yes, we can agree security is important, but security teams are culled at an alarming rate. There’s a disturbing cycle which pops up from time to time where a hotshot comes in and says “I can save the company millions” – what they then do is nuke the internal security and sometimes IT team in order to outsource, typically to a Managed Service Provider (MSP) or Managed Security Service Provider (MSSP). They do save some money over salary, perhaps tooling, etc. in the short term, but nearly always it comes to pass that the external teams lack the context, proximity, and dedication to the business operation necessary to perform the duties of the cut teams. I know, I’ve worked at an MSP, and I can tell you reliably that the ONLY people at the MSP who had a reasonable understanding of a client environment had either been there for decades with that client, or were dedicated to that client as a SME and were not forced to understand multiple client infrastructures. This anecdote only serves as a warning on either side of the coin – internal teams can be fired, and MSSPs/MSPs can be fired too. If you go the MSP/MSSP route during your career, be aware that some MSPs try to be MSSPs and some MSSPs are better off being MSPs. Regardless, always keep your ear to the ground and eyes to the horizon for change or sentiments that might signal a change in the winds. Watch out for pessimism, public/reputational hits to the organization you’re currently at, and most of all keep your eyes on your company’s focus – are they leading or are they chasing a leader? Are big projects just more technical debt and empty promises, or are they true value additions to the enterprise? Most of all, if your company is transparent about business results, pay attention! Stock price isn’t everything, but a mix of that, news, and chatter on forums/social networks can help show you which way this river is flowing – and whether it’s turning to rapids and a cliff soon!
Myths & Legends
There are many myths and misconceptions about information/cyber security – and believe me when I say that I’m not even scratching the surface with these five. The challenge with any career or industry you dedicate your working life to is understanding what the truth underneath these myths is, dodging the nihilism problem, and getting small victories. As you work through problems, know that they can’t all be earth-shaking, glacier-exploding, volcano eruptions of productivity or work. You might just need to refine some email gateway policies, you might have to sit down and evaluate your top-level governance starting with boring old security policy, and yeah, you might just have to talk to a user about why they shouldn’t have clicked that thing! I heard a quote (I’m almost positive from the Smartless podcast) that I’m surely going to misattribute or butcher, probably both, but it goes something like this:
Dave Grohl was working on some songs and was trying way too hard when his bandmate turned to him and said “hey man, they can’t all be ‘Hey Jude’”.
This always reminds me that you’re not going to turn a cruise ship every day on a dime – patience, persistence, and asking “am I right/am I wrong” are crucial to long term success in this field. Among other things like communication skills and mindset – but those are for other entries…until then!