What Really Matters When Building Cybersecurity Talent

Today’s security article comes to us from Jim Wiggins, the Executive Director of the Federal IT Security Institute (FITSI). With an extensive background in technical education, Jim has spent the last 12 years focused on information systems security. He specializes in security training and certification courses targeted at government contracting clients. In 2011, the Federal Information Systems Security Educators' Association (FISSEA) named him "Educator of the Year."

Below, Jim weeds through the wild, wild west of cybersecurity training and the important skills needed to develop cybersecurity professionals in an ever evolving landscape.


The cybersecurity market is hot right now when it comes to employment opportunities. There are more jobs than there are available people, and employers are champing at the bit to hire cybersecurity talent. This demand is due to a few reasons. First, technology has established itself as a vital asset within society. Each passing year, we consume more technology, which in turn makes us more dependent on it. Once that dependency is established, we end up realizing how important it has become and that we need to take steps to protect it.

Second, that same technology that we’ve become dependent on seems to move, develop, and evolve at a very rapid pace.  Think about these facts for a moment:  Facebook didn’t exist 10 years ago and Twitter wasn’t around five years ago (at least not as a mainstream service).

Third, to the vast majority of the public, the cybersecurity domain is abstract and difficult to understand.  Advanced persistent threats, social engineering, worms, rootkits, Trojans, and buffer overflows are common terms that we use within this domain.  If you try talking to the average person on the street about how a worm (Stuxnet) was able to target and sabotage Iranian nuclear reactors, they probably won’t be able to grasp exactly how it happened. All they might know is that computer malware does bad things.

These factors contribute to the challenges we face when it comes to educating someone who has decided to pursue cybersecurity as a profession.  Additionally, there is no agreed upon framework on how to educate a cybersecurity professional.  Unlike doctors, lawyers and accountants, the cybersecurity professional doesn’t have a defined body of instruction that is agreed upon across industries, countries or governments.

So this begs the question:  how does one enter the job market when there is so much uncertainty on what makes a cybersecurity professional?

To answer this question, I believe we must first start with the basic assumption that the cyber domain is really an extension of the information technology domain. To succeed in the cyber domain, one must first succeed in the IT world. Far too often, cybersecurity professionals try to establish themselves as subject matter experts without taking that first step. Since the mid-to-late 90s we’ve seen how the technological landscape has fundamentally changed our society. In the late 90s the dot-com era began the dependency discussed earlier, and since that point we’ve never gone back. Today we see social media, mobile devices and cloud computing all transforming society. Think about what it was like when we didn’t have all the information that the Internet brings today. To support the 90s explosion, we had to train an army of IT professionals to meet the rising demand, as networks had to be built and interconnected.

We met those challenges but we missed the bigger challenge on the horizon: how do we protect and defend all these information systems?

The Rise of Cybersecurity Professionals

This brings us back to how we attempt to solve the security workforce problem.  In my estimation, there are a couple of approaches you can take.  First, you can start from the foundation by learning core technical IT skills. This isn’t the easiest approach as it takes time and effort to develop that background. But for a newbie who is pondering a career as a cybersecurity professional, it is really the best and most important first step.

The second approach is to acquire the talent from those who are already in the IT market. If you can recruit network engineers, system administrators, LAN operators, etc. and teach them cybersecurity skills, they can become really good cybersecurity professionals. IT professionals already have the necessary technical foundation, which makes them good candidates to take up an active role in either offensive or defensive positions in the cybersecurity marketplace.

Now, I realize that some may not agree with me on this approach, but the next generation of cyber defenders really needs to possess the appropriate technical skills. Anyone who tells you otherwise is fooling themselves. Without these skills, it would be like trying to become a brain surgeon without having gone through the foundational medical classes that covered the respiratory system (oxygen for the brain) and the vascular system (blood flow for the brain). You’d have to understand how oxygen and blood flow feed and nourish the brain before attempting surgery. In the same vein (no pun intended), anyone who sidesteps a basic understanding of IT is ignoring a fundamental question: “How can you protect what you don’t know?”

So how does one acquire a strong technical foundation? I tell my students to focus on learning these four basic areas:  hardware, operating systems, networking, and Linux. But I caveat it by telling them not to focus on classes and content that is overly theoretical.

Hands-on lab work is a key component of any good technical class. My preferred approach is to recommend classes and certifications around technology. Vendor certifications such as the MCITP from Microsoft or the Cisco CCNA/CCNP are great places to start and an example of how to build these hard technical skills. If one is not ready to align themselves to a vendor’s certification program, CompTIA also has a number of foundational IT certification programs such as the A+, Network+, Server+ and Linux+ that help establish the baseline skills that are so important at the higher levels of cybersecurity. (Note: I realize that there is a fair amount of criticism leveled at certifications today because, far too often, a candidate gets certified but cannot perform on the job. But this isn’t necessarily the fault of the vendor or the certification’s body of knowledge.)

After a student has developed foundational IT skills, I’m a big proponent of cyber competitions, a kind of sport-like event where IT students break into teams and compete online against others. For instance, they might try to break into each other’s systems to “capture the flag” or they might simply compete against one another for points earned from performing a number of tasks. This “experiential” learning is great because it forces the students to think creatively and explore the boundaries of their own knowledge, skills and abilities. Obviously, to be successful at cyber competitions, students need to have a good foundational level of IT skills.

Winning the War

In order to win the war against malware and hackers, we need the cybersecurity workforce of tomorrow to be equipped with the right set of knowledge, skills and abilities.  To compete effectively both in the job market and in the cyber domain, students need to think about how to anchor their career to the right foundation to ensure they maintain relevancy in the rapidly changing environment known as the cyber domain. While it may take another generation to formalize the skill-set of the cybersecurity profession, beginning the journey with a strong technical foundation will ensure that you have the necessary background to continue to thrive and develop.


In addition to contributing to Technically Speaking, Jim was also a keynote speaker during this year’s GovDefenders Cybersecurity Virtual Event. You can view his presentation here.