Cybersecurity is a relatively new profession. If you want to get in today, you will need to start with a university degree – or be able to demonstrate serious aptitude and attitude, or experience. But what about our current security leaders? They entered the profession before security-relevant university degrees existed, and without prior experience.
In this issue we ask two leading CISOs in the aviation industry – Mitch Cyrus of Honda Aircraft, and Mark Ferguson of Bombardier – how they got started in security. In both cases it was a combination of luck and foresight: being in the right place at the right time combined with the ability to see and take the opportunity.
Mitch’s story will resonate with many security professionals: a combination of high IQ and early attention deficit hyperactivity disorder (ADHD). The high IQ got him through his exams; but the ADHD infuriated his teachers who thought he should do better.
By 2007, he was an infrastructure manager with security oversight in a firm offering a new SaaS product. Potential customers were asking for SAS 70 certification (the predecessor of SSAE 18 SOC 2) – and the task of getting the certification fell on the infrastructure manager (with security oversight). It quickly became clear that the two roles needed to be separate.
Mitch was asked to choose between them. “I was totally hooked on the security side,” he said. “It seemed to be something that was very natural for me. It was a sudden realization that this was the career I should have been in. That’s what got me into the security role.” And the rest, as they say, is history.
Mark got into security at around the same time. He was an IT project manager in the UK, but somewhat disillusioned with the role. Cybersecurity was already mature in the U.S., but still a subset of IT in the UK, belonging primarily to government and the military.
“But I thought, this looks like it has some mileage, and it looks interesting. I got the opportunity to cross train, so I took it – and it set me on my path. My company got acquired by an American company, Honeywell. Being a large military industrial organization, it had a heavy security presence which gave me a lot of good opportunities to pivot from an IT technology background into a security career.” Again, the rest is history.
The moral of both stories is clear – careers are often based on the ability to see and take opportunities. But these stories also explain an apparent anomaly in contemporary cybersecurity. While corporations and HR technically require newcomers to have a university degree and experience (often mutually exclusive requirements), individual CISOs are frequently more concerned with attitude and aptitude. If cybersecurity is the career you really want, you can still get in without certifications if you persist.
Newcomers can use the ‘skills gap’
The much-hyped skills gap in cybersecurity can also help newcomers get into the profession. There are different attitudes toward and definitions of this gap. To Mark, it doesn’t really exist. “It’s really a capacity gap,” he says. “There isn’t enough capacity to fill the hiring requirements — that’s the issue we have now.”
Mark believes the skills exist, but not enough people claim them. The industry demands both qualifications and experience from new hires – but getting one usually excludes getting the other. “So, people with a natural aptitude for the job are discouraged and don’t even apply,” he says.
His view is that companies need to find people with the right aptitude, and then be willing to train in-house. “I think that’s the only way,” he says. “For me, security is first and foremost a people problem. It’s people that cause the problems, and it is people that solve the problems. When you bring someone in — even the most experienced person — they’ve got to learn about the organization and how it works; how you get it to work; who are the right people to help you get to the right place to solve problems. Whether you’re a newbie to the role or you have 20 years’ experience, you’ve got to go through that learning curve. For most people and places there’s a period where you must develop internally before you can become super-productive. So, if somebody’s got the right attitude and willingness and motivation, I’ve got no issue with putting the time and investment into developing them.”
For Mitch, the skills gap exists – but is partly down to geography. He is one of the officers for the local ISC2 group of CISSPs, and it is a subject the group often discusses. Honda Aircraft is located in Greensboro (affectionately known locally as Greensboring), North Carolina.
“Two hours down the road,” he said, “is Charlotte, a big financial center. Similarly, to the east is Raleigh, known as the research triangle.” Both areas can offer higher pay and more opportunities than Greensboro. “It’s hard for us to compete for the grads who would rather go to Charlotte or Raleigh than Greensboring,” he added.
He solves this problem with an approach similar to Mark’s. “What I have had to do and be very consistent on, is to look for different home-grown talent. I have three people working for me and I’m about to add a fourth. For all but one, this is their first job in cybersecurity.
“Our security engineer handling all our DLP and all our Windows and Unix server security,” he added, “had worked for 15 years as a Windows system admin and VMware specialist. He wanted to get into security, so I gave him a chance and he has thrived. My workstation security engineer was recruited internally from our service desk. I took a chance that I could train him on the job. For the first six months he was either attending training or doing ‘home’ study. Our GRC person — she was a mature lady who had been the help desk manager, and is meticulous and thorough in developing policies and procedures.”
The moral of these stories is that there are still routes into a cybersecurity career even without prior cybersecurity qualifications and/or experience. For Mark you must demonstrate the right aptitude and attitude, and you could be recruited from outside of the company. For Mitch, the same qualities should be demonstrated within the company, and you’ll get the opportunity to change careers. Both CISOs accept you will not immediately be fully productive, and both CISOs are willing to spend time on in-house training for the people they select.
Working from home
A second route into a cybersecurity job might be found in the growing work from home (WFH) paradigm. Although accentuated by the COVID-19 lockdowns, remote working has been growing for several years. This could be an opportunity for the many people suffering from severe ADHD and even Asperger’s syndrome who have a natural affinity with technology, but a difficulty with conventional offices.
Working from home has nevertheless created a new range of problems for CISOs through the sudden and difficult increase in their companies’ threat surface. Both Mitch and Mark have adopted the same basic approach: providing company equipment for home users. This avoids any pushback from users who might object to having company controls on their own devices.
But Mitch tried to be more relaxed. “I’ve always felt it is my job to educate the users. So, one of the things I’ve had success with is getting buy-in from them; by appealing to them to use me as a resource — not just for work security, but also for home. I’ve got a series of stuff on our security awareness site on ‘how to help your seniors, your parents or grandparents’, ‘how to help your kids online’. I’ve had a lot of good response from this. I say, look, if you’ve got a question at home, go ahead and contact me. It doesn’t have to be work related.”
The result is a workforce with high security awareness. To begin with, Mitch allowed some home use on the company equipment. “We got hit,” he said. “It wasn’t a breach, but a guy did get in. Luckily, we caught him in time — but that was a result of WFH. I had to go through the process of updating our technology internally so that WFH on company-issued devices delivered the same sort of restrictions as staff had at the office.” For example, no Facebook on the company-issued equipment.
“In the end,” he continued, “you need a technology solution as well as user training. You can train people as much as you want. Most people know what they should and shouldn’t do, but ultimately, it’s just human nature. If you can get to Facebook, you will. I understand that. In the one intrusion we had, there was no malicious intent from our user. He had clicked on a Google link trying to find a home renovation builder, but the site had been compromised. When he visited the site, malware downloaded to his device. The malware beaconed the actor, and the bad guy got into our network. Briefly.”
Mitch ended up where Mark started. “As I said,” Mark commented, “security is a people problem. We try to minimize that problem for our people.” He doesn’t want his staff to have to stop and think, ‘should I click on that link?’ If the user shouldn’t click, he shouldn’t even see it.
“Through the technology we’ve deployed on the company-provided devices we’ve taken the need to make such decisions away from the users. A suspect email won’t reach the inbox, or the link has already been screened in a sandbox. So, we look to automate decision-making through our technology. The other problem is around awareness. You’re only as strong as your weakest link, and unfortunately that is the user. This is one of my four pillars of security.”
For the record, Mark’s four pillars are user awareness; strong identity and access management; get the basics right; and make wise investment decisions. The first two are self-explanatory. The ‘basics’ are things like patching, configuration management, host hardening, and good password hygiene. “Get those basics right,” he said, “and you won’t need to worry so much about the rest of security.”
Wise investment decisions include the need for automation in new security controls. “Even if the organization sanctions ten new hires to solve a security problem, I probably won’t be able to find them. But I still need to solve the same problem. So, every investment we make should help us automate and help us make better decisions. If it doesn’t do that, it’s probably not a good investment.”
Both Mitch and Mark have confirmed their willingness to mentor, advise and train new staff. So, we asked both, what is the best advice you have ever been given?
Mitch replied, “I was reporting to the COO at the time. He said, ‘Look, whenever anything goes sideways, you must always be the calmest person in the room.’ I have taken that to heart for years and it has served me very, very well on the incident management side.”
What about your ADHD, we somewhat unkindly asked. “When something first hits the fan,” he replied, “I’m totally ‘hair on fire, running around screaming’. But I internalize it, so it only happens inside my head. I freak out for about five minutes, privately. Then, it’s ‘OK, let’s get to work and solve the problem’.” The appearance of being calm in a crisis is just as important as the actuality.
Mark replied, “Always focus on the data, and let the data drive you on. So, any time you’re going into a discussion to ask for action, or investment, always do it with data. You can’t argue against data — it’s a source of truth. I give the same advice to my team. If you haven’t got the data, you probably don’t have an argument.”
So much for advice received – but what advice would you give to a new security leader? Mitch offered, “Remember that your job is to be the liaison to the entire company as a cybersecurity resource. You must consider yourself as a resource for the whole company. You mustn’t go in as Dr No, saying ‘You can’t do this, you can’t access that’.”
But he also added, “Never use a regulation as a stick to say you have to do this. If you say, you’ve got to do this because of this regulation, you’ve already lost the battle. You need to be able to convince people of the logic behind the regulation and get them to agree with that logic.”
Mark believes the key is honesty: honesty with yourself, honesty with the organization, and honesty from the organization. “People coming into this job must ask themselves, ‘Why?’. Why am I doing this? What do I expect to get from this job? Many people don’t really understand or necessarily know what they’re getting into. Depending on how they answer, I would give my perspective on what it is really like.”
Next is an honest conversation with the organization about the true state of risk. “Because that’s what we’re talking about: risk. Take the word ‘cyber’ out of it. At the end of the day, it is organizational risk that we’re trying to manage – so, identify it, control it, eliminate it, or manage it.
“Most organizations haven’t realized this yet,” he continued. “Many just think the CISO’s the guy that’s there, and he’s going to stop it. But given the means, motivation and opportunity, any threat actor is going to find a way in. We know that. They’re going to find a way to breach you. Organizations need to be mature enough to say, OK, it’s going to happen, so how am I going to support the organization to manage and recover through an event — or they’re going to say, ‘Ah, it’s the CISO’s fault. Let’s fire the guy’. Those are the organizations that are not having an honest conversation with themselves or their CISO.”
Without this bi-directional honesty, Mark believes the CISO will struggle to do the job.
We like to finish our conversations with thoughts of the future: what emerging threats worry you the most? For Mark, it’s relatively simple. “It’s the increasing complexity of IT infrastructures, and how they operate – and the supply chain that goes into managing those systems. That’s what creates the biggest gaps and risk for organizations.”
Mitch agrees that increasing complexity and interdependencies create the big concerns; but especially in one specific area. “My biggest concern is in the IoT side of things,” he said. “I have a very scary scenario about the security of the aircraft itself. There’s lots of computer systems in there. So, I have this nightmare that I use to scare everyone here. It’s common knowledge that our most famous customer is Tom Cruise…”
“We’re implementing a new system that will handle automatic landing if the pilot is incapacitated. The new system will communicate with ground service, alert them on the emergency, locate the nearest airport, deploy landing gear, deploy everything and land the aircraft.
“But here’s the scenario… Someone takes over a satellite, knows Tom Cruise is in the aircraft, simulates an emergency and makes the plane land in Mexico where a drug cartel is ready to take him hostage. So, yeah, how do we make sure we protect our aircraft from things like that?
“The same thing applies to Honda corporation and its autonomous vehicles. How do you protect them? You’re outside the traditional world of servers and workstations, and you’re talking about small integrated computer systems that are inside a moving vehicle. How do you make sure they stay safe?”