Stark Realities

Imagine an industry you can’t be part of without already being an expert in every field. Imagine having to command policy and drive strategy without anyone ever having helped you learn how. Imagine doing all the activities involved in delivering a secure service, yet being told you aren’t part of the industry because your job title doesn’t contain the word “security”. And imagine being told you aren’t part of the cyber security industry because you also have to worry about budgets, sales, marketing, new business initiatives, IT services and, well, anything else!

What would happen if these were our cyber security industry’s principles? Well, that’s simple:

  1. The industry would collapse
  2. The world’s cyber security posture would be even worse than it is now
  3. No one would want to be part of an industry with those kinds of views

We would be devoid of the very skills, passions, and capabilities that the world needs to transform the current state of cyber risk (it’s not in a good place; even if your company has its posture together, the world largely does not). We would also cut off the very lifeblood of talent that feeds into the industry.

Imagine having no apprentices, no juniors, no starting point…

The picture I paint may seem like fantasy… and sure it’s not all like that… but I can tell you from experience, from conversations with job hunters and aspiring infosec pros… this exists in some places in the industry.

Some professionals in cyber security and information security seem fixated on creating barriers to entry, on insisting that a set of criteria is applied which excludes people.

Someone literally said that if someone has a focus other than 100% cyber security, then they aren’t in cyber. This is frankly wrong. As a cyber security leader, you must consider far more than just cyber security; it’s about business, balance, and security outcomes (within risk appetite and tolerances). You will need to consider how your security capabilities, in a business context, deliver business value while also protecting and managing the confidentiality, integrity, and availability of business assets.

If the above descriptions (which are based on actual conversations I’ve had with people in the industry) reflect how the industry in general wants to be, I want no part in it. But before we go further into that space, let’s think about what cyber security is.

What is cyber security?

According to the NCSC:

“Cyber security’s core function is to protect the devices we all use (smartphones, laptops, tablets and computers), and the services we access – both online and at work – from theft or damage. It’s also about preventing unauthorised access to the vast amounts of personal information we store on these devices, and online.”

According to NIST:

“The ability to protect or defend the use of cyberspace from cyber-attacks.”

How can you be part of the industry?

This to me is simple: there are avenues into the cyber industry that are far and wide, from marketing through to incident response. The cyber landscape encompasses so much of what we do to:

“Protect and defend digital assets and services from cyber threats.”

Now I’ve had people say, “so everything is cyber”, and frankly that seems a little like going from the sublime to the ridiculous. If that’s the thought process, then for me at least it raises some concerns about their capacity for critical thinking.

The Cyber Skills Gap

There’s a bit of a myth in the cyber industry about skills gaps. There is indeed a skills and experience gap, but it’s not really the one the CBT and courseware providers are telling you about!

  • We have gaps in Cyber Leadership
  • We have an underinvestment in digital security across the board (there is a huge gap between buying products and having the workforce to operate an environment in a secure manner)

We have lots of great talent, and technical skills, but we are however lacking:

  • Routes to entry
  • Experience in the real world (a CTF != the real world)

I talk to lots of people, and we really need better ways of showing them what reality in most organisations looks like.

Challenges with Gatekeeping in the industry

  • We are advertising jobs with insane and unrealistic requirements
  • We are advertising jobs that frankly one person alone should not be doing
  • We are asking junior people to have 5 years of experience and a certificate that might do as much good at protecting your digital business as leaving in an ANY/ANY rule
  • The certification space is filled with circular avenues
  • We have certifications where you can’t even see a syllabus
  • We assess people with guidance that frankly is designed to be confusing
  • People think having ISO 27001 will protect their networks, when in reality it normally does the opposite (just buying a policy pack and getting an audit doesn’t secure digital networks)
  • We have people saying that planning, designing, building, securing, testing and operating technology in a secure manner isn’t working in cyber

You can disagree with me, but please go and speak to the younger generations who are trying to get into cyber (shockingly, I talk to lots of people).

IT vs Cyber vs InfoSec

Ok, stop. If you think of things as us vs them, then maybe go and talk to the CEO about that, or a doctor, or God knows who. Defending systems doesn’t work in silos or isolation. It’s an orchestra of people and systems working together to create a digitally defended service; it’s not a game of thrones. Perhaps this is partly the problem: the world of IT and infosec is new. It’s not like accounting or other very long-standing industries; it’s a new digital realm that hasn’t existed for very long in the grand scheme of things, and it’s also unlike any other industry or activity I’ve worked with or in before. Perhaps analogies can be made with medical services and emergency services, but even then, I’m not sure that really is a good parallel.

Cyber security moves at a pace that is, quite frankly and at least in my eyes, unseen before. Friday morning at 0900 your risk profile can be within tolerance; 5 minutes later you can be exposed to a significant level of risk and receive intel that the vulnerability is being exploited in the wild. You may even find you were compromised, say, 120 days ago.

I can’t think of a parallel industry where this reality exists. There are probably parallels in finance with fraud cases etc., but that is also the part that makes cyber security so fun and such an interesting industry to work in.

The Future of Cyber

The world has always been an ever-changing place, though with technology the pace of change is simply unlike anything I think we as a human race have ever experienced. The rate of change is off the charts. The internet and computing technology have changed the way we live, communicate, work, and interact. Digital and cyber are part of everything now. What we need to do is work out how we keep ourselves safe in cyber space. One thing I can say for sure: that’s going to require a hell of a lot more people “in cyber” defending than we currently have! Gatekeeping isn’t the way towards a better industry; inclusivity and diversity are!