Leadership

Where to start!

Everyone loves talking about how to get into Cyber! It’s like the cliché thing to talk about! Hell, there’s people who have been in jobs for minutes writing guides, it’s odd… my advice, gardening! Seriously, you will see the outside, will learn skills that are useful and keep physically fit! Wait, you still want to cyber? You sure? Ok, there’s some super awesome fun parts of cyber, not going to lie, it sounds super cool! What do you do? I’m a CYBER! See, cool AF!

How old do I need to be to CYBER?

Jesus, I mean it’s not that kind of writing, oh ok, you mean the defend computer systems CYBER. Great, got it (go google 1990s CYBER!). Let’s be honest, it’s largely a mentally challenging vs a physically challenging job so I guess any age should be good, right! Excellent, let’s move on, agism sucks (did I spell that write? Who knows!)?

What do I need to know?

If you believe the world, you will find that you need to be a digital wizard, to program in over 900 languages, to be fluent in every single technology previously created and that will ever be created! You will need to buy into memberships to organisations and you will need to learn a secret handshake! People will say you must ONLY do CYBER, if you do ANYTHING else then you are not a CYBER. Guess what? They are, well, wrong.

What is a CYBER?

Err everyone knows right? There’s a single scroll of truth? A mystic tome that each CYBER gets a copy of when they reach CYBER ENLIGHTENMENT (free with every subscription and lifetime CPD membership pack!)

Let’s start by being serious (there’s lots of that in the CYBER world, take humour where u can! It’s like gold dust!). What is cyber security? I’m going to use the UK NCSC’s definition, you don’t like it? Go and complain to HMG’s finest cyber forces, but for me this works:

https://www.ncsc.gov.uk/section/about-ncsc/what-is-cyber-security

“Cyber security’s core function is to protect the devices we all use (smartphones, laptops, tablets, and computers), and the services we access – both online and at work – from theft or damage.

It’s also about preventing unauthorised access to the vast amounts of personal information we store on these devices, and online.”

Cyber security is about protecting digital devices and services from theft or damage! That’s a cracking nice and simple way of describing it (IMHO).

Cyber Assets are everywhere

No really, they are, think about what in our lives is digital!

A core concept that you will need to understand is protecting assets! The key thing here before we grab our cyber shields is that we need to know WHAT we are protecting, WHAT they do, WHY they do it? WHERE they are? HOW they work? WHO is responsible for them? WHO is accountable for them? WHAT their components are? Etc. etc.

I can’t stress this enough, trying to secure assets you don’t know and understand is practically impossible. So, take a look at the NCSC asset management guidance:

https://www.ncsc.gov.uk/guidance/asset-management

Threats

What are threats?

A threat is (according to the Oxford English Dictionary):

“a person or thing likely to cause damage or danger.”

Think about what threats we face?

Foreign Hostile Nation States? Terrorists? Criminals? Fraudsters? Scammers? Environmental? Insider Crims? Insider mistakes?

Threats are everywhere, so we need to know about them! This is called threat intelligence, when we combine that with the magic power of CYBER, we get Cyber Threat Intelligence (CTI).

Let’s go read the information on cyber threats from NCSC:

https://www.ncsc.gov.uk/collection/board-toolkit/understanding-cyber-security-threat

When we look at threats and their impacts we are largely considering the impact to one of the following:

  • Confidentiality (C)
  • Integrity (I)
  • Availability (A)

This together is called the CIA triad (no not the USA spooks), you will hear about this A LOT! It’s fundamental to security and therefore a massive part of defending digital systems from threats!

Vulnerabilities

Ok so far, we have assets, threats and now we have vulnerabilities:

“A vulnerability is a weakness in an IT system that can be exploited by an attacker to deliver a successful attack. They can occur through flaws, features or user error, and attackers will look to exploit any of them, often combining one or more, to achieve their end goal.”

More reading friends, see NCSC make my life easier, it’s super great:

https://www.ncsc.gov.uk/information/understanding-vulnerabilities

https://www.ncsc.gov.uk/guidance/vulnerability-management

Because this is a fast post, here’s some key things about vulnerability management:

  • You probably (almost certainly) can’t remove every vuln, focus on exploitable things!
  • Vulnerability management is hard!
  • Vulnerability management requires teamwork
  • Vulnerability management requires communications

Risk Management

Ok we’ve got some assets, we’ve got bad things (threat actors) that want to steal or damage our assets (threats) by exploiting vulnerabilities to create negative impacts, what does all this mean?

The combination of these things creates RISKS!

Yay, NCSC save my writing hands/brain once again, go and read the NCSC information on risk management: https://www.ncsc.gov.uk/collection/risk-management-collection

Some key points here:

If you are starting out, and that’s who this post is aimed at, please bear this in mind:

There’s lots of ways of managing risks, there’s lots of ways of mapping assets, there’s lots of ways of analysing vulnerabilities etc. Do not worry so much about using the perfect modelling techniques for all things, you will simply end up with analysis paralysis.

Risk management relies significantly on good communications, something which is much easier to say than do!

Real Life Cyber

There’s this thing we talk about a lot in CYBER, it’s called imposter syndrome, we all either have, or have had it (or will again in the future). This is where our brains try and tell us we aren’t doing it right, or that we are useless because we don’t know EVERYTHING… why is this?

I’m not a psychologist, how should I know? But let’s have a stab:

People in infosec often put up a face of “not on my watch” or “it will never happen if I was in charge” etc. I’m not sure why, I think it’s to hide these things:

  1. No one knows everything
  2. Security incidents hit all of us
  3. Vulnerabilities are everywhere
  4. People don’t like to say I don’t know, or I was wrong, or we were wrong etc.
  5. People do conference talks about hacking the Gibson or pwning over 9000 assets, breaking into the FBI or whatever
  6. Self-promotion is now such a part of society I think it’s problematic to humanity (not really, I do!)

Perhaps it’s also because there’s lots of secrecy in cyber, it’s linked to all kinds of things of a sensitive nature, it’s a serious space with real world consequences. Perhaps it’s because it’s such a fast-paced industry and no one can keep up, maybe it’s easier to pretend to know everything? Maybe it’s because it’s such a diverse world of technology, science, exploits, vulnerabilities, intelligence, and gadgets? Who knows, but trust me, you will likely feel you don’t know enough, you will likely worry etc.

This industry is amazing, but it would be a lie for me to say that, like all industries, it doesn’t have negative points. So, remember it’s about risk management, not the absolute removal of all risk (trust me you will sometimes need to have a cold shower after seeing how vulnerable some networks/orgs are!) and it’s largely not just sitting on your shoulders alone. Security functions, let alone other organisational functions like IT, are NOT responsible for accepting or rejecting business risk, ultimately that’s a business governance function, you can advise, you can inform, you can do lots of amazing cool cyber things to help manage risk, but risk is not absolute and it’s not always possible to control it. Security can feel like it’s about trying to control a world of chaos from electrons through to people, but security is about balance, risk management is about management of risk, not being in control of the entire world (trust me you can try to be in total control, good luck with that approach!).

Largely what we are dealing with is management of technology and management of risk. Cyber security will vary in the real world from organisation to organisation. People may talk about reporting lines and how a textbook says CYBER should be done, I’ve been to hundreds of orgs from global multinationals, government departments, military and all kinds of private sector organisations and I can say this with confidence, most orgs are unique through how they operate, are structured and how the unique people in them work. Large organisations often function as franchises, sharing common banners and policies/standards (and maybe shared systems) but largely the world of larger orgs is like a big collection of smaller ones. There is a shed load of diversity in how cyber works (or doesn’t) between orgs, roles and responsibilities vary, reporting lines vary etc. Oh, and trust me, not every org has a Security Operations Center (SOC) let alone a Chief Information Security Officer (CISO) and Chief Security Officer (CSO). Sometimes there are risk departments, sometimes IT is responsible for cyber security management, sometimes Finance is, some orgs have legal and compliance departments, often they do not. It really is a box of chocolates out there.

Cyber Life

Ok so hopefully now you have an idea about what cyber security is, who can do it (basically anyone with a brain!) and some of the key fundamentals, some might sound super cool and awesome and other parts might sound a bit crappy/boring/scary, that’s life, however let me give my view, even jaded and getting on a bit, here’s my view:

  • I love this industry
  • I love the communities
  • I love the variety
  • I love my friends
  • I love that I get to help people whilst playing with super cool toys (I mean equipment!)
  • The diversity of everything is amazing, people, technology, industries, challenges, this industry is never going away, and it’s filled with never ending challenges and fun!

I also recognise that the world also contains:

  • People whose intent is to do serious harm (think terrorists, paedos, serious crims and other nasty fuckers!)
  • Membership orgs whose sole purpose is to gatekeep and take money off you so you can have letters which allow you to “computer”
  • People (probably on LinkedIn) telling everyone they are amazing
  • People trying to sell anything to anyone
  • A stream of people telling everyone how to succeed in, well, anything (Jesus the YouTube adverts are ridic, go block them with a Pi-hole or use Brave)
  • A pace of technical change that is simply not possible to keep up with on your own

The good for me far outweighs the bad, after all our jobs in the cyber world are to help protect people and things from the baddies, that’s never going to be a world just filled with unicorns and fluffy bunnies!

Routes into cyber

Let’s be blunt, you will hear all kinds of things like:

  • Ex-Police make really good cyber people
  • Ex-Military make really good cyber people
  • You need a degree to be good in cyber
  • You need to work for a BIG4 audit firm to be good in cyber
  • Cyber is nothing to do with IT
  • You need this boot camp or other educational multi week fad course to get into cyber
  • You need a CVE to get into CYBER
  • Pentesting is the ultimate role in cyber

All of this is crap, if you want to get into cyber you will largely need (but not for every niche role in the world):

  • Enthusiasm
  • A willingness to learn
  • Good communication skills (verbal and written)
  • Patience
  • Empathy
  • An interest in the area of cyber that is relevant to the tasks/activities

The world of cyber is broad and deep, it’s an industry filled with technical wizardry, human communications, business integration and more challenges than we even realise.

I’ll shut up now

Right, I’ve prattled on enough, hopefully if you are thinking about cyberz and wanted to get a view on what’s involved (at a really really high level) in defending digital systems and what the real world might look like, this post has helped. Everyone has their own journey, I’ll leave with some thoughts about ways to get into, stay and survive in the world of cyber security:

  • Learn
  • Explore
  • Challenge
  • Collaborate
  • Listen
  • Never stop questioning
  • Don’t give up
  • Help people

And that’s my view on getting into cyber! Never give up, follow your dreams, life is hard but can also be fun! There’s always change in the world, and the bad pews (technical term) aren’t going anywhere, and we need all the help we can get!