Sensei School: What do you think the tendency is?
Will cybersecurity be something that companies outsource or a capability they develop in-house?
Barren: “That’s a very good question. I think it’s actually a combination of both.”
Van Booven: The reason being that is in terms of developing in-house I think that there’s such a shortage of people out there who have the necessary skills. Companies have to have people looking at this and a lot of them are focusing on how to train and develop their own internal people. And you have to because the range of things that you need to have to have a good foundation is difficult to get unless you have a variety of experiences or you actually consciously working at it. Companies who work with their staff to form a training program of development that includes these things will be the ones who develop good, well-rounded people. If they don’t do that, if they don’t develop their people internally, they’re either going to have to go without them or they will have to outsource those functions.
But going to that question — the threat landscape is so sophisticated these days that to really have all of the right mix of skills that an organization needs to have can be very cost prohibitive for a lot of companies and especially medium-sized companies. They may not have the money to staff people 24/7 who understand malware, intrusion detection, and all of the different elements of security. You may have a good technical team, but not necessarily all the types of people. Moreover, if they do have it, turnover and attritionkeeping those people there is challenging. A lot of organizations that have a good approach to recruiting, find it difficult to retain people just because of the market position. In these situations continuity of personnel ends up becoming a bigger risk.
If you outsource, or staff out, or hire services to provide some of those, you can get, if you choose the right organization, a more consistent level of service and you can also take advantage of some additional skills that you may not be able to afford in-house. I don’t think that a lot of companies, with the exception of maybe smaller ones, will completely outsource all their security department.The reason why is security is a lot more than just running technical tools. It’s it’s understanding the business, it’s integrating into the businesses IT operations. You’re really a part of the IT department and you can’t do that as you’re sitting halfway across the country from where that stuff is taking place. You have to be in there with the developers and operations, and network guys. You need to have some of those people. You’d probably need both and the mixture of them will be dependent upon the company, the industry and the people that work there.
Sensei School: What do you think is a good place for people to start if they’re looking to launch a career in cybersecurity?
Barren: “I actually get that question a lot.”
Van Booven: One of the things that I suggest, which is very easy to do for people, is to look at vacancy notices and all of the job ads that companies post on job boards, because it gives you an idea for the different types of positions that are out there, how the company describes these positions, what the skills are that are needed and it just gives you some familiarity with what are the different options that are available. Because there are so many different companies looking for people, you will get a good range of what those are.
But in terms of developing the skills, I would say, I’ve worked with people who come from a lot of different fields, some of them are IT people that may have been system administrators, network engineers, or developers, so they have a certain foundation technology-wise and they would need to look at — are they missing any part of their foundation, basic foundation, if they need to really start looking at those security questions. What I mean by that is that you may have someone who is very strong in networking, but doesn’t really know how a web application works. You really have to have that basic understanding because if you don’t, you’re not going to grasp a big piece of the overall threat landscape.
I would call it a triage of your skill set, doing an assessment of your skills, like what do you have and what do you not have. If you are coming in from a completely different field and don’t have any technology background getting that foundation is definitely the most important thing to start with. Understanding the basics of networking, operating systems and I suggest both Windows and Linux. A coordinated approach to hitting each one of these areas, web applications, malware and there’s a lot of reading that somebody needs to do to identify what the best way is to get some of those. It makes sense to get certifications in certain areas more because in the process of getting a certification it teaches you all of the foundational skills. It can take a while to get all those different areas.
But again, it’s hard to do security effectively without at least having some skills in each of these foundational areas, and, if you do, it’s understanding risk management that is very important. What are the risks associated with them? What are the threats? How do you manage vulnerabilities? Some think it needs a lot of people, but it really doesn’t. One thing which a lot of security people don’t necessarily do, which they could do to enhance their careers and focus on areas that the rest of the IT organizations and then, again change management. How the security fits into that. A lot of people may be in the field one or two years and then the next year they want to be a CISO. There is a huge gap there between skill sets as far as what you need, and just having a coordinated plan that you work on is important, making sure you hit on each of the areas.
Sensei School: Is there anything else you’d like to share for people who are looking to get into the cybersecurity space?
Van Booven: I would say probably the biggest thing that I found to be most useful is to actively manage your career in that you always have a development plan, which has a few different aspects to it. One is the technical aspects. The other one is just the overall career goal. Do you want to be a technical expert? Where do you see your career going? Actually documenting that and creating goals around it, so that you can work towards those things and course correct as needed and talk to a lot of people.
People actually will reach out to me on LinkedIn with questions. And I may not have all the right answers, in fact, I know I don’t, but I will give them my opinion based on my experience and if they talk to a lot of different people, they’ll get a lot of different perspectives. And then they’ll have some good input to base their own career decision on. Being open to talking to others, learning from others who have gone through some of the same things, same challenges, networking, going to conferences and events, participating in forums online. They’re very important.. This field is very big into information sharing, you really have to network and somebody who does that and has an open mind I think will be successful.
And not everybody does that. Everybody’s in charge of their own career. It’s great when you have a management team who supports your career, but as an individual you want your own career. You may be in an organization where there is not enough headroom to get promoted to a certain model, but you really are ready then sometimes you have to look at moving to another organization. That’s another thing, which some people are willing to do and some aren’t. If you sort of stay in the same place in the same job for 10 years, you’re not getting that diversity of experience that you need.
Sensei School: What are you currently working on?
Van Booven: At the moment I’m starting a new professional services company, Nereus Systems, with my partner. It’s designed to focus on changes in the technology landscape and the need to keep pace with those changes from a security perspective. And also to understand how they impact technologies that are currently in use, including changes in the application, development and operations world, which is really transitioning to a model of delivering applications — using microservices and containers in the cloud. A lot of organizations have started that transition, but there are a lot more that haven’t or don’t necessarily have the skill sets and the know-how to do that.
With that comes a change because applications are being delivered a bit differently — security people have to look at how to secure those things properly. It is a little bit different from your typical monolithic application. And then helping organizations to navigate that and the security map, as well as the underlying processes in that organization. Such as — how to do DevOps and how to get from development to production. It’s one thing to know the technology, but it’s another to understand the process underneath it. Helping them with the process change and security is built into that process as well. There’s a lot of organizational change management that has to occur.
The next area, which you hear a lot about is machine learning and artificial intelligence. The reason that is out there quite a bit is because the machine learning algorithms have been really hit, with what I would call fine time in terms of being able to actually solve real business problems. People that know both the technology side and are able to think abstractly and answer business questions are in short supply. Someone may know what the technology is, but they may not know how to use that to solve business problems and vice versa. A combination of these and the proliferation of IoT (Internet of Things), how to network those things and secure them properly is another part of the whole computing environment. Knowing how to do that and provide assurance over their operation as company or organization can be challenging for a lot of people because they haven’t really incorporated that into their security. These may appear to be three completely different areas, but really I think the importance is to effectively manage security and provide assurance over information. You have to understand how people use technology and that really involves getting into understand why are they choosing technology, how they are using it and be able to consult on that.