As the chief scientist at WhiteHat Security, I oversee all research and development for the WhiteHat Sentinel product line, defining and driving the underlying technology. Under my guidance, the Sentinel R&D team takes a no-nonsense approach to providing continuous product updates to customers in a fast and efficient manner, a process that serves as a model for development teams across the company.
I also lead the WhiteHat Certified Secure Developer program, which provides free training designed to educate and certify developers on secure coding and application security best practices.
The beginning of the journey
People often ask me what the main skills and training requirements are for a career in cybersecurity. So I’d like to take the opportunity to explain how I got to where I am now and hopefully provide some insight into what I think are the most important skills and qualities required for this type of work.
Like most people my age, I came into cybersecurity after discovering the internet in my teens. I found that with certain software, people had the ability to crash anyone’s connection to the internet—and this was exciting. Having knowledge of that capability when I was younger made me feel empowered.
Having caught the bug, I wanted to do more with that concept. Back then, in the late 1990s and early 2000s, there was no formal education for subjects like software or coding. Even at college, where I studied Computer Science with a track in security, the options were limited. There might be some practical work involved with updating patches, but there was nothing around more complex areas like application security. The unintended benefit of this state of affairs was that it encouraged people to do their own research and discover vulnerabilities independently.
When you’re younger, hunting for vulnerabilities on your own can be very exciting and a real power trip, but as you get older and more mature, you realize there is more to security than finding vulnerabilities. It often becomes about your personal interactions and relationships when you’re engaged with helping people trying to build cool software that’s secure. It’s no longer about boosting your teenage ego but about the fact that what you’re doing can be a make-or-break point for the people you’re working with.
What you’re trying to do is help them achieve the functionality required for their software as securely as possible. One of the ways to achieve that is to build a repeatable automated service that makes life easier for the people building cool software.
What skills do you need?
I began my career as a consultant engaged in supporting business development activities, developing and establishing repeatable service offerings, along with internal automation capabilities. After five years, I built on my experience to become the founder and managing partner of Infrared Security, a company with a focus on giving developers the guidance, resources, automation and services to produce more secure code.
What I have learned over the course of that 13-year journey is that it’s very important for people engaged in cybersecurity to have a development background. Having that as part of their day-to-day activities is an absolutely critical skill, I believe. I say that as someone who is biased towards application security – but there are other key skills that people need in this part of the IT industry.
One very important skill that tends to get overlooked is the ability to communicate and articulate solutions, concepts and problems with your target audience. Too often, people are communicating in their own language rather than the language of their audience. When it comes to security, in particular, teams have to be able to articulate problems and risks to each other. If they can’t communicate that properly, there’s little, if any, value in their engagement with each other.
Is there a skills gap?
People often claim that cybersecurity is suffering from a skills gap, but I’m not convinced. As someone who is skeptical by nature, I don’t fully believe that. What we’re seeing isn’t necessarily a lack of skills as much as it is an inability of practitioners to communicate properly with their audience. As evidence for this, you only have to consider how many leaders in our space used to consider cybersecurity almost like magic. Why was that? It might seem great to astound or astonish your audience – and it definitely feeds the ego – but that approach still leaves them in the dark.
It’s much better if you can explain and articulate cybersecurity in a way that they can understand and appreciate what you’re doing. I think many practitioners have the skills for the job, but it’s more of a training problem because they’re not being taught how to use those skills to communicate properly with their audience.
It’s dangerous to assume that’s something that will come with experience, because it acknowledges that, in the meantime, practitioners can get away with not doing their job as well as they should. Working in cybersecurity is not about pampering your teenage ego; it’s about having the maturity and understanding to help people achieve their goals and do the best they can with the software they’re trying to build.