Cybersecurity Career Q&A with CIS’ CISO
To celebrate this week’s theme of 'Educating for a Career in Cybersecurity' during National Cybersecurity Awareness Month (NCSAM), we wanted to get an inside look at what it’s like to work in the field. So, we sat down with our Chief Information Security Officer (CISO), Sean Atkinson to get his thoughts on careers in cybersecurity and trends for the future:
CIS: Give us an idea of the education you have that led you to your current position as CISO.
Sean Atkinson: I am a professional student so I have multiple degrees. The one that really started my journey was an MBA in Technology Management and a course in business network engineering. After that, I knew I wanted to move into IT and cybersecurity.
I have multiple certifications to assist with my immersion into different technologies and subjects. I am a big proponent of SANS GIAC and hands-on training. My first certifications were CompTIA’s Network +, Security +, and ISACA’s CISA – Certified Information Systems Auditor.
CIS: What qualities do you think individuals looking to start a career in cybersecurity should have?
SA: Starting out, it’s about questions; ask, re-ask and then ask again. The ability to fully understand a concept and apply it in different situations is key. You will need to have an agile mind and be able to absorb information quickly. If you have a willingness to learn and not stop learning, then this is a great career path for you.
CIS: What advice would you give a high school senior interested in studying information/cybersecurity?
SA: Start with broad strokes and look at all aspects of cybersecurity. Begin with a solid base using the CIS Controls™. Find out what they mean and look at how they are applied in organizations. Also look to social media. Twitter is a great resource for security leaders because you can find out what their interests are, what is on their mind, and what challenges they face.
One of my favorite exercises is to pen test. There is no better way to start than using VulnHub. It provides users with a hands-on experience with a standalone OS. Get a free copy of Kali Linux, Oracle’s Virtualbox and download one of these vulnerable systems. This is a great way to support your cybersecurity development and even contribute by creating walkthroughs for others to use.
I also recommend having a GitHub account and to start coding. Coding and scripting skills are a great commodity for cybersecurity professionals. Python and Bash are great places to start.
CIS: What certifications are the most important for industry professionals to have?
SA: This is a good question. In some cases, you will find people that are not certified, but who are nevertheless experts. The certification is a validation of your understanding and test-taking capability. I like it because it shows you have set a goal, understood and conceptualized information, and can answer questions under exam conditions like a time limit.
The most crucial certification would be the introductory certifications CompTIA provides, as they are a great starter to the field. With experience you can move into ISC2 and eventually the CISSP. If you look at job postings in this field you will see that CISSP is usually a requirement. I have it, and it certainly allowed me to move into the position I am in. As you start to specialize, the SANS- GIAC tracks will provide introductory, specialized, and advanced certifications for you to pursue.
I previously mentioned hands-on training and certifications. Offensive Security is a market leader in this area. Their OSCP (Offensive Security Certified Professional) provides excellent training and a 24-hour hands-on exam for proving and applying knowledge.
CIS: What advice do you have for someone who doesn’t have a background in cybersecurity, but wants to make a career change?
SA: Given the overwhelming need for cybersecurity talent, I would start with informal education, such as an online Coursera or EdX course to see if this career is a good fit. Given the requirements and skills within cybersecurity, an existing need in the industry doesn’t translate to a person being a good fit for the positions.
Once you have established the fit and that you would enjoy the work, it’s time to address getting experience. This can be in a current position and expressing a desire to work in the cybersecurity area. For example, do some technical research and present it to your CIO/CISO or representative of the team. It may not be a direct hire into a technical role, but it’s a foot in the door.
It may then be worth investing some time and money into a certification to demonstrate your knowledge and capability. In my case, as mentioned, I started an MBA in Technology Management. This was my move into being an IT professional. I saw an opportunity based on my background and a need for a Sarbanes-Oxley (SOX) auditor. I asked about it and demonstrated knowledge in the cybersecurity area; this became my first real job and career change. I studied, looked at upcoming regulatory requirements, and made sure I could present myself as someone eager to assist the organization and with answers to move forward to compliance.
CIS: What are the biggest challenges you face as a CISO?
SA: It’s a moving target. The analogy I use is this: physical security. I know where the doors are, how big they are, and if can I monitor them with a guard or camera. In cybersecurity, the door can change location, there are doors we don’t even know exist, and the door can change size. I may have a small vulnerability or I may have an entire wall of doors that are all open. The CISO and cybersecurity professional’s job is to know where the doors are and make sure they are closed. When opened by a vulnerability, the CISO should ensure doors are closed as quickly as possible using good security controls.
CIS: Where do you see the future of cybersecurity heading, be it threats, technology, or trends?
I think the next trend will be a push towards automation and using systems to monitor systems to provide quicker responses and resolution. One aspect of the future of cybersecurity that I found very interesting was DARPA’s Cyber Grand Challenge. It provided what I think is the next wave of security tools and automation that will help discover and mitigate threats to an organization’s infrastructure.
Taking a look at the entire supply chain is another trend I foresee in cybersecurity. That is, not only looking at the cybersecurity posture of an organization but of the entire supply chain to form an understanding of the weakest link and risk management.