In a time when cyberattacks happen at an alarming rate and everyone is talking about privacy and security, the demand for infosec specialists is higher than ever. But the industry has a problematic shortage of cybersecurity talent with 53% of organizations reporting a lack of cybersecurity skills between 2018 and 2019, a study has revealed.
Cybersecurity is rapidly expanding and every specialist’s input becomes so valuable as we grow as a community. Those who work in this industry are focused on having a positive and real-world impact and educating others on how to stay safe online.
If you’re one of those who landed a job in the cybersecurity industry, be confident that you’re in a place where there are massive growth and learning opportunities every day. In the early stages of our careers, asking lots of questions stimulates curiosity and drives knowledge growth in ways we might not entirely realize. Questions also help us put things into perspective and better understand our day to day roles.
We put together this list of cybersecurity questions you might be afraid to ask if you are an infosec beginner. But they can help provide a larger picture of the cybersecurity realm and even uncover solutions (and valuable insights) to your dilemmas.
1. How could I explain my infosec role to friends and family in a way that will make them more aware of the risks of oversharing personal information on social media?
The best thing to do is to take a few steps back and try to describe your current job in plain terms, so a 5-year old kid could understand it too. As someone who’s working in the infosec industry, you have a better understanding of how social scams work on the Internet and you can provide real-life examples (studies, stats, numbers, etc.) so they can be mindful about the consequences of oversharing.
You can teach (and show) them how to check the privacy and security settings for each social platform, use strong and unique passwords for their online accounts, and be careful when clicking links or attachments which look suspicious.
Explaining netiquette rules in a clear and realistic way about and how vital is to keep their sensitive data safe will (eventually) help them be more aware of the online dangers.
This is a good practice for the time you’ll have to explain to your colleagues who are not interested in cybersecurity why it’s essential to promote a cybersecurity culture in the workplace. Every employee needs to be trained about cyber threats, how to recognize a phishing email or basic things about encryption and password management.
2. How do you prepare for handling a cybersecurity attack or incident?
We all know that prevention is the best cure and strategic planning could help both companies and regular users to avoid compromising (and, even worse, lose) their most valuable information.
In order to prepare for an upcoming cybersecurity attack or incident, it’s critical to:
- Have a crisis management and communication plan which clearly states everyone’s role in this matter and how to address it
- Have an understanding of the systems, data, and operations that are vital and need to be protected
- Learn through training and educational courses on how to detect emails with suspicious links or attachments and other forms of threats.
- Assess the level of the incident and its real impact
- Stakeholders and key decision-makers should provide clear instructions and guide their teams to respond efficiently
- Practice and practice until you and all team members understand what are the key issues they should focus on when dealing with such an incident.
Lessons learned during a breach (directly from a CISO that experienced a breach):
1. Don’t deploy technology without business context. Technology on a network with no business context will only indict you in a breach.
2. Drive your program from external industry experts 1/
— Jake Williams (@MalwareJake) June 27, 2019
If you haven’t agreed on a cybersecurity strategy and a security attack catches you unprepared, it’s really important to:
- Maintain clear internal communication with other departments and inform all employees about the cyberattack
- Contact a security expert you might know and provide details about the incident so he can give actionable tips on how to react immediately
- Have basic knowledge about the cybersecurity legislation so you can better understand what you should do first to protect your infrastructure and secure sensitive data
- Make sure you are informed about the organizational structure and identify key team members you can address this incident and talk about the next steps
- Prioritize security risks of and manage them before other issues generated by internal politics. The goal is to make use of all the key assets and resources and handle them in a way that you’ll mitigate this incident in the best possible way.
A key aspect for good preparation is developing a good understanding of the threat landscape, as well as identifying the root causes of these attacks, and how they happen.
With these things in mind, your company can build better cybersecurity resilience and handle these attacks.
3. Who can I talk to when I doubt myself as an infosec specialist?
Even the best people in the industry are caught in a vicious cycle of self-doubt. The problem with impostor syndrome is that it stops you from learning and making progress on the path you’re pursuing. It can impact both our personal and professional lives if you don’t take immediate action.
I was born in country in my grandmother’s house.
Outhouse, gas tank, chicken coup, etc.
Some of y’all can relate.
You can’t get more country than me.
If a country boy like me can have career in Cybersecurity anything is possible.
Chase your dream.
— Marcus J. Carey ?☠️ ?? ?? (@marcusjcarey) February 11, 2019
It’s important to talk to a close group of friends about this problem because they can offer unconditional support and remind you of everything you’re capable of and how you can achieve your goals.
Besides your friends, have the courage to reach out to infosec specialists you admire or follow on social media and learn from their ups and downs in career.
If you are under-represented in information security, and you’re looking to get into the field, please consider me a personal resource to you getting your first job.
My email is firstname.lastname@example.org, and while I might not always be timely, I will respond to ever email I receive.
— Daniel Miessler (@DanielMiessler) June 10, 2019
It might also help to go to therapy or coaching sessions and seek to understand what blocks you from being more confident about your skills and qualities. Also, join a community of infosec specialists and talk about the turning points in your career. They will surely share valuable insights and personal stories you can learn from.
4. What else should I study besides technical know-how and applications to become a well-rounded infosec specialist?
Being a professional infosec specialist requires more than having a solid technical background. It helps to combine the tech skills with the soft ones so you can become more successful in your career. You should learn and develop soft skills like problem-solving, interpersonal communication, analytical thinking to see the bigger picture, attention to details or adaptability to change.
What might also help and contribute to becoming a well-rounded infosec specialist is to thrive being a leader for others, to inspire and grow new leaders in the industry. Leadership skills are essentials, whether you are in a management position or not, and you can develop them through reading books or attending courses, but mostly through hands-on experience and repeated practice.
Always remember that cybersecurity is a journey, not a destination, and you should make the most of it!
5. How do I talk about my job to increase cybersecurity awareness in my company in a way that appeals to colleagues who are not interested in the topic?
Employees are an organization’s most valuable assets, but they can also one of the biggest security risks. Studies indicate that human error is the root cause of data breaches that continue to wreak havoc.
Promoting cybersecurity awareness in your workplace is paramount to foster a security-first culture. You can stress the importance of security at work by using real-life examples of other organizations that were targeted by cyber incidents and how costly are for the business.
You can be specific and simulate a social engineering attack in which you explain how malicious actors try to collect tons of sensitive data, explain the dos’ and don’ts, how to spot a phishing email, set strong passwords and other basic security measures.
It might be a good idea to use interactive exercises or engaging materials to point out how cyber attacks work and rapidly evolve.
The goal is to make them understand that everyone is a key asset for the organization and make them realize why every colleague should develop a security-first mindset that will contribute to a safer workplace and help the business.
Remember to make them feel valued and encourage them to be open and ask you any type of questions on this topic.
6. How can I show the ROI of my work in cybersecurity in a way that could stir interest to my business-minded colleagues?
In cybersecurity, the ROI might not be clear-cut, but with the right approach, you can ensure the cybersecurity investment is beneficial for your company. It is important to quantify your work by adding value to the security investment and show (with examples and numbers) how it can contribute to business success.
You can measure cyber attacks or data breaches that could have happened, but they didn’t, because of your valuable input and work in cybersecurity, which prevent these attacks.
It might help to show how your day to day efforts aimed at promoting a security-first culture with long-term results. Also, try to make your business-minded colleagues understand the perks of cybersecurity investment: preventing the company from being breached or victim of a ransomware attack and the aftermath of it translated into enormous al financial loss, data loss, business disruption, the negative impact on brand reputation, cyber crisis management, and communication, and more.
Security is about loss prevention, not about earnings.
said Bruce Schneider about Security ROI.
Also, time and money spent on good security are better than money spent on recovering after a cyber incident with complex implications.
7. Who can I trust unbiased recommendations for security solutions?
A good starting point for handling this would be to use the power of the security community and ask your trusted network of security professionals for recommendations. Depending on your specific needs, they will share valuable insights, useful links and recommend security solutions they’ve been trying out.
If you have friends who work in the same industry as you, don’t hesitate to ask for an honest opinion and unbiased recommendations. Based on their personal experiences with particular security solutions, they could also help.
Remember to be specific about you’re looking for so that people can recommend a product or solution that is suitable to your own needs.
8. How can I develop those skills that are required to find software vulnerabilities like hackers do?
If you’re interested in diving deeper into the area of vulnerability research, one of the most important things to do is to start developing strong coding skills and learn as much as possible about programming languages, operating systems and machine architecture.
Understanding security vulnerabilities also requires soft skills such as attention to detail, patience, and tenacity to test and search for software bugs.
Reading security books, as well as news on Twitter or Reddit, joining a community like Peerlyst will help you explore this area and gain experience in this niche. To better develop your hacking skills, it might be a good idea to volunteer to fix bugs in open source projects to get a better understanding of software bugs.
What’s also very important is to figure out how a hacker’s mind works and learn to cultivate such a mindset and be creative and innovative in your quest to find software vulnerabilities.
Think like a hacker, but try to stick to the ethical side of hacking 🙂
Nevertheless, don’t miss the opportunity to attend security conferences, such as DefCamp, Black Hat, or Def Con and engage with like-minded people, and learn more about software vulnerabilities.
No matter your role in cybersecurity, remember that you’re part of a wonderful community where you’ll find awesome people you can always rely on to ask any security questions or dilemmas you might have!
This article was written by Ioana Rijnetu. You can get in touch with her on LinkedIn or say hello on Twitter.