Every week the AT&T Chief Security Office produces a series called ThreatTraq with helpful information and news commentary for InfoSec practitioners and researchers. I really enjoy them; you can subscribe to the YouTube channel to stay updated. This is a transcript of a recent feature on ThreatTraq. The video features Jonathan Gonzalez, Principal Technology Security, AT&T, John Hogoboom, Lead Technology Security and Tony Tortorici, Associate Director - Technology, AT&T.
Jonathan: There's no such thing as an entry-level job in cybersecurity.
Tony: Jonathan, you had a story about entry-level jobs and what skills you need for day one. Do you want to go into it?
Jonathan: Yes, definitely. You know, we usually do vulnerability stories and things that are being hacked and I thought for those watching that might be interested in the field, that might not be in it yet, this may be an interesting topic. I found this blog post by Daniel Miessler about what the expectations of a potential hiring manager will be on day one. Right. But first of all how do I get to day one and be hired and what are the things that they might be looking for?
This ties to the “skill gap” notion in cybersecurity.
Miessler has other articles about the skill gap. In this article particularly, it seems he's indicating there is really no entry-level position in cybersecurity, because cybersecurity is not a single field.
Jonathan: There is this cybersecurity domain mapping that I found very interesting that breaks down every possible job that you could end up in cybersecurity and it's overwhelming. Right? So someone in this entry-level world says, "I want to do cybersecurity." The first thing they need to figure out is what area of cybersecurity?
John: This is interesting. I'm not even on this list. I don't see any incident response.
Jonathan: There is, on the bottom left, security operations and incident response, investigations...
John: Oh there it is, okay. Security operations.
Jonathan: ...forensics is my team, there's awareness, there's user education. Also, internally we have governance and risk assessment. We have career development, we have security architecture. As a person in this entry-level world, what you need to understand is you're not doing cybersecurity. You're doing something within the field of cybersecurity. And, this article particularly, some scenarios can be built and some tasks that are expected? I'm gonna pick on auditing. I learned on the job was preparing for an audit.
John: Everyone's favorite task.
Jonathan: Right. But usually, a junior entry-level person might end up on that team. And they need to understand what it means to do that and as a person hiring, that might be the thing that you want them to understand. And if they don't even know what that is then you're immediately going to eliminate them without considering their skills. They've just never done an audit. And I think what we get to in here that is not about the skill to do the audit, it's about the skills underneath you might be able to bring them up to an audit level speed.
Jonathan: And this is very interesting because it's things like understanding which kind of audit it is. Right? Is it an application security audit, for example? What is the audit? That's one of the things that you might ask in an interview. Like, have you done X type of audit, not just a security audit in general because there are many different types. We have situations like, let's say, five different places where we get blacklists from, where you need to write an API for it. So, that might be simple programming but that programming requirement is still there.
And I thought what was interesting in this is that the gap is between the people that are asking the questions and the people that are applying for the jobs. And we need to find a way to meet skills versus the job - because you might be able to teach the job if those skills are there.
I always go back to this cybersecurity career path that's in cyberseek.org. It's very good because what they emphasize on is that you can't be a cybersecurity person without “feeder roles”. Things like networking, some type of software development, at least knowledge or understanding of it, systems engineering, and so on. Some risk analysis, some security intelligence is useful. These are things that are pre-requisites to an “entry-level” cybersecurity position. So saying that they're entry-level positions is kind of misleading, I will say.
John: Most people don't jump into cybersecurity as their first job. They're usually some other job in a related field like software development, or system administration, or some networking type of thing that's not necessarily cybersecurity in itself but you get some experience in these related fields. And then you go into cybersecurity and apply that knowledge into that field. So it's kinda hard to jump into cybersecurity right out of college, so to speak. Usually, there's some other in-between job before you get to it.
Jonathan: Because you need other things before you can even get to that point.
John: Right, to be really good in whatever cybersecurity track you take you need other skills. I never had this formulated in my mind but just seeing what you put up there is really interesting to me because I know this is true for myself and a lot of the people I've worked with. We had jobs either in networking or another field. I was a developer for 10 years before I ever did any of this. System administration is also another point of entry, I think. Having those skill sets and then pivoting into security is a lot easier when you have a lot of good fundamental knowledge of those areas. Those are the kinds of things I look for when people are coming in at entry level. I want to know, "How much networking background do you have? Do you understand how machines communicate with each other? Have you ever run Wireshark? Have you ever reassembled a stream and figured out what was going on here? What is your development background? Can you write simple scripts so we can do some automation of tasks or some security level functions?"
Those are kinds of things that I, in an incident response role, look for when interviewing people. What's really interesting is there are people who want to come out of college and jump into cybersecurity. Not to say it doesn't happen but having some other training ahead of time, or working in the field in some other respect can really help you along to be a superstar in cybersecurity.
Jonathan: Right. And in this article you can kind of tell the kind of things that you could do on your own, right? So, you know, like you said maybe knowing how to write small scripts. You don't have to be a software developer, but you should be able to do Python or Go and like be able to type something to automate specific tasks.
John: Take one set of data and massage it in a script that outputs to some other report. That's a very typical incident response kind of thing.
Jonathan: Be able to understand protocols in general. You know what DNS is - just simple things that they're not emphasizing in some academic programs. But that when someone is interviewing and the hiring manager is looking for this talent, they might not understand it that well. I was telling Matt Kaiser, who's usually in the show, that when I'm interviewing for software development, the first thing I ask is, "You know what cross-site scripting is?" And if the answer is no, then we have a problem.
John: Yeah, it's not right. You're not coding with security in mind then.
Jonathan: So I would tell him what it is and tell him that that's something that you should learn next time you go to an interview. But, to me, I need them to already understand what it is before you are even in the ballpark to be given a position. In the case of cybersecurity you have to find certain skills. Go to the Daniel Miessler site - he actually has a blog article about how to do this. So he walks through it and it is very cool and you can pick info on how to move from being a regular person all the way to becoming a security professional. It's a very interesting article. But in general, I think the skill gap is there because I don't think we're letting people understand what “entry level” is. I guess that's my opinion on it. Do you have any thoughts on it, Tony? I think you're a hiring manager?
Tony: Yes, and everything that was said makes a lot of sense. If you’re someone coming to a company wanting to get into cybersecurity, you need a background in something. You can't just come in and say, "Try me." You have to do some sort of development work or come from a different function within IT. John was talking about being a developer and he did it for 10 years. The stuff that John works on is very, very heavy in that and it's excellent for incident response. I came from the administration side. So I came from one vertical - John came from another, but we were able to shift into the security realm based on our core foundation, our knowledge. And then start to evolve that into looking at security.
I went from making sure that servers were up and down to how do I harden them? How do I make sure that security control that will work like antivirus? And vice versa. John with networking: how does the whole network function? How does DNS function? And then pivot into how to secure it.
How to use your knowledge with those verticals and go into a security environment and use those to do cybersecurity work? You're right with the entry level ideas - that you need other experiences and information within cybersecurity to be effective. I think it's going to take time for that idea to be ingrained into the process. When you’re hiring for cybersecurity - it's cybersecurity for what? Is it audits? Is it hardening? Is it a security control? You know, there are so many different flavors.
Jonathan: One thing in a footnote in the article that I was looking at was that in his explanation of why there's a skill gap, he mentions that there are some positions that you could get. I looked it up, right after I read this, and found something like a SOC analyst. That is something that gives you a preview of everything that could be happening and you might not need to have that much experience.
John: Many times, we'll draw from our SOC analyst team to bring them into incident response or some other type of function. Our SOCs are more tier one, seeing the stuff coming in and then pitching it off to whoever can take care of it. But some of those guys, when they really step up, you're like, "Oh this guy is pretty good," or, "This girl's pretty good. Let's bring them in to the next level here."
Jonathan: So for those that already have their masters and their certificates, there are positions that you could look into. Unfortunately, the thing of it is, it’s not just entry level.
John: Sometimes you have to pay your dues in another related field for a few years in order to gain some experience that you can apply to cybersecurity.
Jonathan: Depending on how you want to proceed with your career, you need to figure out, "Okay it is cybersecurity but what area of cybersecurity?" I think that's what a lot of people leave out when they're trying to search for a job in cybersecurity. There's more to it. And that's what's led us to this skill gap of people applying for jobs and hiring managers saying applicants don't meet their qualifications. I think that as an industry we should try to figure out a better way to connect the two.