At BlueCat, we freely admit that we are not deep experts in cybersecurity, and we are certainly not as knowledgeable as our customers who man the front lines every day. What we are experts in, however, is DNS, and that's how we know the true value of DNS data for cyber defense.
This got me thinking about the experts, and just how infrequently I come across articles about the people versus the technology. With the unemployment rate for cybersecurity experts effectively at zero, it seems there should be more written about the people behind the job: the security architects, the incident response managers, the forensic analysts, and others who actually design systems, monitor activity, and react to events every day.
With that in mind, I'm pleased to introduce BlueCat's Cybersecurity Spotlight series, aimed at shedding some light on the people behind these roles. We'll chat with people in cybersecurity about how they got into their role, how they see it evolving, and what advice they would give to others who are considering the profession. I think you’ll find some surprising answers along with a few common themes.
Our first interview is with Jeremy Conway, the chief technology officer of MAD Security, which provides managed security services and cybersecurity consulting. Based in Huntsville, Ala., Jeremy, who once wanted to be an anesthesiologist and is quick to say that he reads until his eyes bleed, is a U.S. Army veteran. His interest in cybersecurity was sparked by learning and then teaching new recruits x86 assembly programming and digital logic for missile guidance systems. He was then a security engineer for the U.S. Department of Defense and played a key role in establishing NASA’s security operations center a decade ago. Today, he oversees teams conducting technical testing, assessment audits for compliance mandates, and remote monitoring and incident response for security operations centers and enterprise networks.
What common misconceptions are held about cybersecurity and how do you counter them?
One of the biggest misconceptions right off the bat is that cybersecurity is a field. It’s like saying doctors are in the medical field. The medical field’s very broad. You say medical, but there are neurosurgeons, general practitioners, nurses, admin, all that. Cybersecurity’s very similar. Folks think that every person that’s in cybersecurity is a brain surgeon or a general practitioner or an administration person—just whatever they need at that point in time. You have incident responders, you have forensics, you have technical testing, you have red teams, you have vulnerability, you have governance and compliance. If you’re an incident responder, you’re likely not going to do technical testing. If you’re a technical tester, you’re probably not going to do incident response. I used to teach at a university, and that was something that I would preach to the students there. They go, ‘Hey, I just want to get in cybersecurity.’ And I’d say, ‘So what do you want to do?’ Because it could be anything.
What do you care about the most in your job?
It’s extremely important to me that we don’t give our customers something that they don’t need or that we are able to understand what they’re looking for to improve their cybersecurity. There’s so much FUD [fear, uncertainty, and doubt] out there. A lot of folks think they need a lot more than what they need, and other folks don’t know that they need it. The most important thing in all of our delivery and all my work is that we’re giving them what they need, versus what we want to give them or what they think they might need.
What are some of the biggest challenges facing cybersecurity?
Definitely qualified resources. There’s a lot of money associated with cybersecurity, and it’s become one of those fields where people are just like, ‘Oh, I totally want to do cybersecurity because I can make a lot of money.’ They’re not really dedicated to it, so they don’t want to learn the fundamentals, they don’t want to learn how to get really good at it. There are way more jobs than there are people, so you start taking round pegs and forcing them into square holes, and it causes mass failure. And you see things like the last attack on Equifax where we found out the chief security officer was a music major. And you’re like, ‘Huh? How’d they ever get into that position and make these decisions?’
What advice do you have for others looking to get into the cybersecurity field?
Don’t get caught up in today’s hype and technology. Learn the fundamentals of computing, learn the fundamentals of computer logic. Learn exactly how things go to disk, how things go to memory, how network communication works—understand TCP/IP, understand UDP, understand all those basic protocols—and you will be extremely successful at cybersecurity. Everybody wants to learn the greatest, newest tool and wants to use that to do something sexy. And the reality is all those tools are built on top of the fundamentals. And when something doesn’t work in one of those tools, or you’re doing an investigation, or an attacker does something differently, or you’re trying to do something differently, you have to understand those fundamentals.
What products do you wish someone would design?
Where I see some really cool stuff—and maybe it’s because I’m in it right now—is in the orchestration of notification and response in cybersecurity. Something happens, I get alerted to it. Okay, so how do I orchestrate and automate the response to that? Through integrating software and notification technologies, whether it’s a phishing thing with an end user or a database on a critical system. When they get it right, it’s really cool! I think every vendor out there is learning that they are not the silver bullet, so you see them publishing these very extensive APIs to integrate very easily between multiple technologies so you can do that orchestration. With a lack of resources and people, you need to automate more things. A person that is learning cybersecurity can be as effective as somebody that has embedded that knowledge in some type of orchestration software that could help them make decisions.
What are your go-to resources for the latest info?
I do a lot of searching on Amazon. I have alerts that come out for new books in areas that are of interest to me, like technical testing and cybersecurity, things like that. One book that pops into my head is “The Tao of Network Security Monitoring” – Richard Bejtlich wrote that. It’s 13 years old now, but I still make my team read it because it’s so fundamentally correct. I subscribe to the Verizon Data Breach Investigations Reports, and I watch those types of things, but I don’t use it as my information source. One good way to find out the newest information is to look at who’s presenting at some of your major conferences, like your Black Hats or your ShmooCons—the really technically sexy conferences—and see if they’re publishing any books. I don’t really mess with the news outlets because it’s just so much about hype and not really solving any problems. They’re just trying to get people to read their website.
For Jeremy, knowing the fundamentals of computing is the key to giving customers just what they need and effectively recognizing and responding to cybersecurity threats. Those in for a quick buck aren’t going to get far. Read books to stay on top of the latest info, and then read some more. Recognize that specialties ranging from incident response to forensics make for a far deeper and broader field than lumping it all together as just ‘cybersecurity.’