On a day-to-day basis, we hear about new digital security threats that are growing in frequency and in sophistication. Responding to this ever-increasing number of challenges makes a career in information security challenging. But it's not all bad. Infosec is also profoundly rewarding to the extent that security personnel help protect businesses', organizations', and private individuals' sensitive data. To get a better idea of what an information security career looks like, I approached several infosec professionals and asked why they were initially drawn to the industry, including Jamie Rees, an information security leader, thinker, and speaker; Teij Janki, CISO at Sunnybrook Health Sciences Center; and David Shipley, cybersecurity speaker, writer, and leader. Together, those three industry leaders provided me with valuable responses that I feel are worth sharing with others in the field. Here are their stories.
What event/experience in your life made you feel you belong in infosec?
Jamie Rees: How cliché is it for me to say I'm reminded that I belong in cyber security all the time? I've had job titles with 'security' in them for 16 or so years now, and it really still does happen. I am driven by learning, tinkering and problem-solving. My career has been about doing all those things with and for people. How cool is that?
"There is very little that fascinates me more than examining the mechanics of how and what has changed over time. I don’t log into machines and troubleshoot individual issues now like I did all those years ago, but I am solving big architectural and program issues, as well as helping people understand the value of cybersecurity as a business capability."
Just this morning, I was in a conference room chatting with people about cybersecurity, answering their questions and building their awareness. That was one of those moments for me. Every time I help someone, I am helping the organization and – I believe – our profession as a whole. Teij Janki: In the late 90s, working on a variety of healthcare technology projects, I witnessed the direct and indirect impact on patient care due to gaps within infosec (people, processes and technologies). Closing these (evolving) gaps, not to mention how the respective lessons apply to any industry, is one of the reasons why I am excited to be a part of this industry. David Shipley: After the University of New Brunswick suffered its first major public breach on Mother’s Day 2012 when a hacktivist group exposed credentials for a co-op employment database and some non-public budget information, and after I spent the day seeing the incident through to its closure – including communicating with affected parties about the issue, remediating the exploited vulnerability and assisting with the recovery of operations – I realized how much I loved being part of making my university safer from this growing threat.
What mistake helped you improve your career in cyber security, and what did it teach you?
JR: Generally speaking, don’t be afraid to say you don’t know. I know when I was younger I felt pressure to always know and to be on top of things, but it's more valuable to admit to yourself and others that you don’t have an answer. That course of action is certainly better in our line of work than winging it. Once you've admitted that to yourself, you can go and find out the answers, research, write, present, etc. I took a "Train the Trainer" course a long time ago when I taught college IT courses, and one point that stuck with me is the notion of just saying, "I don’t know, but let me take a note and I will find out and get back to you." Being able to say this (and follow through on it) has far more value than stumbling along trying to make something up. Really anything else does a disservice to both sides of the relationship. Integrity and honesty have value; we help protect information or critical infrastructure, after all, so we need to respect those principles in our daily lives. TJ: One of the most useful mistakes I made was underestimating the due diligence and due care involved with analyzing the relationship between value propositions and solution delivery of proposed solutions. Simply, take the time to clearly define the problem and the solution should be clear. DS: My most valuable mistake came after acting on what seemed like solid threat intelligence regarding an IP that was being referenced by a piece of malware. Without digging further into the specifics of the IP and what was being communicated, I blocked it, assuming it was a command and control node. In fact, it turned out to be content distribution network IP that was being used by the malware to access Adobe web fonts, which also were accessed by thousands of legitimate websites. By blocking that IP, we inadvertently slowed down or interfered with connectivity to websites. What I learned from that incident was to take the time to explore any doubts before taking action that could have negative consequences to users, particularly when the impact of an unknown risk is moderate or low.
Conclusion
In my next blog, I will present some questions and answers that focus on advice for infosec newcomers. You can also learn more about the types of jobs available in information security here and here.
