One of the ways I try to give back to the community is by using my writing to be the resource I wish I had earlier in my journey. I have constraints on what I can publish due to the nature of my work, but I’m passionate about sharing career advice that can positively impact the industry. I’ve made my desire to be a public resource known, so people ping me for guidance all the time. Most of the responses stay in my inbox because they are links to questions that have already been answered. However, I occasionally receive an inquiry that compels me to publish an article that I hope inspires creative new solutions to move the discipline forward. I get really excited when students reach out with thought-provoking questions like the one below. I wanted to share it to help others who are also contemplating security testing tools or looking for general direction on where to focus research for the best post-graduation outcomes. I also hope this sparks important dialogue between academia and the public/private sector.
Question: "I am a third-year IT Security student thinking of a security test tool. What aspect of security should I think about in order to avoid recreating the wheel?"
My Response:
When I was in graduate school (2015-2017), I always pursued research opportunities that would increase my knowledge about the sector that I’m most passionate about: critical infrastructure. To prepare for future projects, I was trying to educate myself on secure architecture and engineering strategies for advanced metering infrastructure (AMI). To my surprise, available research on securing AMI was very limited. At the time of this writing, this is still an emerging challenge that could benefit from new creative solutions. Speaking of advances in tech, companies like Georgia Power are building the future of energy with innovative Smart Neighborhood Projects. They are building entire neighborhoods while integrating future functionalities into the design. According to Southern Company COO Kimberly Greene, these research projects will allow them to understand “how distributed energy resources interact with the electric grid and how emerging technologies will improve customers' lives.” I am willing to bet a certification voucher that security is not in the architecture process. I’d love to be proven wrong. The key here is to view emerging technologies as opportunities for security research. There are other areas that will continue fueling the need for skilled security talent well into the future, including:
- Industrial protocols
- Cryptocurrency mining
- Internet of things (IoT) security
- Autonomous vehicle security systems
- Rapid quarantine of polymorphic malware
One approach is to start by evaluating the type of company you want to work for (and/or create) after graduation. I work in critical infrastructure, so I am an advocate for young people to consider ICS/SCADA security as a career option. Since Russia is actively targeting our critical infrastructure, there will be lots of career opportunities in this sector for the foreseeable future. If you’re interested, Robert M. Lee wrote an excellent blog post about getting started in ICS/SCADA security careers. If you have no interest in critical infrastructure, that’s ok, too. What is important is that you choose an emerging issue (or existing problem that keeps us up at night) and create a viable solution. I encourage you to think past today’s challenges and start thinking about improving the security and/or testing of products that have shipped, or are slated to ship, to market with functionality as a priority and security as an afterthought.
- When you develop a tool to solve any of these problems, do not keep it behind the walls of academia. In fact, I encourage you to engage with people in your local security community to get constructive feedback and mentoring, and to build mutually beneficial relationships along the way.
- When you’re able, share your work with the community in person and on social media. If you don’t have a blog, LinkedIn is a great place to share progress and lessons learned.
- Submit to calls for papers at security meetups & conferences near you. If you’re not comfortable with public speaking yet, go sign up to be a volunteer.
- People hire and refer opportunities to people who they know and trust. Therefore, building your network is just as important as (if not more important than) finishing your education and building that tool.
- Being an active contributor will also make you stand out as a results-oriented problem solver and position you to write your own ticket prior to graduation.
- People earn degrees and certifications all the time. Very few take the initiative to build tools, produce content, volunteer, and share their passion for the discipline.
- Stand out from the crowd.
- Follow through.
Don’t just ask about it. Be about it.