In this episode of Infosec’s Cyber Work podcast, host Chris Sienko spoke with Chris Triolo, VP of customer success for Respond Software. They discussed the Federal Cybersecurity Reskilling Academy and the top soft skills that can help you break into a cybersecurity career.
Getting started in tech: The military is an option
Like many cybersecurity professionals, Chris Triolo got started as a temp — in his case, a position as a temp at a defense contractor. He had a computer with an active internet connection that helped him learn networking details such as how to get people on the network, how to configure their email clients and how to get access to file shares, and so on. Filling a space while learning on the job, Triolo used to help people because there was no IT person on the premises. This turned into a permanent position at Schriever Air Force Base to do information assurance (IA).
Reading books to augment his knowledge, Triolo worked with an IT department based back on the East Coast. This allowed him another valuable source of support, as he was able to reach out for explanations when things got too difficult. Having a support network when one is beginning is not mandatory, but it is a great way to avoid some common newbie mistakes.
The day-to-day work life of a VP of customer success
Triolo says the primary goal of his current position is to get customers up and running on the company’s software in order to get them trained up, understanding how to use it, making sure that it provides the value that they set out to provide when they sold them the product. This intersects with sales work but goes beyond simply selling the product; it focuses on ensuring that the customers know what the product will realistically provide and whether it will solve the problems that they currently have.
The biggest cause of the skills gap
According to Triolo, “tech adoption has been so fast, the size and scope of the problem of the data that we have to process and manage has just exploded. It’s gone up exponentially. And the human population has not caught up with it.” With IoT creating a much larger attack surface and more and more companies migrating to the Cloud, there’s simply more places for criminals to get in, more analysis to be done, more breaches that need to be remediated across the board.
Beyond training or learning issues, part of the raw problem is simply this: there’s a skills gap because there’s simply so much more work to be done.
What is the Federal Cybersecurity Reskilling Agency?
The program was first announced in November 2018. The primary goal of this agency is to offer federal employees the opportunity for hands-on training in the cybersecurity realm. People who have other federal jobs can also apply for this training, especially if they are looking to diversify their skill set or make a lateral move into cybersecurity.
How do you display communication and collaboration skills in your resume or interview?
Triolo says that security is teamwork. One is rarely doing it alone. As an IT professional, you are not only communicating and collaborating with your IT department, but also with other departments like PR, legal and human resources.
Having the ability to communicate well and to collaborate with others is a very important skill set in terms of effective cybersecurity. Though it’s often referred to as a “soft skill” (as opposed to the hard skills of coding, security analysis or pentesting), it’s one of the most important. No department wants to work with a security “expert” who is unable to communicate their findings or recommendations to the rest of their own department, let alone the C-Suite.
What methods can help to develop an analytical mindset?
Triolo cites several methods to develop an analytical mindset.
- Training programTraining security analysts, if the opportunity presents itself, is a great way for higher level security professionals to strengthen their analytical skills and knowledge. It’s one thing to know how to do a job. If you are able to understand the job to the point that you can explain it to someone else and they are able to follow your explanation and do the job well, your analytical skills will grow significantly.
- PublicationFor those who are looking for new jobs, Triolo recommends writing or publishing materials such as a research paper. Writing independent analysis or materials is beneficial in several ways.
First, learning to clarify your own thoughts in a long-form piece of writing helps you to become a better, more analytical thinker.
Second, a report or research paper such as this shows potential employers that you truly do understand the concepts you claim to. Anyone can say that they understand cybersecurity foundations, but if a potential employer can see it demonstrated on paper, there can be no questions about the qualifications of the candidate.
Emotional intelligence is innate to certain people. Is that a skill that can be developed?
Triolo thinks that collaborative human behavior is innate in certain people. It is something like emotional intelligence that people can learn, but it can also be studied.
Criminology is a good example. One can study criminology and understand how criminals work and how they think, at which point one starts to see that humans have many repeatable patterns and qualities. They do the same things over and over and over. So once you start to understand their motivations, you can apply these findings to future interactions.
According to Triolo, “I do think you do learn over time. I would love the person, if I were hiring, that has that innate emotional intelligence.”
More methods for displaying your writing and research skills
Triolo has this to say to success-minded security professionals: “Do your research, put together examples of your writing. Take the time to do that. But it’s usually going to work best when you’re able to collaborate with others when you get to share this information. So my suggestion would be to hook up with people that would give you that opportunity. That’s going to take the time to read what you have written because it’s hard to get motivated to write stuff if no one’s going to read it. So whether that’s building networks, people in your company or local groups. Because there is all that kind of thing, especially in the security industry. We’re very welcoming.”
Ways to further expand your curiosity and creativity
Curiosity and creativity are derived from passion, says Triolo. It’s easy to see the passion in people who are best in security. They will come with that even if they have no security experience or knowledge. They will have a passion to learn, to want to know how things work, to want to know how to break things and put them back together.
Assessing the real skills gap in your organization and the actual skill level of your staff and applicants
Triolo reminds us that you assess candidates by giving them questions. For example, if you ask one of them to build Twitter, how would he or she go about doing that? Do they build a web app first, or sit down and think about what need the app is supposed to fulfill? If you ask candidates to conduct a vulnerability assessment, do they know how to do a vulnerability assessment? Ask candidates to explain processes. That is a great way to kind of pull out that knowledge.
It’s important not to miss technical questions. For example: what is the difference between TCP and UDP? This is probably the most basic networking question. Since security is based strongly on networking and how networks work, this would be very useful information for anybody who is trying to get into the field of securing networks. Triolo says you’d be surprised if you’d look at a resume that looks like it had all the right moves and then you asked that question only to get a blank stare in return.
2. Avoid explaining questions that you don’t know
Triolo dispels an important myth during the talk, the myth that any level of uncertainty in an interview is seen as weakness: “Quite honestly, I would always be happy if someone said, ‘I probably can’t explain that to you. However, I have an analytical mindset and I want to learn and I think this stuff is great.’ As opposed to someone who doesn’t know and then they try to start explaining to you what the differences between TCP and UDP are when they don’t know. The bluff means they end up disqualifying themselves immediately.”
So how DO we solve the skills gap?
Triolo believes that automation is a key factor in solving the skills gap. Many security experts advocate for automation to reduce the involvement of manpower on large-scale but mundane tasks as much as possible. Several tools have been developed to automate manual and mundane tasks, including the Security Orchestration, Automation and Response (SOAR) tool.
What’s going to happen to the skills gap in 2020 and beyond?
Triolo is bluntly honest here. “I honestly see the gap widening. I just don’t think we can catch up and it’s getting worse. I think these efforts like the cyber thing, the reskilling … These are good steps and we need to do these things and keep pushing. But ultimately, I don’t think it’s going to be fast enough.”
While this answer might not necessarily offer a lot of sunny outlooks, it does at least remind us of the urgency of the situation and the need for more people talking about the problem and suggesting solutions.
About Respond Software
Triolo says the products at Respond Software are trying to address this skills gap problem head-on. The software essentially builds a virtual security analyst, emulating the judgment and the reasoning of what would essentially be a SOC level one analyst — the work of the guy you have sitting in front of the console looking at security alerts all day.
That’s a tough job. It’s hard to find the bad guys in all of those alerts, and there are mountains of false positives in those alerts. Getting humans to stare at consoles all day is just not the way it’s going to work. You’re not going to stay on top of real threats that way.
You can find more information about Chris Triolo on his LinkedIn page.
To watch the entire episode and hear the full conversation, you can see it here on the Cyber Work YouTube page.