Career skills, imposter syndrome and intelligence-led pentesting | From the Cyber Work desk
Hello, Infosec Resources readers! I’m Chris Sienko, and if my name isn’t familiar, I’m the host of the Cyber Work Podcast. Since 2018, I’ve talked with guests from the spectrum of cybersecurity jobs and careers. I’ve talked to CISOs, pentesters, incident responders, red teamers, secure coders, cybersecurity startup founders, and cybersecurity professionals at all skill and experience levels.
In this new monthly column, I’ll be highlighting key points and insider’s expertise about — you guessed it — the work of cybersecurity! (Cyber … Work. Get it?) I hope this column will provide tips for your career, get you excited about exploring past episodes and maybe even entice you to check out a subject or a guest that you didn’t think was relevant to your work specialty or career aspirations.
Nearly every guest I’ve spoken to has said the same thing: knowing as much as possible about every facet of cybersecurity is vital to staying fresh and relevant in this industry. Time spent learning new things is never time wasted! Besides, you never know when someone’s inspiring words or example will set you on a new career path!
With that in mind, here are some insights I gleaned from my guests in December and January. I hope you’ll also find them interesting and actionable, or maybe they’ll help you see your own tasks from a new perspective!
Ameesh Divatia on the perfect triad of skills
In December, Baffle CEO Ameesh Divatia shared what he considers the perfect triad of skillsets to keep aspiring cybersecurity professionals relevant for the long haul. He says he sees “a big paradigm shift from bare metal to virtual machines.” With more companies requiring personal data collection, security practitioners will be ahead of the pack if they are fluent in three skills:
- Best practices for data collection and storage
- Methods of securely using data without making it a business liability
- Implementing security systems for cloud-based transmissions of data
In short, newcomers who want to deepen their skills simultaneously within cloud security, file security and data privacy will be front and center in building a safer future.
If you’d like to hear more about these skillsets and Divatia’s pro bono volunteer work on his city’s technology council, check out the full Cyber Work Podcast episode.
Ken Jenkins on the US Cyber Games and kicking Imposter Syndrome
December also saw Ken Jenkins return to the podcast to discuss his work as the head coach for Season II of the US Cyber Games.
The US Cyber Games bring together young adult cybersecurity students, ages 18 to 25, in a spirit of friendly competition as they work individually and collaboratively on a series of Capture the Flag (CTF) events and challenges ranging from forensics to web app pentesting to real-time exploitation/defense challenges.
Even though we talk about these as “Games,” Jenkins is quick to note that the skills learned will be vital to professionals entering the security space:
“Being able to continuously hone your skills through competition and through a team of events really helps overcome imposter syndrome,” says Jenkins. “You can come out and compete with like-minded folks, similar academic backgrounds, and try your hand against all these different specialties in capture-the-flag events or the more real-time Red Team vs. Blue Team challenges.
“Learning to write code in a computer science class, but never dealing with a determined adversary during incident response; that’s quite a gap to close from a classroom. Many of the athletes will go on to work at product companies, cybersecurity companies, or data science. They may develop behavioral analytics, machine learning or AI from what they’ve learned through capture-the-flag challenges. It just moves the whole profession forward, in my opinion.”
Whether you want to listen to some good stories about the US Cyber Games or learn how to take part yourself, check out the Cyber Work Podcast episode! If you’re short on time, jump to the 40-minute mark, where Jenkins explains how to get involved as a player or a coach, and to around minute 48 for strategies to build up your own problem-solving muscles.
Matt Lorentzen on “intelligence-led pentesting”
In January, I learned a term that was new to me: “intelligence-led pentesting.” I asked Matt Lorentzen, principal consultant at Cyberis, to explain what it represents for the pentesting industry. Matt said it’s basically red teaming but with a twist. Rather than an all-out assault on an organization to simulate a full-scale internal and external attack on a network, intelligence-led pentesting narrows the focus to industry-specific and location-specific types of attacks to specifically strengthen the security posture in the places where it’s most likely to be hit.
I love hearing red team “battle stories” as much as the next career advice-focused cybersecurity podcast host, but Lorentzen’s description of using red team operations not simply as an indicator of where a threat actor could get in, but of what would happen if they were already there, seemed like a more practical and less scattershot approach.
“That’s kind of where we as a company placed a lot of importance on that initial access factor,” says Lorentzen. “If an attacker is successful…then what? That’s always a good place to start: ‘then what?’ Because that’s going to be the starting point for whatever good or bad will happen.”
The rest of the Cyber Work Podcast episode moves into suggestions and recommendations for school districts that want to protect students using school accounts. We also discussed the right way to think about doing CTFs, and the uptick in your skills when you learn not just how to capture a flag but how to approach that same problem from many different directions.
Even more inspiring is Lorentzen’s passion for post-pentest reporting. He says, “In the last ten years or so, there’s been a huge influx of people open to sharing [their insights] and bringing other people along. That makes for a great time to be in here. I don’t have to be the smartest person in the room. Quite often, I’m not. But I love learning, and I’m always enthusiastic about learning and will learn from anybody. I think you need a very open mind when it comes to this industry as to how you’re going to build your skill set.”
Capture the flag, capture the gold, or capture the perpetrator?
Whether you’re trying to future-proof your cybersecurity skills with advanced data privacy and cloud skills, solve the trickiest head-scratchers the US Cyber Games can concoct, or use your Red Team skills to document industry-specific exploitation strategies, I hope this month’s episodes of Cyber Work get you excited to start 2023 with a renewed determination.
If you don’t have an hour of listening time or you have a particular question, we’ve also launched a brand new series of shorter episodes aimed at answering your specific work and career questions. We call it Cyber Work Hacks! At the time of this writing, we’ve released three episodes focused on:
- Acing tricky cryptography exam questions
- Understanding recent ISACA CISM exam changes
- How to set up a digital forensics lab (featuring Paraben’s Amber Schroader!)
Have a topic you’d like us to answer? Drop us a line at email@example.com and let us know how we can help.
Keep listening, keep watching, and keep learning! And please comment on our YouTube pages about other topics or guests you’d like on the show.
Talk to you next month!