My cybersecurity journey: 20 years of nonstop learning
When I graduated with a bachelor’s in computer engineering, the internet was still relatively young. It was 1999, and email was this new, edgy technology. I remember my college professor giving an assignment to send an attachment via email — a daunting task as we used the text-based Pine email system at the time.
After hours of work (and some help from my friends), I finally figured out all the keyboard combinations and sent the email, with attachment, to my professor. It was a big moment.
I took many other classes and labs during those days, and I learned a lot about computers, programming and hardware. Much of what I learned hasn’t changed, like converting binary to decimal to hexadecimal, applying statistics to a variety of number combinations, and discovering the laws of thermodynamics. But a lot has changed, including the way we send email attachments.
How cybersecurity continues to evolve
Over the past 20 years, one of the most important lessons I’ve learned is this: if you want to stay relevant in cybersecurity, you can never stop learning. This is true in many areas of life, but it is especially true in cybersecurity.
In the early 1990s, as computer networks became popular, there was a growth in network security threats. Security experts developed firewalls to stop the spread of attacks, such as the Morris Worm and other early viruses. At the time, computer security was basic. Not many users understood the need to secure their computers or their networks. But as viruses spread (e.g., ILOVEYOU) security awareness began to spread as well.
Secure Sockets Layer (SSL) and Hypertext Transfer Protocol (HTTP)
By the mid 1990s, scientists at Netscape Communications developed the Secure Sockets Layer (SSL), a security protocol that encrypts data between a client and web server. The first publicly-released version of SSL (v2) was so insecure it only lasted one year before it was replaced by SSLv3. Since then, many changes have been made to the protocol, and we are now in the process of implementing version 1.3 of Transport Layer Security (TLS), which is significantly different and more complex than SSLv2.
Another example of the ever-changing nature of computer technology is the Hypertext Transfer Protocol (HTTP). HTTP version 1.1 was released in the late 1990s, but HTTP/2, which was released in 2015, is now widely-used. HTTP/3 is in draft form and should be put into use very soon. Each of these revisions included major changes and improvements, and they’re just one example of how quickly things change over twenty-plus years.
Internet-of-Things (IoT), web applications and the cloud
In 2000 there were a half-billion internet-connected devices in the world. Now there are 50 billion — a 100x increase in just 20 years! With this explosion of internet-connected devices, we have seen a massive increase in the number of web applications as well. Web applications are moving away from monolithic architectures where everything is built to be self-contained and hard to scale. Today, web applications are built-in containers (like Kubernetes) using microservice architectures, and the development, operation and security of applications are automated. We see zero-trust models where web applications inherently do not trust anyone or anything.
Web applications are also moving to multi-cloud deployments using services like Amazon Web Service (AWS), Microsoft Azure and Google Cloud. These cloud providers are not that old — AWS was released in 2006 and Azure in 2010 — yet 85% of all major companies in the world are racing to deploy their web applications in these cloud environments.
Cybercrime now affects everyone
We’ve also seen a huge increase in cyberattacks and data breaches in recent years. It’s fair to say if you’re reading this article, your personal information has been breached in some way, shape or form. Said a different way, it would be very difficult to find an internet user today who has never been affected by an attack or data breach. This reality has led to updates in standards like PCI DSS and new regulations like GDPR and CCPA that affect the way we interact with each other and with our data.
Learn to love learning
With all these moving parts and changing technologies, it’s important to take a step back and think about the most impactful skills you can learn for your career. However, with cybersecurity constantly evolving, it’s important to recognize you’ll never run out of new skills to master.
I became an Infosec Skills instructor so I could help people in their journey to never stop learning. I teach the OWASP Top Ten Learning Path, but an Infosec Skills subscription includes access to 1,300+ IT and security courses, so you’ll always be able to learn the latest and most relevant skills.
The other thing I want to encourage you to do is to get involved in one of your local security organizations. Two good examples of local security organizations are OWASP and Security BSides. I live in the St. Louis area and participate in my local OWASP chapter. You can also check out the TechExams Community and other online groups to connect with your peers from around the world.
Go to these meetings. Meet the people there. Talk about the things you’re learning in your Infosec classes and gain additional insight into the skills you are developing. These people will help you. They will mentor you. You’ll learn new things, strengthen the things you already know, and keep yourself relevant in this ever-changing world of cybersecurity.