We have all given lip service to developing the future cybersecurity workforce - but how many of us practice what we preach and develop others and ourselves? You don't have to hack the planet - just your career.
I will take you on a journey through what matters to take control of your adventure in the cybersecurity profession - for newbies and pros alike. We will visit where the intent for the cybersecurity workforce started, where it has morphed, and how to plan your next advance.
Presented at BSidesCharm 2019 - Career Track
2. B. Andrzejewski
Disclaimers
Yup, I must say these things…
• Personal Views: These do not represent my employers (past or present)
• Personal Experiences: Nobody’s journey is the same. Results may vary.
• Lots of Memes: Lots of memes, all the memes (I like memes)
3. B. Andrzejewski
About Me
• 20+ yrs IT w/ 10+ yrs InfoSec (1099, Academia, Healthcare, Military, Federal, Large Enterprise)
• Help customers through “bad day” events (…and preventing them)
• Former 8yr Fed in DoD & DHS
• Specialize in Incident Response, AppSec, DevSecOps, CloudSec, & VulnSec (fluent in Dev, Ops, RMF)
• Interview and phone screen at least twice a week (or more…)
4. B. Andrzejewski
My Journey Into InfoSec
• Web Developer: Dot Com Boom (and bust) for Content Management and eCommerce systems. Again for military.
• IT Support: Home, college computer lab, residential dial up, and small business.
• IT Procurement: Standardized IT vendors, goods, and services. Set policies and processes for IT asset lifecycle.
• System Admin: System admin supporting 400+ servers, 10,000 endpoints as Tier 2 & 3 support.
• Military Outreach: Public Affairs and Community Relations. Conferences, communications, joint exercises, and vendor demos.
5. B. Andrzejewski
How I stepped into this…
○ 2008 - Ran proxy and endpoint security as Healthcare SysAdmin
• Fought Conficker backdooring our network and found child porn from an employee
○ 2009 - Accidentally landed at the largest government Digital Forensics lab in the world
• Hired as DoD Contractor to develop PHP applications (for more pay!)
• Programmed and organized DF exercises for the general public for DoD, academia, & non-profits (US Cyber Challenge, NCCDC, CyberPatriot, CSAW)
• Helped define DF Knowledge, Skills, and Abilities (KSAs) into public Outreach programs (CDFAE, CNCI-8, NIST)
• Took the “opportunity” as organization’s RDT&E Program Manager and technical lead for cyber threat information sharing between DoD, DHS, US CyberCom, FBI Cyber, Dept. of Energy w/ MITRE + JHU APL – became v1 of STIX and TAXII (CNCI-5 / ESSA)
6. B. Andrzejewski
How I stepped into this…
○ 2015 - Leveled up as a Lead Security Engineer
• Defended the biggest immigration systems in the world – in the cloud!
• Developed “Trust, then verify” purple team exercises to validate blue team tools, processes, procedures (TTPs)
• Organized requested audits from DHS IG, GAO, and congressional inquiries
• Represented DHS as technical SME - taught others in DHS and Fed space about CloudSec, AppSec, Incident Response, and DevSecOps – even to RMF
• Spoke at OPM on Cybersecurity workforce needs
○ 2018 – Left Feds for commercial security consulting
2016 DHS CISO’s Security Engineer of the Year
8. B. Andrzejewski
NICE Cybersecurity Workforce Framework
https://niccs.us-cert.gov/
Categories: Analyze; Collect & Operate; Investigate; Operate & Maintain; Protect & Defend; Securely Provision
• Started as CNCI-8 with DoD, DHS, IC, & NIST
• Morphed into DHS US-CERT as NICE Framework in 2010
• Lays out the knowledge, skills, and abilities needed for each cyber profession job type
• Grew “legs” starting in 2017 with Executive Order 13800
9. B. Andrzejewski
InfoSec’s Continuous Dumpster Fires
• HR job description dysentery
• Exodus by exclusion of individuals and burnout
• Security “curmudgeons” vs. resources & budgets
• Internal org promotion
• Imposter syndrome
10. B. Andrzejewski
Now What?
“No battle plan survives contact with the enemy.”
- Helmuth von Moltke the Elder
• InfoSec is not:
• A linear path or planned progression
• Certification(s) and degree(s)
• Culture of “no” w/o risk assessment
• InfoSec is:
• For those that like to ask “why” – either to break, build, or resolve
• Focusing on the outcomes
• Continuous evolution to your threats
• InfoSec requires:
• Keeping work-life balance in check
• Watching for burn-out
11. B. Andrzejewski
The Adventure - InfoSec “Guilding” Pathway
• Apprentice (Opportunity to Grow): Learn and train to a specific skillset to learn the craft with supervision.
• Journeyman (Refining Skills): Able to work independently without supervision, add additional skills, and mentor apprentices.
• Master (Artisans): Able to work independently, mentor others, and lead teams.
No one way in. Generalize & specialize (Pivot or rabbit hole). Sorcerers and sorceresses.
12. B. Andrzejewski
Planning your Next Advance
What Recruiters are looking for
○ Continuous Learning
• Passion for your tradecraft
• Use blogs, competitions, classroom, online learning
• Sharing experiences back
• Mentoring & blogging
• Writing down how you solved problem X with methods A & B
• Presenting & volunteering
○ Soft Skills
• Teamwork over “rock star”
• Translate “security-esse” into tangible risks & costs
• Processes
• Resources vs. time
○ Abilities
• Ability to communicate
• Verbally
• Written
• Presentation
○ Tech Depth & Breadth
• Depth
• Basics (OSes, Networks)
• Security Tooling Experience
• Security Concepts
• Bonus: Automation
• Breadth
• Types of hands on
• Individual vs. team efforts
13. B. Andrzejewski
Execute your Next Advance
○ Evaluate where you are vs. where you want to go
• Look every quarter at where you are
• Figure out what “is next” to learn
• Keep an eye out for new opportunities
○ Know your worth
• Apply & interview often to “market set” - even if happy, or to use as a counter for promotions
• Ask for a salary “where you will not laugh”
• Never disclose your current compensation
• Look at the *total* package (salary, stock, healthcare, time off, 401k match)
14. B. Andrzejewski
On Resume and At Interview
○ For Resume
• Place your key, most recent skills at the *top* of your resume
• List your experiences – both personal & professional
• “Elevator pitch” one liner on what your position does
• What you are working on (without giving away confidentiality)
• Where you went “beyond the call of duty” – not long hours
○ At Interview
• Respond about experiences in STAR (situation, task, action, result) format
• Talk about *your* contributions to the team – not what the team did
• Ask interviewers about their challenges and “team” environment – these are *early* indicators of the organization’s culture
15. B. Andrzejewski
Summary
○ There is not one linear or “wrong” path
○ Include and raise others to teach the guild’s “tradecraft”
○ Continuously learn via home labs, competitions, CTFs, training, Bsides, blogs, etc.
○ Always re-assess your career every 2-3 years for the next “best” hop and to know your “market” worth
No journey into InfoSec is the same