Whether you are just kicking off your career in cybersecurity or are in the process of building a security team, it can be difficult to know where you should focus your attention to avoid potential missteps along the way. To help, we asked some seasoned pros to share what they’ve learned over the course of their careers that would have made a significant impact if they were just setting off at the starting gate. Here’s what they had to say:
1. Brandon Condarco, Network Analyst at FIS Global
The biggest pain points are not how many vulnerabilities are out there, but rather how many of those are exploited because of internal user ignorance. Train up your staff to learn how to spot phishing attacks and that not everything needs to be clicked. Come up with a game plan to attack vulnerabilities, and really put forth the money for great software. PILOT, PILOT, PILOT!
2. Pedro van Herten
Security is not just an IT issue—the whole company must be aware of security.
When setting up your security team, have a CSO who is responsible for all aspects of security, including traditional infosec, compliance, physical security, and operations. Having one person where the buck stops helps ensure harmonious coordination of policies and operations. Also, having a member of senior management responsible helps ensure that security is seen as an integral component of security operations, and not just some CIO overhead to doing business. Security is a requirement.
Security responsibilities should reside within those teams that are responsible for the operational compliance. This means that IT sysadmins should perform and share audit reports with the security team on backups, configuration management, and patch management. These reports should be owned by IT operations and delivered to the infosec team, not the other way around. The infosec team should review/approve the policies and procedures, and validate the facts via testing (including vulnerability scans to validate that the configuration and patches have been applied), but these checks and reports made by the security team’s tools should not be the primary source of information—IT admins should be expected to know what they’re doing.
The infosec team should be recruited with an attitude that they are there to serve the business. They should work with the business to accomplish business objectives and be solution-enablers who find secure means to perform business functions. They should not be the people who are dreaded for putting up roadblocks at the end of a preparatory process just before a service goes live, but should be knowledgeable and involved at the inception of the projects. The security team should comprise makers, not breakers. For any vulnerability discovered, the security team should be involved in countermeasures or mitigations, and not just drop a block on operations. The security teams should know how to secure the company, not just point out weaknesses.
4. Steven Maske, Principal Security Engineer
Consume as much information as possible. Subscribe to RSS feeds and podcasts, join Slack channels, follow other security practitioners on Twitter, and attend local user groups. Additionally, don’t try to reinvent the wheel. These resources, along with the myriad frameworks out there, have a substantial amount of tried-and-true methods available. Last, be a compass, not a hammer. Instead of trying to force security on your organization, guide it toward safer practices.
5. Chad Kliewer, Information Security Officer, Pioneer Telephone Cooperative, Inc.
I have a few pieces of advice that apply to security and IT in general:
- Choose your battles wisely. This is No. 1 for a reason. As security practitioners, we tend to fight battles constantly. Choosing the correct battles is how you make yourself an enabler instead of a roadblock.
- End users are not the problem with security—they are the reason for it.
- Know what you know, know what you don’t know, and NEVER confuse the two.
Having the initiative and know-how to find answers to questions you can’t answer or to learn something you don’t know is one of the most valuable traits you can have in IT. None of us know everything, but great IT people know where to learn what they don’t know.
Have any questions you’d like answered about your own career? Looking to share some of your own pieces of advice? Please drop us a line in the comments or on Twitter (@Rapid7).