An open letter to a fresh cybersecurity hire
Congratulations on your first cybersecurity job! Whether you are just entering the workforce or pivoting to a new field, here are some inside tips that may help you succeed.
- Never say "that isn't my job". The colleagues I've seen advance and realize success in their cyber careers were willing to pitch in and help without regard to job description. This will be magnified if your employer is a smaller company, but the general idea is that companies and cultures are forged by the people who chip in and get things done. I used to teach this to new hires as "if you see something, clean something". I used an example of walking by the break area and seeing a spill, and not waiting for the maintenance crew to mop it up. I then talked about popping into a live system and noticing the hard drive was about to fill up, and not just ignoring it because it isn't your job. Always help grow and operate the business.
- Make friends throughout the company. In cybersecurity you are at a unique intersection across all departments, and you should not let this go to waste. In an entry level job you will often be fielding employee questions, complaints, alerts, or phish reports. Pick up the phone or Slack to get some context. Ask people about their daily tasks and what they do to keep the company moving. Learn about that remote field office in Wichita that was inherited during an acquisition in 1993, and meet Jane who still keeps that grain store running for the last farm left outside Scranton. Scooping up business context, history, and personal connections will massively amplify the value you bring and opportunities you recognize.
- Ask for forgiveness a lot. Every company will have a unique culture, and you certainly need to learn how to navigate it and your direct manager's personality. But in general the biggest accomplishments of my career all started with asking for forgiveness instead of permission. I'm not talking about asking forgiveness for violating corporate policy, plugging your personal Linux laptop into the corporate network, or hosting your incident management platform in your personal AWS account. Those are career-killing moves. I'm talking about asking forgiveness for booking a flight and visiting a newly acquired company without asking for permission. Forgiveness for installing a 75" flatscreen with live visualization of your security events in the break room. Forgiveness for having security awareness flyers printed and hanging them up yourself on the inside of the toilet stall doors. There are a lot of questions that get a "no" response simply because you asked.
- Live in a big world. Don't put blinders on and limit your professional circles to your coworkers. Meet your peers at competitor companies. Join information sharing groups and professional networks. Not allowed to? See number 3.
- Be humble. This can be easy when you are starting out and recognize how little you know, but even as you grow preface every bold statement with "I could be wrong, but...". Because we will be wrong - and frequently. Sometimes the environment we work in changes, and other times we were just wrong to begin with.
- Question everything. Most cybersecurity axioms are invalid groupthink memes that were foisted upon us. Writing a password on a post-it note? Not really so bad. Ransomware operators don't hang out in your cubicle, and the people that do are too scared of going to jail to do anything with them. Cleartext protocols are totally fine, and snooping on even a classic telnet session from your laptop in a Starbucks to an Internet-connected VAX server would take a Hans Gruber-caliber heist to break into AT&T's network and get in a position to capture packets. Strong passwords aren't saving anyone - they get captured in keystroke loggers just the same as short ones. Using public WiFi is 100% fine unless you are a dissident Middle East journalist and blindly accept certificate errors in your browser. If you find a group of security nerds all rolling their eyes the minute a particular topic comes up, take a minute to question it with a fresh viewpoint.
- It isn't China. It's a PC at a Chinese elementary school that has some malware on it that enrolled it in a botnet, or, if it's what your IoT device is talking to, it's some vendor update server hosting legitimate code. More specifically, don't chase the most sensational conclusions. The burden of proof rests upon the unusual.
- Never hoard. Always share your knowledge, data, and network of experts. Always invite help and welcome collaboration. If you are the only one who ever knows something, it will soon be all you ever know. I've seen too many people work on the same legacy system for over 20 years because they hoarded that knowledge. Job security? Maybe? Career growth? Absolutely none.
- Treat people as you want them to be. Give people the benefit of the doubt, and expect great things out of them. People will often live up to the expectations you place on them.
- Finally, just be nice. Whether you are right or wrong, there is no place for being mean. Don't call out people in group meetings to prove how wrong they were. Let people save face by contacting them one on one sometimes. Remember that non-cyber coworkers are prized and paid for an equally noble skill that you are terrible at, and don't denigrate them for their weak IPv4 routing game.
Speaking of that... you have a strong IPv4 routing game... right?