Saturday, 25 November 2023

What You Need To Work in Cybersecurity: the secret sauce

I see a lot of rules based 'quick fix' learning opportunities in cybersecurity. These are usually boot camp style condensed programs that promise to turn an accounting or science student into a cybersecurity practitioner in a single semester by showing them how to use tools in a formulaic manner. They treat cybersecurity as though it's an office job: we show you the cybersecurity rules and you follow them. You can see how well this is working by the ongoing shortage Canada faces in finding and retaining cybersecurity professionals.

I got into cybersecurity with my students in 2017 when we started chasing CyberTitan, but I brought something with us that is atypical in the world of STEM: a willingness to hack. I don't like the word hack, it has negative connotations to it in English that have been encouraged by the self appointed masters of STEM (the S&M part), but that willingness to iterate and work outside expected outcomes is the secret sauce in cybersecurity that many ignore, and a major reason for why I've taken to it like I have.

'Necessity is the mother of invention' has been the motivating factor in my relationship with technology since the beginning. I moved quickly from off-the-shelf to customized solutions based on experimentation and need. Within six months of owning my first home computer (a VIC20), I'd figured out how to copy software using a sufficiently low noise audio deck. My first x86 PC was purchased but quickly modified as I came to need more memory and processing power. By the mid-90s I was building my own computers at a time when many people didn't own one.

This process was initially powered by curiosity, which many training programs eclipse with a promise to provide the initiative so you don't have to - something that has never appealed to me and a major reason why I didn't start collecting technical certifications until 2001 (I'd been working in IT for a decade at that point). Schools are bad at nurturing enthusiasm for self-exploration too. Many educators feel that it is their job to impart knowledge in a regimented format (that's why we call them disciplines!) and assess student understanding through a system of providing both the questions and the answers to minimize any frustration. Assessment success is often a measure of compliance rather than cultivating enthusiasm and curiosity.  Many in education call this approach rigorous and disciplined - it's how they demonstrate credibility, and a reason why I haven't continued pursuing academia.

Indians have a term for austere innovation: jugaad (non-conventional, frugal innovation) which doesn't have the pejorative connotations of the English 'hack'. Jugaad celebrates common sense with a solutions focused approach to creative problem solving without needless bureaucracy. It emphasizes an applied approach to making technology work that is especially needed in an industry like cybersecurity where practitioners are often facing edge cases that the people who designed the network never thought of (which is why we're having a cyber problem). WIRED recently did an article on a Ukrainian technologist who demonstrated this start-up/rapid response approach in the war with Russia. There is even an event in cyber that is all about extreme edge cases: the dreaded zero day vulnerability. Jugaad will get you much further than any amount of system think during a zero day attack.

Kintsugi has played a part in my motorcycling.
There is also a term in Japanese that takes the derision found in English out of making old things work. I've long enjoyed the concept of 'kintsugi' or 'golden joinery', which is the repairing of old things using gold to embellish the fix rather than trying to hide it. In typical Japanese fashion it raises what is seen as banal work in the West to an artform. A concept that combines jugaad's celebration of a fix beyond rules based approaches with kintsugi's raising of that fix to an artform is where a good candidate for work in cybersecurity should find themselves inspired. When I started in cyber I found my  IT background helped in terms of understanding the mechanics of what was happening, but my kintsugi powered jugaad approach is what has allowed me to thrive.

This 'secret sauce' is often ignored in education and especially in cybersecurity adult retraining. There are some disciplines that tend to attract rules focused types, but that fixation on systemic order blinds them in the edge cases where cybersecurity often operates. Rather than retraining an accountant or rigorously compliant STEM student, I suspect that those exploring subjects like detective work in policing or creatives in the arts would find the skills they've honed more effective, but that doesn't stop everyone from demanding a computer science degree for any job in cyber.

In 2019 after the Terabytches went to CyberTitan nationals we got invited on the local radio station to talk about the experience. The interviewer asked me a good question about our DIY approach to computer tech. I was annoyed at the lack of resources, but he suggested it might be what gave us an edge. He was right, we'd been jugaading and it made us mighty!

There are many jobs in cybersecurity. People who lean toward the jugaad end where they can problem solve without restrictions can find a comfortable fit in operational cybersecurity where they are monitoring real time threats, penetration testing where they are attempting to exploit a client's system to highlight vulnerabilities, or threat intelligence which focuses on gathering reconnaissance data on threat actors. But even in the policy and compliance work, a willingness to consider and understand threats and solutions that are outside the box is a necessity. The need to nurture and respect those out of the box thinkers working in unexpected end of the cyber-workforce is essential for management. Those industries that thrive on status quo compliance are the ones you see being hacked most often because they don't respect the skillset.

This map of cybersecurity domains gives you an idea of the many specializations that the field offers, though I would argue that in all of them (even those up the compliance end) an ability to work from your own initiative and experience rather a rule book is essential.


Sam Sheepdog & Ralph Wolf know the score.
I sometimes describe cybersecurity types as sheepdogs. I think many in law enforcement also fit this description. You can't send a goat to fend of wolves, but having a wolf of your own will do the trick. Early on in my transition from IT into cybersecurity I found myself leaning on IT administrative habits that don't work in cyber, and came to realize that the jobs are very different, though the technology is the same. If you have an IT person running your cybersecurity you're likely to be constantly surprised by the attacks you face because they tend to see systems in an architectural way rather than as an opportunity to be compromised.


It would be easy to say something silly like, 'there are no rules in cybersecurity!' but that's pointlessly reductive. It would also be easy to describe all the people in it as hackers, but this isn't true either, though a mentality that tackles problems from a place of curiosity and jugaad is far better than a rules compliant myopic who can't see beyond the framework they maintain. At the end of all this I firmly believe that you need a bit of the wolf in you if you want to consider a career in cybersecurity. I wish more cybersecurity training and especially adult retraining would emphasize that when looking for candidates rather than demanding STEM grads often missing these skills. If it's a formulaic job that you're looking for, cyber isn't it.

STEM students are often missing skills which "include teamwork, collaboration, leadership, problem-solving, critical thinking, work ethic, persistence, emotional intelligence, organizational skills, creativity, interpersonal communication, and conflict resolution." Adding an 'A" to STEM doesn't fix this, incorporating an iterative, resilient, interrogative, team-based problem solving mindset into STEM subjects would, but that doesn't tend to be how we teach it.


Another piece of Canada's cybersecurity puzzle came into focus from the last post on how our cybereducation system is broken. In response to that, Francois Guay from the Canadian Cybersecurity Network followed up with the observation that the cybersecurity talent pipeline in Canada is also in tatters.

I've been thinking about that post and believe all of the responses from both new cybersecurity practitioners and veterans are valid. It would appear that when you try to fix a talent shortage with rushed retraining based on incorrect assumptions about the skillsets needed in cybersecurity, no one trusts the results. Problems such as absurd requirements for entry level positions like asking for 5 years of experience on a tool that only came out last year or demands for that vaunted yet irrelevant computer science degree continue to strangle entry level workers coming into the field, even though they have hacked (cough) their way through our broken cyber education system to do it.

Not to sound hopelessly jugaad, but the simple solution would be to introduce cybersecurity apprenticeships that give a more diverse set of potential candidates the opportunity to see if cybersecurity is a field of study that suits them. Those with the right combination of fearless curiosity, critical thinking and tenacity might find their way into it instead of continually opening the doors to STEM grads who are good at being told what to do and enjoyed the privilege growing up of being able to handle the enormous homework loads STEM subjects demand as part of their compliance regime. Students with a background in science and technology might be familiar with the medium that cybersecurity operates in, but that doesn't mean they'll be able to handle the stochastic demands that resonate across cybersecurity work. It's better to find those with the right jugaad mentality; technical familiarity will build quickly powered by enthusiastic initiative and tenacious problem solving.

I've always told my students that if they can bring a willingness to explore, experiment and a fearlessness in breaking things in the process of figuring them out, they don't need to sweat the technicalities, I can teach them those by harnessing the curiosity they bring with them. I've had strong technical students struggle in cyber because they lean on formulaic approaches to computing (they are often maths strong coders) that let them do the bare minimum. If your natural talents in mathematics and computer science have blessed you with a compliance based work ethic, cyber with its changeable success criteria isn't for you. Another favourite adage of mine in the classroom is, 'if you're looking for a way to do less, you'll usually find it.' Those that want to work in a framework often do it so that they can delineate where they can stop; in other words it's used as a way to limit their involvement. That's no way to approach cybersecurity. If solving a problem is a nine to five gig for you, go find work elsewhere.



Much of this comes back to the reductive way we have approached digital skills development (when we're not ignoring them entirely). Cyber Education is the hidden, much larger part of the digital skills iceberg.