1 This thing we call cybersecurity

This chapter covers

  • Defining the term cybersecurity and understanding its history
  • Identifying the role, values, and ideology of cybersecurity
  • Realizing the importance of diversity as we seek to improve cybersecurity

So, you want to help secure this new digital world we live in by starting a career in cybersecurity? If you have researched how to start a career in a security-related field, you’ve probably heard and read plenty of discussion about the cybersecurity skills gap. Maybe you’ve even seen studies suggesting that as many as four million cybersecurity jobs could be unfilled. However, if you’re out looking for your first role, you’re likely among those who’ve been on the job hunt for more than six months.

If you’re nearing graduation or looking to make a career change, you’ve probably asked, “How do I get started in cybersecurity?” Unfortunately, if you’ve gone looking for that answer, you’ve likely discovered that no single generally accepted answer exists.

As a cybersecurity professional with over 15 years of experience, I’ve hired some terrifically talented people into their first cybersecurity roles. I’ve watched teams I’ve built blossom from humble beginnings into powerful and effective cybersecurity groups. Yet for all the success I’ve experienced in hiring and developing talent, I’ve also watched the security community struggle to define a clear career path from entry level to advanced roles. I’ve witnessed the worst in hiring processes, bad advice for beginners, and gatekeeping by long-established professionals.

The good news is you’ve purchased a copy of this book. In the pages to come, I’ll help you understand the unique nature of what is commonly referred to as the cybersecurity industry. I’ll take you on a journey that starts by defining the field you’re looking to become a part of. I’ll use interviews with various members of the cybersecurity community to demonstrate how seemingly unrelated skills and backgrounds can be an asset to a security career. I’ll leverage surveys I’ve conducted of over 1,500 cybersecurity professionals and aspiring professionals to analyze paths you can follow to help speed your transition into a security role.

Over the course of this book, I’ll analyze the value of education, training, certifications, and mentorships in landing a job. I’ll share insights on how to interpret job postings for security positions and how to analyze and emphasize your unique experience to best position yourself to get hired into that first role. I’ll give you a glimpse of the types of interviews that are typically used in the hiring process and share techniques for maximizing your performance. I’ll even share my insights on how to ensure your continued success in your chosen career path after you’ve landed your first job.

The first step in the process of getting you that cybersecurity job is to understand what cybersecurity is, what the roles within cybersecurity are, and how they apply within different contexts of our daily lives.

1.1 What is cybersecurity?

Cybersecurity is a term that has become ubiquitous in modern society. From news media, to politics, to the business world, cybersecurity is a topic that comes up daily in most people’s lives. For all this discussion, however, it can be quite difficult to find a definitive answer to the seemingly simple question: what is cybersecurity?

No single generally accepted definition exists. Most will agree, however, that cybersecurity is an extension of what is often still referred to as information security. In 1961, researchers at the Massachusetts Institute of Technology (MIT) created the first password-protected system known as the Compatible Time-Sharing System (CTSS). For many, this is considered the birthplace of information security, which is the practice of protecting information and the electronic systems that process it from unauthorized access.

Fast-forward about a decade from those early days, and researchers were beginning to connect computer networks to the Advanced Research Projects Agency Network (ARPANET). This network was designed to allow other computer networks across wide geographic areas to communicate and share data quickly and reliably. ARPANET, as it turns out, would be the beginning of what we know today as the internet.

In 1988, however, three years before the internet was made available to the public, a researcher named Robert Morris wanted to highlight security risks in research computers that were connected to the internet. He designed a piece of software that spread itself across the computer systems connected to the internet. The software used security flaws in the UNIX operating system to install itself and then continue replicating. For all intents and purposes, Morris had created the first internet worm. Unfortunately for Morris, the worm spread out of control and made the infected systems unusable. This not only resulted in Morris being the first person convicted of a felony under the Computer Fraud and Abuse Act of 1986, but also led to the creation of the Computer Emergency Response Team (CERT) at Carnegie Mellon University under funding from the US federal government.

The creation of CERT can be looked at as the birth of what we now call cybersecurity. Therefore, a reasonable working definition of cybersecurity is the domain of research, technologies, and practices used to protect connected technology systems, data, and people from attack, unauthorized use, and/or damage.

1.2 The role of cybersecurity

The objectives of cybersecurity shift significantly depending on the context in which it is being applied. When cybersecurity is talked about in the media, it is often from the perspective of protecting business and commerce from cyber criminals and attackers. However, almost as common are discussions of how cybersecurity is applied across society at large. From securing our elections, to national/international security, to individual online privacy protection, cybersecurity is the common thread responsible for ensuring that all aspects of society function without disruption.

A solid understanding of the breadth of the cybersecurity world begins with understanding how cybersecurity fits into these various aspects of our lives. Cybersecurity has become so ingrained in everything we do that it can often be taken for granted or overlooked altogether. Taking a step back and examining in detail some of the diverse ways in which cybersecurity is relied upon will enable a stronger discussion when it comes to the disciplines and even job roles that are a part of this domain.

1.2.1 Cybersecurity in the business world

In business organizations, the goal of cybersecurity is typically to protect the company’s financial interests. Organizations operate on a model of assets, the elements of the business that hold or create financial value, and liabilities, elements that decrease or carry a risk of decreasing financial value of the business’s assets.

From the mid-twentieth century, information technology (IT) has been adopted by businesses to enable faster and more advanced capabilities. IT is the use of digital systems such as computers to manage and process information assets of a business. As IT systems have evolved, especially developments over the last decade, more and more business assets have become a part of the digital domain.

The term digital transformation has been adopted to describe this phenomenon of businesses digitizing their critical assets and becoming more reliant on IT systems. For example, health records that used to be stored in paper files and in images on physical film have increasingly moved to electronic medical record (EMR) systems. Storing all that information digitally in computer systems makes it easier to access, view, and share. In fact, an entire marketplace of IT products and services has formed around this digital transformation, to assist organizations making these conversions in just about any industry—from healthcare to education to transportation.

As businesses transform their assets to the digital realm, the risk of cybercriminals attacking those systems for those assets increases. These threats of attack can range from attempts to steal data, to attempts to make the systems unavailable for use. Information assets that at one time were at a low risk of being attacked now in the digital realm face the risk of attack from threats around the globe. The connectivity and immediacy of data access and interactions across the internet have enabled an explosive growth of assets in the digital domain, but have also enabled the emergence of new threats to those assets.

Cybersecurity technologies, practices, and resources are in turn relied upon to ensure that the risks posed by those threats are minimized. So cybersecurity’s primary objective within business then becomes defending this ever-growing landscape of digital assets.

As discussed previously, businesses operate under risk management models to ensure their overall success. Leaders of companies large and small are always weighing the risks that the business could be negatively impacted by an event or shift in conditions, and then trying to minimize those risks. For example, an organization like Facebook may have to weigh the potential revenue from selling user data to a partner versus the potential liability of violating privacy laws. In addition, a business and its leaders must consider the potential cost if a threat successfully impacts an asset versus the cost of reducing that risk. These are complex decisions that drive financial decisions as well as other organizational strategies. So as digital assets become more a part of this landscape, it really is no surprise that cybersecurity would be subject to those same forms of risk analysis.

In this way, cybersecurity becomes a crucial input to the risk management process within an organization. Cybersecurity practitioners are often looked to for their expertise in assessing the level of risk to specific business assets from the various threats that could target those assets. This creates responsibilities for security teams that go beyond just technological capability. Security staff must be able to understand the threat landscape and effectively communicate the characteristics of those threats to other areas of the business that don’t have the same level of technical knowledge. We need to be able to explain threat actors in terms of nation states, hacktivists, internal threats, and so forth, that are all a part of the threat landscape. Security staff must also be able to understand how assets fit within the overall business in order to more accurately describe the risks that threats pose to the business.

Since IT systems have become such an intrinsic part of the business model, their criticality to businesses has increased as well. A failure of a system that makes it unavailable for use can have enormous impact on a business. Think of some of the nation’s biggest retailers and how much it would cost them if their cash register systems were unavailable even for a half hour. Healthcare facilities, financial institutions, logistics companies, and just about every industry imaginable have become reliant on IT systems to keep their businesses running.

Because of the criticality of these systems, which in our modern age are typically interconnected in some way, cybersecurity also plays a role in ensuring the stability and availability of those systems. Attackers seeking to do damage to an organization might attempt a denial-of-service (DoS) attack, trying to make the business’s systems inaccessible for a period of time. Cybersecurity professionals are tasked with preventing the success of these types of attacks as just one of their items on a long list of responsibilities.

Typically, this type of defensive approach is done in conjunction with a team that is primarily responsible for the day-to-day ongoing functioning of the systems. In IT, these teams are typically referred to as operations teams. As it applies to cybersecurity, teams that focus on the day-to-day functioning of security defenses are referred to as security operations teams.

As business models become more heavily dependent on digital assets and IT systems, yet another trend has emerged. The level of government regulation and industry compliance requirements surrounding the use of IT systems has grown at a breakneck pace. Many of these regulations and compliance standards include detailed requirements for the way organizations secure their systems, respond to breaches or data exposures, and go about protecting consumer privacy.

Once again it is no surprise, then, that the cybersecurity employees within an organization play an important role in the way the company achieves, maintains, and demonstrates compliance with these various regulations and standards. To begin with, the security personnel are often called upon to digest and even interpret what the requirements actually mean. This may be done in collaboration with other areas of the business such as the legal team, risk management team, or audit team, but the expertise that security brings to those discussions is crucial.

Following this interpretation, security expertise is needed in designing and implementing the various controls that will ultimately ensure the organization’s compliance with these requirements. These controls can take the form of processes, practices, policies, and technologies that are all intended to help the organization protect its data and systems sufficiently according to the requirements.

Looking at the role of cybersecurity within a business setting, it becomes clear that security personnel have become involved in just about every aspect of the business. Whereas traditional information security teams were often able to focus exclusively on technical IT access controls and countermeasures, the modern digital world has forced security to be a part of every business conversation.

1.2.2 Cybersecurity defending society

Moving from the business world to the broader perspective of society changes the focus of security professionals. As intertwined as cybersecurity has become in the day-to-day motion of conducting business, it is equally or even more so a regular part of our everyday lives. The functioning of our government, our national security, law enforcement and crime prevention capabilities, and even personal interactions have all come to depend on the digital realm within our twenty-first-century society.

All levels of government have become incredibly reliant on computer and mobile applications, digital data, and other technological capabilities that are part of the digital world. If there is any doubt about just how important IT systems have become in the daily functioning of our government, we need only look at ransomware attacks, in which malicious software is installed on a computer to make the data unavailable until a ransom is paid to the attackers.

One of the more notable attacks against a local government happened in Baltimore, Maryland in May 2019. Portions of the city’s government were shut down, some for more than a month, as email, payment, and other systems were suddenly unavailable. The lost revenue plus recovery efforts cost the city over $18 million. Many other local, state and national governments around the globe have experienced similar attacks.

Of course, daily functions are not the only way that the government relies on IT systems. The use of electronic systems to handle voting is also growing rapidly. With the public demanding faster and more accurate access to results, governments across the United States and around the world are turning to digital voting terminals. However, the threats to these voting terminals have also been well-documented. Security issues and potential hacking attempts have been identified in past elections, most notably the 2016 and 2020 US presidential elections. Ultimately, the US Cybersecurity and Infrastructure Security Agency (CISA) and independent security firms all concluded that, thanks to the efforts of cybersecurity professionals, no attempts to hack those systems were successful.

Security professionals and researchers are regularly sought after by government agencies for help in defending against attacks. The stakes couldn’t be higher. Little within the government space can be considered low risk if it is impacted by a cyberattack. Even when parks, museums, or other government-managed services are affected by an attack, the negative public reaction can be swift and powerful. No political candidates want their name attached to a cyberattack occurring on their watch. As a result, momentum is growing for concerted efforts—which many security professionals would say are overdue—to shore up security within government agencies.

But the problem extends beyond civilian government matters. Militaries around the globe have also become increasingly dependent on technology systems in their efforts to defend their nations and those of their allies. Everything from military vehicles to communications to monitoring systems leverages increasing levels of connected technology. Beyond any other application, cybersecurity within the military is at the peak of life-and-death significance. As new technologies are introduced, governments and their contractors turn to security researchers and practitioners to help ensure that those systems are sufficiently protected against attacks, from design through their use in the field.

A natural extension of military use is the enforcement of laws at a domestic level. From active patrols and dispatch to investigations and criminal justice, computers and other connected electronic devices play a key role. Attacks against these systems could have detrimental effects on the departments they serve and make enforcing laws and prosecuting violations of those laws impossible. Additionally, given the ever-growing interconnectedness of our society, many crimes are committed using electronic means. Having skilled security professionals to not only defend the department or agency’s systems but also assist in investigating crimes is vastly important.

Finally, the daily lives of individual citizens around the globe are completely intertwined with connected technology. From social media, to electronic communications, to mobile apps and even so-called smart devices, human beings on this planet have largely become inseparable from technology. This creates an ever-growing pool of targets for cybercriminals to attempt to exploit. Many who use these technologies are unfamiliar with practices for using them securely and not exposing themselves to attack. As a result, security researchers and professionals are looked to for their expertise. Whether it’s through increasing awareness or developing and implementing countermeasures or even identifying security vulnerabilities in consumer electronics and software, cybersecurity is looked to as the answer for protecting every person on the planet who is connected through technology in some way.

1.3 The cybersecurity culture

For decades, a community of people committed to goals of deconstructing, investigating, and defending technology has been growing and evolving. This community has developed a culture and many subcultures that have shaped much of cybersecurity’s structure today. From hackers and researchers to security practitioners and corporate security leaders, a unique and sometimes difficult-to-navigate set of norms and values has come to be associated with the security community.

It would be impossible to list every core value or ideology that has been adopted by the security community. They not only are far too numerous, and in some cases ethereal, but also are not universally adopted by all who would identify as members of the security community. However, several values are widely held that should be examined to provide better context for anyone trying to become a member of the community.

1.3.1 Privacy and liberty

Key tenets in the ideology of those within the security community are personal liberty and privacy. In the early days of hacker culture, individuals around the world gathered on dial-up server communities (known as bulletin board systems, or BBSs) to share information and discuss new discoveries. To gain access to these systems, participants often had to demonstrate proof of a “hack” they had conducted.

That often meant showing data they had stolen from a business whose systems they broke into or demonstrating that they were able to manipulate other technology to cause it to function in a way that wasn’t intended. Since these activities were often viewed as illegal, the ability to protect their personal identity and remain free from watchful eyes of governments and officials by maintaining anonymity was highly valued.

A significant portion of the members in these communities were treated as outcasts in their daily lives. What they found in the anonymity of these early communities is described by many as a feeling of being among people like themselves. Stripped away were labels of gender, ethnicity, social class, or other ancillary characteristics that led to rejection from mainstream society. Instead, each was valued almost exclusively based on the knowledge and skills they brought to the table. They could have meaningful discussions about topics they wanted to discuss with others who had similar interests without stereotypes or prejudices getting in the way.

As the internet began rising to prominence, the early design and capability limitations of internet technology enabled continued anonymity plus greater convenience in connecting to vast communities of like-minded individuals. However, the secretive, often clandestine nature of these early hacker groups in many cases began to erode. They became more visible to the general public, and interest in their activities grew.

At the same time, as discussed earlier, within corporations and government agencies, the ideas and practices of information security were also growing. Industry, law enforcement, and government groups that focused on information security practices began to cultivate their own communities of security professionals.

Over time, these two very different groups of individuals have developed a tenuous, if not strained, relationship. Through meetups, organizations, and even formal security conferences, the two groups have found ways to share information, ostensibly with the common goal of making technology better and safer for all. It’s the ideological view of what makes technology “better” that often still differs between these groups.

This leads to a continuing distrust and sometimes outright animosity between the two factions. As a result, protecting privacy and liberty has been reinforced as a value particularly among the more idealistic hacker/researcher portion of the community. Still today, many in the community use handles, nicknames meant to protect the actual identity of the person, and operate under general anonymity.

1.3.2 Open information sharing

One of the key elements that brought early hackers together was the ability to share information freely with one another. These hackers weren’t the cybercriminals we hear about today; they were simply people who sought to better understand technology so they could learn and create even more innovative technology. However, this information sharing was sometimes accompanied by a level of hubris. Bragging about a recent hack meant greater credibility in the community. Regardless, the value of sharing information and building on others’ discoveries was and is important to the community.

This type of information sharing isn’t exclusive to the hacker culture. Academic researchers also have long valued the concept of open information sharing, and indeed that continues into cybersecurity research.

This culture of sharing information to help improve technology for the good of everyone is seen, in particular, in the number of independent security conferences hosted annually. Thousands of conferences are held around the globe in the interest of sharing information about security vulnerabilities, defenses, and other topics. A week-long series of security-focused conferences, colloquially referred to as Hacker Summer Camp, takes place in Las Vegas each August and attracts an estimated 30,000 to 40,000 people from around the globe.

The importance of this ideology within the security community is manifested in the way its members have reacted to the commercialization of the internet. In its infancy, the internet was a new frontier that would enable the free sharing of knowledge on a level never before possible. For a time, that ideology seemed to be holding true. However, it didn’t take long for businesses to realize they could enable new revenue streams and reach customers in a way never possible by leveraging the internet.

To protect competitive advantages and establish markets, businesses maintained their corporate secrets even as they exploited more of the capabilities of the internet. New technologies that enabled more secrecy and controversial defense of certain intellectual property rights conflicted with this open information-sharing ideology. The security community in turn has continually fought to tear down those barriers and gain more transparency from businesses in terms of their business practices on the internet.

1.3.3 Do no harm

Early hackers quickly understood that their capabilities could be used to improve the quality of technology for all. As they began discovering security flaws in systems, they sought ways to share this information with the owners of those systems. Unfortunately, those system owners and ultimately law enforcement viewed the activities of these hackers as criminal rather than helpful.

Slowly, however, businesses and even law enforcement agencies began to realize that understanding the perspectives and skills of friendly hackers could help them defend against the actions of truly malicious attackers. From this, the term ethical hacker emerged, describing someone who used hacking techniques to help discover security flaws for the purpose of reporting those flaws so they could be fixed. While this term has fallen out of favor, the concept is alive and well.

To aid in establishing legitimacy, the ethics of friendly hacking needed to be carefully established and adhered to. This allowed good hackers to define rules, practices, and standards that differentiated them from malicious attackers. Imperative to this ethical code was the ethos of do no harm. This formalized rules of engagement for testing systems, ensuring that while vulnerabilities would be discovered, they would not be exploited in a way that caused damage to a system or a person.

In today’s cybersecurity world, this code lives on and is applied to many of the activities that security researchers, hackers, and practitioners engage in every day. Debates rage when ideas of offensive security and cyber warfare seem to cross the line and inject truly harmful behaviors in the name of protecting security.

1.4 The cybersecurity “industry”

Whether it’s in the business world, in the media, or in political discourse, the term cybersecurity industry is often used to describe the full collection of people, technologies, and practices that are part of defending the digital world. Security, from the early days of information security professionals, has been viewed as a separate discipline.

We have this concept of cybersecurity careers, which is likely why you’re reading this book in the first place. Governments, corporations, and other entities have built cybersecurity teams. Software and hardware companies have released cybersecurity products to try to defend against every imaginable type of attack. But uncertainty is growing over whether cybersecurity should be looked at as a separate industry at all.

1.4.1 Is cybersecurity an industry?

Cybersecurity has been well established as a commercial market. Various studies indicate that $170 billion to $250 billion was spent globally on cybersecurity solutions in 2019. Additionally, colleges and universities have created degree programs that focus on cybersecurity. Training organizations offer cybersecurity bootcamps and classes. For years, as information security teams stood as lone silos within corporate organizational charts, viewing security as an industry was convenient and made sense.

However, cybersecurity has evolved into more than simply protecting IT systems from unauthorized access and damage. The implementation of its practices is no longer solely a matter of technical countermeasures. The focus on security has permeated into every area of business, international affairs, and societal dialogue. Calling cybersecurity an industry connotes a standalone silo—something that exists and merely interacts with other facets of our world. That connotation fails to recognize that security is a fundamental concept in every part of the digital world.

definition

Cybersecurity is more than an industry. It is important to understand that cybersecurity is intertwined in every facet of our digital world. Therefore, referring to it as an industry perpetuates an antiquated view of security as a siloed and separate function within organizations and society.

1.4.2 The effects of digital transformation

As discussed in section 1.2, digital transformation has resulted in the conversion of many elements of daily life to an electronic and digital realm. Technology is no longer a part of our lives; in the words of a colleague and good friend in the security community, Keren Elazari, it is our way of life. We’re no longer just defending systems, technology, and data, but instead are defending core aspects of our modern world.

As digital transformation continues, and more and more once-tangible elements of the world around us become digitized, cybersecurity becomes ingrained in that aspect of the world. Threats are growing exponentially in number and in complexity. No single group, no single discipline, no single domain of expertise can reasonably be called on to defend against all of it. The resultant attack vectors are too diverse and expansive.

1.4.3 The human element

The growth of our digital world through the transformation of everything we know to data and systems has highlighted another key concept: the need to protect the human element. An often-cited idea within the security community is that the human element is most often the weakest link. No matter how strong our defenses, no matter how good the technology, a single mistake made by a human being can still enable a malicious actor to complete an attack.

As this concept has grown, we’ve seen the introduction of social engineering experts into the cybersecurity disciplines. Organizations pay these practitioners to assess the readiness of their personnel to defend against attempted attacks. Experts focused on human behaviors and awareness training have become crucial elements in this type of security strategy. These experts focus on reshaping the way humans react to attempted social engineering attacks such as phishing, phone fraud, or even in-person manipulations. In 2020, the RSA Conference (one of the largest and longest-running cybersecurity conferences in the world) featured “Human Element” as the theme for its annual week-long event in San Francisco.

The inclusion of defending the human element against attack further broadens the idea of what cybersecurity is. It forces practitioners to think beyond just technology and really consider inherent behavioral patterns, manipulation techniques, and disinformation countermeasures.

1.4.4 The internet of everything

Digital transformation has changed much about the way we view our world in ways we’re only just starting to understand. One example is the Internet of Things (IoT), more commonly now referred to as smart devices. Both terms describe products and technology that typically operated in a standalone fashion and now are augmented with connectivity to create a new form of functionality.

Refrigerators can detect when items are running out and order more from an online grocery store. Cars are connected to the web for wide-ranging purposes, from navigation assistance to summoning assistance when needed. In February 2020, a Kickstarter campaign was even announced for a candle that could be remotely lit by using an app on a smartphone. Everything seems to be getting connected to the internet.

However, this explosion in connected devices has predictably also caused explosive growth in threats and attack vectors. Security considerations are now a part of technologies that were never thought to have a digital threat landscape previously. Once again, security is permeating into every facet of our lives.

So, can we really refer to security as an industry anymore? Should we instead look at security as simply a facet of every part of our world, the way that safety has been for generations? Sure, some people specialize in designing safe environments. Best practices exist, standards have been created, and concepts are followed. But in the end, from workplaces to roads to homes and everything in between, safety is just an inherent aspect of all of it. Perhaps as we consider career paths and specializations, thinking about cybersecurity in the same way could be helpful.

1.4.5 So, is cybersecurity an industry?

As you can see, the cybersecurity field itself is broad and extends across not just the ever-expanding world of technology but also to securing people. Our way of life, in almost every facet, has become integral with this digital world.

So, to say that cybersecurity is just an industry ultimately is far too limiting. It is a crucial element in the way we approach day-to-day life and not something that is easily separated anymore. Whereas information security in past decades could be looked at as just a discipline under the larger information technology umbrella, cybersecurity today is more conceptual and less of a specific skill or set of practices.


1.5 The value of human diversity in cybersecurity

In section 1.4.3, we discussed the human element and how the efforts we make within cybersecurity to defend our way of life with technological means can be undone by human mistakes. Therefore, the problem-solving that sits at the core of what we do in terms of cybersecurity must include those humans whom we ultimately seek to defend. But with a world that has so many cultures, so many differing sets of ideals, and so many levels of education and abilities, how can we hope to find answers to defending all of them?

As it turns out, one big step that must be taken toward this end is ensuring the diversity of those who are called upon to build those defenses. To protect our digital way of life, we need to improve our problem-solving through diversity of thoughts, perspectives, and ideas. Further, we need to understand the populations that we are trying to protect.

Neither of these can be accomplished if our teams of defenders all have similar backgrounds, similar educations, similar cultures, and similar career progressions (among others). To make this idea of cybersecurity work, we have to be welcoming and actively seek to include defenders from walks of life that are just as varied as the societies we live in. This means there is a place for all in cybersecurity roles. But furthermore, we truly need to have as much representation in these roles as possible.

1.5.1 The cybersecurity diversity gap

In its 2020 “Diversity and Inclusion Report” (http://mng.bz/PW92), cybersecurity company Synack surveyed hundreds of professionals about their experiences working in cybersecurity roles. The survey asked whether the respondents felt they were given the same opportunities to progress in their careers as those of other genders or ethnicities. Of the female participants, 34 percent answered that they did not. More alarmingly, 53 percent of those from minority ethnic backgrounds answered no to the same question. These results are indicative of the diversity problem that has plagued the technology industry, and particularly cybersecurity, for years.

In 2017, the International Information System Security Certification Consortium, or (ISC)², and Frost & Sullivan and others, released a “Global Information Security Workforce Study” (http://mng.bz/J1Op). The survey found that only 14% of respondents in North America were female. Across all other regions of the globe, that number was even smaller. A lot of press and analysis have focused on the issue of female representation in cybersecurity, yet the trouble persists. The same study found that only 23% of United States-based respondents identified as an ethnic minority, which also falls below overall population percentages for the nation. For instance, while 13.4% of the nation’s population identifies as Black or African American, only 9% identified as such in this study.

Conflicting reasons are often shared to explain this gap. I will not debate the merits of those theories in this book. However, it is important to understand that these challenges in diversity do exist—in particular, gender diversity—and this has an impact on how successful we can be in our pursuits. It is equally important to understand that this problem has been recognized and that our community as a whole is working to change it.

1.5.2 Why it matters

Diversity is often touted as a political correctness or “woke” effort. But the technology world and cybersecurity are slowly coming to realize a tangible value in diversity that goes beyond just simple ideals of morality and fairness. As I stated at the beginning of this section, we need cyber defenders to understand the mindset and perspectives of those we seek to defend, especially when the human element is the cause of so many challenges in that regard. This ability to understand the humans to which our efforts are directed allows us to better identify the right solutions that will work in defending them.

By way of example, in 2014 the US Government Accountability Office (GAO) released a report (https://www.gao.gov/assets/gao-14-357.pdf) that detailed elevated instances of false alarms in Transportation Safety Administration (TSA) body scanners at airports. Among the particular associations with these elevated numbers of false alarms were headgear, turbans, and wigs. Yet in 2017, ProPublica reported (http://mng.bz/wnd7) that the scanners continued to have high levels of false alarms, especially associated with hairstyles common among African American and Black women. This was according to data that ProPublica collected independently.

In these scenarios, we have to wonder how such issues do not get identified sooner. Were women of color not involved in the development and testing of these devices? Could a more diverse project team have proactively recognized the potential for these issues and ensured that the designs of the system took this into account? Ultimately, this is why diversity is so important. Brainstorming and problem-solving benefit when those involved have wide-ranging perspectives and experiences to draw from. So when it comes to cybersecurity, where problem-solving is the core of our calling, we too must seek to have significant diversity within our community.

1.5.3 How it applies to your career path

This is all great, but it sounds like a problem for the community and industry as a whole. While this is true, as someone looking to launch a career in cybersecurity, it’s important to understand that these challenges exist. In chapters 8 and 9, I discuss the various challenges that can derail your career growth. For now, this particular concept needs to be recognized early as you just start to understand the makeup of the cybersecurity community, how we got to where we are today, and where we are headed.

As you begin down this career journey that has led you to this book, you might struggle to see how you fit into the community if you do not see yourself represented in the faces of those already there. That is the point where you will need to draw upon the information in this section and understand that you are not only welcome but also needed. Armed with this information, in the next chapter we will really dig into all the places you could go within cybersecurity.

Summary

  • Cybersecurity is the domain of research, technologies, and practices aimed at protecting connected technology systems, data, and people from attack, unauthorized use, and/or damage.
  • Cybersecurity’s role changes with context, but in our digital world of interconnectedness, it’s about protecting our way of life.
  • Cybersecurity can benefit greatly from diversity of experiences and cultures, and the community continues to work to improve the current lack of diversity.