Build a Stronger Cybersecurity Team Through Diversity and Training
This blog was originally published by Microsoft here.
The security community is continuously changing, growing, and learning from each other to better position the world against cyber threats. In this interview, Microsoft Security Product Marketing Manager Natalia Godyla talks with Heath Adams, Chief Executive Officer (CEO) at TCM Security about being a mentor, hiring new security talent, certifications, upskilling, the future of cybersecurity training, and lots more.
Natalia: What do you recommend to security leaders concerned with the talent shortfall?
Heath: There needs to be more openness and getting away from gatekeeping. In this industry, there’s a lot of, “I went through this path, so you need to go through this path.” Or “I did these certifications, so you need to do these certifications.” Everybody wants this perfect candidate—somebody who has 10 years of experience—even when they don’t necessarily need it. We need to be able to take somebody that’s more junior, who we can help train. Or take someone with a clean slate.
As a manager, be open to more than just what’s on the Human Resources job description. And be open to new people with different backgrounds. People are coming from all walks of life and age groups. So, if you put those biases aside and just consider the person that’s in front of you, that will help with the job shortage and help close the talent gap.
Natalia: And how have the pandemic and the shift to hybrid work changed cybersecurity skilling?
Heath: I think it’s been a positive. In our field, the ability to work remotely was always there. But the pandemic shifted things, so more companies are starting to realize that fact. I’ve worked jobs as a penetration tester where I had to relocate, even though I was working out of my home 95 percent of the time. Now, more companies are opening their eyes to talent that isn’t local. You no longer have to look in big markets; you can look at somebody on the other side of the country who’s studying cybersecurity, and they can be an asset to your team.
I was doing a lot of Twitch streaming during the shutdown, and I noticed our streams were way bigger than before. We had more people watching, more people interested. There’s a lot of people who took advantage of the shutdown to say, “Hey, this is my time to get focused. I want a new career.” There are high-paying jobs and there’s remote work. And as I mentioned, you don’t need a specific background or degree to get into this field. People can come from all walks of life. I think the pandemic helped shine a light on that.
Natalia: You’re well known as The Cyber Mentor™. How has mentoring impacted your career?
Heath: It keeps me on top of my game. I have to be able to give people direction and I don’t want to give out bad information, so I’m making sure that I stay on top of what the industry changes are, where the jobs are heading, and how to interview properly—all of which seem to change from year to year. It helps me stay in touch with the next generation that’s coming into the security field as well.
Natalia: Do you have your own mentors that help you progress in your career?
Heath: I came up with what I call “community mentorship.” I have a Discord community, and we use that to encourage other people to give back. You want to be able to help people when they need it or get help when you need it while learning from each other. When it’s time for networking or needing a job, that goes a long way. For me, it’s more about being where there are groups of like-minded people. I’ve got a lot of friends that own penetration test companies, and we’ll get together, have lunch, talk strategies. What are you doing? What am I doing? That’s the kind of mentorship that we have with each other; just making sure we’re keeping each other in check, thinking about new things.
Natalia: What are the biggest struggles for early career mentees who are trying to grow their skills? And how can leaders address those challenges?
Heath: For a person looking to get a role, there are a few things to remember. One is to make sure you’re crawling before you walk, walking before you run. I’ll use hacking as an example. A lot of people get excited about hacking and think it sounds awesome. “You can get paid money to hack something? I want to do that!” And they try to jump right into it without building foundational skill sets, learning the parts of a computer, or learning how to do computer networking or basic troubleshooting. What I tell people is to break and fix computers. Understand basic hardware, basic computer networking, what IP addresses are, what a subnet is. Understand some coding, like Python. You don’t need a computer science background but having those foundational skills will go a long way.
If you don’t put a foundation under a house, it’s going to collapse. So, you need to think about your career in the same way. You must make sure you’re building a foundation. People don’t realize the amount of effort that goes into getting into the field. Do your due diligence beforehand.
There’s also a lot of imposter syndrome in cybersecurity. I tell people not to concern themselves with others, especially on social media. They say comparison is the thief of joy, and I truly believe that. You have to make sure you’re running your own race. Even if you run the same mile as somebody else, and they finish it in 5 minutes and you finish it in 10, you still finish the same mile. What matters is that you got there. As long as you’re trying to be better than you were yesterday, you’re going to make it a lot farther than you think.
Finally, cybersecurity is a field that’s constantly changing. For somebody who is complacent—who wants to get a degree, get a job, and then is set—cybersecurity is not the right fit. Cybersecurity is for somebody who’s interested in constantly learning because there are always new vulnerabilities. There was just the Log4j vulnerability that caused everyone concern. I had a meeting today with a client, and if I’m not prepared, I’m letting them down. I’m letting their security down as well. I spent the weekend studying because I had to. That’s the business we’re in.
You must stay on top of this from an employer side as well—being able to train people and keep them up to date. Have a base foundation where you want your employees to be, and then encourage them to gain knowledge where they’re most interested. I’ve been sent to a training that I had no interest in whatsoever and wanted to pull my hair out. As a manager, I ask, “What do you want to learn?” When I send an employee to a cybersecurity training that they’re interested in, they’re going to retain that information a lot better. They can then bring that information back to us, and we can use that in real-world scenarios.
Natalia: How can security leaders recruit security professionals to their teams better? What should they look out for? For example, how important are certifications?
Heath: For an entry-level role, certifications are important. Their importance diminishes once you get into the field. But I’m an advocate for them; they help prove some knowledge—so does having a blog, attending a conference, building a home lab, speaking at a conference, speaking at a local community group—anything that says, “I’m passionate about security.”
I have seen some entry-level roles where the interviewers have you code something, or have you fix broken code, just to make sure you logically understand what’s going on. You don’t have to be a developer or be able to code, but you must be able to understand what’s in front of you. Having some coding challenges during the hiring process can be beneficial—but it should be open book. For a security professional, using search is 90 percent of our job, honestly. If you’re limiting somebody from searching online, you’re setting false expectations.
I go back and re-watch videos and re-read blogs all the time, because there are so many different commands, and there’s no way of memorizing all of them. But you need to understand the concepts. If you understand the tool they might need to run or the concept of it, then you can search that, find the tool, and run it. That’s more important.
Natalia: We’ve all read the statistics about burnout in the security industry. What do you recommend for leaders who want to better retain their talent?
Heath: You must be pro-mental health. Make sure there’s ample paid time off (PTO) and encourage employees to use it. Also, make sure that your employees can take time off beyond PTO. If they’re sick, they shouldn’t feel like they’re letting people down. Have flexible schedules; run on a 32-hour workweek. Try to give people as much time back and have a work-life balance. Pay for training, so people can go and focus on topics they’re interested in. Make sure that you’re investing in your employees. It’s so much more expensive to rehire and retrain. I’d rather invest in an employee and keep their mental health at a high level, and make sure I’m giving them all the tools and training they need to perform successfully.
Natalia: What trends have you seen in cybersecurity skilling? What do you think is coming next in terms of how security professionals are trained up, recruited, and retained?
Heath: There are more people interested in the field, and that’s great. We’re starting to see a lot more training providers and training options. Back when I started, a lot of it was just reading blog posts, and there were maybe one or two training providers. Now, there are 10 or 15.
Misinformation can be out there, or outdated information. If you search online for certification companies—or even look at an online post from a year ago—that information could be outdated. So again, this comes back to due diligence and making sure that you’re doing your research, not just relying on one source. If I were going to look for certifications to get into this field, I’d look at 20 or 30 different resources, get a consensus of what polls the highest, then do my own research on those organizations. It’s great job-skills practice to research and make sure you understand where you need to go.
Disclaimer: The views expressed here are solely those of the author and do not represent the views of Microsoft Corporation.