Getting into cybersecurity: Tales from the front line
There isn’t necessarily a straightforward path into the Security industry, and there are many different roles to explore.
For Cybersecurity Awareness Month, I sat down with three Cisco Security experts, who all have different roles within the company, and all have a different story to tell.
- Warren Mercer is a threat researcher for Cisco Talos, our threat intelligence organisation.
- Julie McGourty is a Security Sales Engineer for Cisco UKI.
- And Richard Archdeacon is an Advisory CISO for Duo Security, now part of Cisco.
How did you get into cybersecurity?
Warren: I don’t have an academic background, or a degree. A lot of people think you have to be educated to the hilt to work in cybersecurity which isn’t necessarily true. I’m where I am purely down to self-learning.
I started out as a service desk engineer, doing things like password directs and internet proxies. From there I began to specialise in networking technology and installing firewalls; figuring out how they should be designed and placed within infrastructures and looking at detection sensors.
I soon developed a fascination with threat intelligence – for example, if the organisation was targeted with a specific cyber-attack, how could you design a network to stop it?
That led me to a role with the New York Stock Exchange, where I focussed on threat vulnerability, placement of sensors, and working out ways to protect the perimeter. I was tasked with working out how an attacker might think, and what he/she would target in order to inflict maximum damage. I would then inform the teams on how they should protect the infrastructure.
My role now within Cisco Talos is to create actionable intelligence for the benefit of others. With my team, I’m following clues and breadcrumbs that the attackers have left behind in order to find out their end goal, and ultimately stop them before they reach it.
Julie: I got into the industry entirely by accident! Throughout my career I’ve always sought to do something interesting, and to say yes to opportunities when they presented themselves. That mentality led me to cybersecurity, and it’s very much where I intend to stay.
I studied Business Studies at University, with computer programming on the side. When I graduated, I didn’t really know what I wanted to do, but I ended up as a networking analyst for an insurance company who used Cisco equipment, which is where I learned about what Cisco did.
I joined Cisco as a generalist Systems Engineer eleven years ago, at a time when Cisco didn’t specialise in Security (certainly we didn’t have any of the expansive product portfolio that we have now). However, we were exploring that route, and my manager came to me and explained that Cisco was about to have a big focus on Security, and we as a team needed to become experts on it. I was asked to be the one to go out and learn everything I could about Security and specifically what Cisco’s plans were, bringing that knowledge back to the team.
I hugely enjoyed that learning experience, which is why I became a Security specialist. I liaise with customers to identify any gaps they might have in their network, and work with them to develop a technical action plan.
Richard: I was developing Data Centre and executive reporting systems, when I discovered a Security gap within the network of the major financial organisation I was working for.
I pointed it out (in writing), but unfortunately my report was ignored. Soon enough, the data breach happened exactly as I had described, resulting in the total collapse of the company.
That brought home to me the huge importance of Security measures. I’d experienced first-hand just how dramatic poor Security could be, so I wanted to make sure it was embedded in the entire infrastructure; not just an afterthought.
I became a Security advisor to the UK cabinet office, before joining various Security companies and ultimately ending up where I am now, with Duo Security as an Advisory CISO. I talk to clients about their Security programmes, understand their risks and concerns, and work to find the best solution. It’s our role to help the CISO be successful.
What do you like most about your job?
Warren: I’ve been with the Talos threat intelligence team for four years now, and I can honestly say it’s the best job I’ve ever had. We have a direct impact on millions of people around the world; stopping threats before they destroy organisations.
What I like most about my job is the comradery within my team. We’re not a group of “yes people”. We take peer review very seriously, because we don’t want to be putting out work which isn’t good enough, or that the industry has seen before. The things we report on are critical, so our leader has built a great culture which means that we don’t take any personal offence when something we’ve written gets rejected; it simply means it’s not quite ready yet. “Fail fast and move on” is something of a Talos motto.
Julie: Cybersecurity isn’t just another piece of technology; it’s high stakes. You have to get it right. For the customers that I work with, cybersecurity is their no.1 concern – they don’t want to end up on the news, for all the wrong reasons.
What I like most is the different types of people/roles that I speak to every day. One day I’ll be speaking to a CISO about their long-term strategy, other days I’ll be speaking to a CIO about data privacy, and other days I’ll be speaking to the networking engineer in order to help with more of the everyday-type questions.
You also get to explore niche areas, such as mobile application Security which is what I’m currently focusing on.
Richard: Security is the most complex, the most dynamic, and the most high-profile industry you’ll ever work in. It’s what drives change and improvements, because you can’t make anything work without Security.
Also, cybercrime is what a lot of criminals do to fund their other activities, such as robbery, murder, terrorism and rape. By working in cybersecurity, you’re cutting off their resources to carry out these horrific acts.
Ultimately, you’re not just stopping a cyber-attack, you’re potentially stopping other violent crimes. There are ripples beyond cybersecurity that most people don’t even think about, so if you want a job that ultimately makes a difference, cybersecurity is one of those.
What would be your advice for anyone looking to develop a career in the Security industry?
Warren: Make sure it’s something that you’re going to enjoy doing. Personally, I absolutely love what I do because it’s exciting, you don’t get stuck in a rut, and every Monday morning is different. But that lack of a routine won’t work for everyone.
On the other side, Security is a constantly moving landscape, so it can be very difficult when a bread crumb you’re following turns out to be nothing at all. Plus, very often you’re not the main contributor, but you still have a vital support role to play.
The salary for a Security role can be very good, but that’s pretty much the last thing that should drive you. Working in Security is very much a calling; something that you have to be passionate about. The money is secondary.
On a more practical level, I would argue that coding/programming isn’t everything (I don’t code or program). What’s more important is to understand reversal. Understand how an attacker might break in, and then work backwards to fix it.
Julie: I would research the different types of role within cybersecurity. Most people have this “hacker in a hoody” image when they think about cybersecurity, but there are a huge variety of roles; hoody optional. You don’t necessarily have to be ultra-tech savvy either.
The Security industry is only getting bigger, so if you’re after a growth industry, and are prepared to learn something new every day, then Security may well be the option for you.
I also got to where I am thanks to some fantastic training courses. There are plenty out there online, which you can add to your CV. Cisco offer two free online cybersecurity courses through our NetAcademy, and I can recommend both of them very strongly.
Richard: Don’t be dispirited if you don’t have a technical degree. As this article proves, the majority of people who now work in cybersecurity didn’t start out down that route.
As Julie said, read and understand the different roles that are available. For example, if you’re interested in psychology or have some experience in that, you can get a job understanding how users think and work, and help people develop systems to cater for that. If you studied History or Politics, you clearly have an analytical mind; that lends itself well to compliance networks.
My best piece of advice would be to not restrict yourself. Explore, have fun, make a difference, and benefit a whole lot of people.