InfoSec Isn’t a Job, It’s a Lifestyle

The dynamic paradigm shift and intellectual arms race between cybersecurity and cybercrime is not a new war, nor is it one that shows any signs of abating despite constant innovations in computer defenses, the education of users, and increasingly stricter guidelines for programming practices.

What was once a secretive black art, hacking - and all its related “white hat” art forms, including pen testing and cybersecurity - has become a cornerstone of our everyday life. Whether we’re talking about the people who develop the artificial intelligence (AI) that powers self-navigating devices, the manipulation of something to make it do things that it was not intended to do, an alarming evening news headline, or the main plot twist in a Hollywood movie, it’s official: hacking is now firmly embedded in popular consciousness and culture.

We are living in a time where infosec has become not only a job, but a lifestyle. It’s an entirely new take on how life can be interpreted. This technological art, once only thought of as being practiced in the dank basement dwellings of lone outsiders, is now widely popularized by news outlets, prime time media in shows such as Mr. Robot, tech industry magazines, and real-time streaming shows.

When Hacking Goes Mainstream

The Information Security (InfoSec) community as a whole has also adapted and shifted with the times. Long gone are the days where hacking techniques were only taught by shady individuals via secret websites or underground chat networks. Nowadays, people are openly sharing ideas, training tips, techniques, and code on social media and public code repositories.

With all these drastic changes, we are seeing a huge influx of individuals who want to be part of this ‘hacker’ community, whether they enjoy playing with technology as a passion project, or they aspire to be a salaried team member employed to keep organizations secure against malicious attackers.

However, even with all these new publicly-accessible educational resources and training, we, as a community, still face many hurdles that hinder us collectively as a group. One of these struggles, and one we so often encounter from a professional and personal standpoint, is the lack of a solid foundation for providing direction and opportunity to individuals who want to get into information security as a career. 

For many people this may come as a surprise. Sure, we have more college courses and programs than ever before focusing on cybersecurity elements, programming, and the practices that go along with them. In addition, there are hundreds, if not thousands, of training courses available, both in our colleges and universities and online.

Getting information has never been easier, so what is the real issue here?

I believe there are three main contributors at fault for hindering newly-fledged cybersecurity practitioners:

  1. Outdated educational practices which cannot keep up with the fast-paced and dynamic shifting of today’s security needs.
  2. False advertisement on paper or reliance on certifications instead of real world experience.
  3. Passion, or more appropriately, the lack-thereof.

As someone who has been actively engaged in the infosec community for over a decade, I have had my fair share of interviewing individuals for entry-level positions. One of my favorite stories to share at piano bars in the desert, or other such locations where cyberwar veterans gather to tell their stories and show their battle scars, was during one of these long hiring stints where as I was interviewing three college graduates for an entry-level malware analysis position.

The story, which covers all three of these faults, goes like this.

A Tale of Three InfoSec Interviews

The first candidate was an early twenty-something male who seemed extremely nervous. It was clear that this was likely one of his first job interviews, as he had just finished his Bachelor’s degree at a respectable college. Despite this, during the interview, he showed a very high proficiency for knowing the alphabet soup of abbreviations and jargon we revel in in cybersecurity.

The interview concluded with the candidate spending twenty minutes showing me his thesis paper, which focused on identifying a five-year-old family of malware using a specialized software set that was popular in our community about three years ago. Unfortunately for him, this setup would never work in the real world, as malware had already since bypassed detection using this software, which was now reduced to a checkbox option in $100 malware-packer engines.

The second candidate was very confident in his interview. He name-dropped and mentioned other interviews he was doing simultaneously. He seemed very smart and had spent the last two years doing course after course and tacking multiple certifications onto his resume. His email signature was a smattering of abbreviations, indicating that he or his previous employer had spent a small fortune on trainings and certifications. He proudly displayed them like a boy scout with a vest full of patches.

This candidate’s technical interview lasted thirty minutes. However, although he interviewed well and looked good on paper, in a very short time it became clear that his trainings had not prepared him to analyze a piece of sample malware using randomly chosen tools he was unfamiliar with. This candidate was trained in vendor X’s toolset and we provided vendor Y’s. He was stumped.

The third candidate was a young woman in her senior year of high school. She had no certifications or real-world experience other than a small programming job she had undertaken the previous year. Her technical skills were pretty basic. We gave her the same technical test as the previous candidate to ensure that she was not familiar with the tools at all.

However, instead of complaining as the others had, she took full advantage of the time she had available. She immediately went online to search for free training resources, and learned how to use the software on the spot. She asked intelligent questions and narrated her working process as she attempted to solve the problem. In the end, she was not successful in completing our technical test and she was evidently frustrated by this. She then asked what the malware did. Even in defeat, she was curious to learn more and close the gaps in her knowledge.

A closing question I used with all three candidates was this: “Do you have a home lab and, if so, what was the last thing you worked on?”

Her answer is one I will never forget: she told me, in great detail, about every random device she had ever collected, magpie-style, into her lab. The last thing she worked on, she told me, was a step-by-step walk through of how a two-year old Java exploit worked – inspired by a YouTube demo video. 

To the dismay of her parents, this candidate even missed opening Christmas presents one year because she spent all day trying to learn how to trigger this exploit. I asked her why she chose that particular project and she responded by telling me that her school didn’t offer many exploitation classes, but she was really interested in that topic.

I asked her what she was going to work on next and, without missing a beat, she replied that she was going to take apart the malware we asked her to analyze in her interview because, “I want to know how it works, and I’m sad I didn’t get to see it.”

Hire For Passion, Not Prestige

As you’ve guessed by now, we hired the third candidate. On her first day, she spent an hour telling me all she’d learned about the interview malware, after spending several nights analyzing it. She also confessed that she was shocked we offered her a job. All in all, she was easily one of my favorite people to work with in my ten years in cybersecurity.

What set her apart was her passion. Passion is the easiest personal attribute to recognized, and the hardest to fake. You either have it or you don’t. It can’t be taught, although it can be cultivated.

Unfortunately, the flip side of the coin is that individuals may not get to fully express their passion due to nervousness in a job interview scenario. It’s also difficult to fully express real passion within the constraints of the typical resume (Pro tip: learn how to write a passionate and compelling cover letter to accompany your application).

To complicate the problem, cybersecurity recruiters and hiring managers are not always looking for that passion. In a world where many companies hire third-party recruiting firms (or keyword-driven resume-sorting software) to put backsides in seats in the fastest growing industry in the world, those passions may not be getting the recognition they deserve.

Who loses out? The industry as a whole. Organizations miss out on some of the best hires and researchers; newly inspired recruits are passed over for those who look “better on paper,” and the end product produced by these hires maybe isn’t as innovative, thorough, or user-friendly as it could be.

Next week, we’ll dive into some basic tips on how to begin changing this trend and getting the “right” hires for your cybersecurity business, rather than just filling a quota.