Expert Advice on Starting a Career in Cybersecurity
Do you have what it takes to become a cybersecurity expert? We interviewed 3 security professionals to find out how they got their start and what advice they would give to someone starting their career in cybersecurity.
With security threats increasing, much of business continuity has come to rely on data security. In particular, engineering teams building cloud software rely on access to an ever-growing number of computing resources. Security professionals, for their part, view new computing resources as increased attack surface area. The need for security professionals adept at interfacing with engineers and DevOps teams is high, but what does it actually take to become a security expert?
Security is an incredibly multifaceted field, and the path that security professionals take to get their start can look completely different from person to person and role to role. That said, there are certain basic skills that will serve you well in a security career, regardless of what you ultimately specialize in.
In recent conversations with security experts, Developer Relations Engineer Ben Arent explored the basic skills that every security practitioner needs, how to pivot into the field of security from a different career, and what you can do to continually up-level your skills. In this post, we highlight valuable feedback from Ben’s chats with three security experts: Adam Baldwin, Security Engineer at Auth0; Donnie Hasseltine, CSO at Xenon Partner and CEO at TeamPassword & TeamsID; and Luca Carettoni, co-founder of Doyensec.
Finding a mentor
One of the best ways to prepare for a career in security is to talk with security experts about their experience, and to get their advice as you begin to work in the industry yourself.
For Adam Baldwin, mentorship has played a major role in guiding his career.
“When I was 15, 16,” says Adam, “[my mentor] got me into reverse engineering and programming. That was my first opportunity.” And that one opportunity played a significant role throughout his career, as he discusses in his post here.
Once Adam was at Symantec, he found even more mentors: “Darrius Hughley and Katie Moussouris both sort of guided me on the offensive side and provided ways to educate myself, to understand how to do things and how the industry worked and how to meet people and just really offered opportunity.”
As an expert in the field himself, Adam now loves to share mentorship advice with other folks hoping to get their start in security: “I love giving opportunities and sharing with people, so sharing this here too, feel free to DM me on Twitter, my door is open. If you want to chat about a career in security, whatever, I’m open.”
Building foundational skills for a career in security
Regardless of the specific role you are interested in pursuing, there are a few key skills to focus on as you get your start in security.
Take the approach of “I could break that”
For Hasseltine, his background as an officer in the military has helped to inform his approach to security.
“When I first got into the industry through my grad school program,” says Hasseltine, “I was struck that when I interfaced with cyber professionals they thought like my infantry marines. What I mean by that is their first thought when they see something… is, ‘I can break that. I can get around that.’ And I think that’s really the essence of a hacker. It’s someone who’s always going to find a way in and a way around things.”
Whether or not you’re coming from a military background, Hasseltine’s advice for newcomers rings true: double down on your instinct to look for weak points.
Pay attention to detail
When discussing what a ‘typical’ day would look like during his time as a CSO at a boutique private equity firm, Hasseltine highlighted a few recurring tasks:
“The first one is kind of just what I call mowing the lawn. It’s just looking across the portfolio and the companies in the fund and keeping the hygiene up. Checking the status of training, engaging teammates, touching base with general managers and directors of operations and kind of just ensuring follow-through on our policies.”
While these tasks were specific to his role, the basic premise of maintaining security across your team was at the core of his work.
Noticing when things seem off or out of place, being proactive about assessing potential risks, and being sure to enforce security policies & best practices are important for anyone in security — whether you’re at the very start of your career or are a seasoned CSO with years of practice.
Always be open to learning
Approaching security with the drive to continue learning is essential. Hasseltine notes: “If you’re open, you keep learning, you immerse yourself. You’re going to do very well in the cybersecurity community.”
It’s important to remember that the field of security is incredibly vast, and even the most expert practitioners are constantly learning new things.
Remembering that everyone around you is constantly learning and expanding their knowledge can also help with imposter syndrome: “I think everybody in the industry tends to have [imposter syndrome],” says Hasseltine. “Some of the CSOs and practitioners that I know have it. Just understand that as you get smarter, you get more aware of what you don’t know. But understand if you immerse yourself, you’re going to keep learning and you’re going to get very, very capable, very quickly.”
Pivoting from another career
Multiple paths can lead to a career in security. For Hasseltine, getting into cybersecurity began with being a military officer.
“Even though I was an infantry officer which is generally viewed as a little less technical role, as I led larger units in formations, I could certainly see that cyberwarfare was kind of a critical part of my mission and taking care of my team.”
In his final tour in the Marine Corps, Hasseltine was stationed in Silicon Valley and began interacting with startups, military innovation groups, and hacking for defense classes. After earning an executive master in cybersecurity from Brown University, he made the switch to a full-time career in cybersecurity.
For Baldwin, the path to a career in security looked quite different. The journey that led him to choosing the security field actually began as a kid growing up in a small farming town in Minnesota with little to do but play on computers for entertainment: “I ended up getting in trouble for getting into a local bulletin board system. That sort of sparked my curiosity, but also got me a mentor and really got my interest in security, reverse engineering, programming, things like that.”
Baldwin didn’t formally join the security industry until much later during his time at Symantec, where he got to meet a lot of industry experts who guided and mentored him in the offensive side of security. There, he focused on everything from firewall support, to consulting, to social engineering penetration testing.
Cultivating your passion for cybersecurity
Passion for the security field, for Luca Carettoni, is the starting point for pursuing a career in it. “Security’s a big field,” he says, “so I think it is really important to understand what the person is passionate about. To me, that’s the most important quality. It really takes a lot of passion and a lot of long nights to understand how things work and to experiment outside pure work duty. So if you are not really enjoying the continuous learning, I don’t think it’s possible to be very good at what we do in this field.”
Luca underscores the importance of understanding what you like (as a person and team leader), what team members enjoy doing, and then doubling down on what you discover. So if it’s incident response, he recommends, take that path and try to read all the possible resources out there, and if it’s application security, start reading all the articles on Reddit netsec: “Start reading and understanding the root causes of vulnerability, reading advisories, and styling all software in order to understand how vulnerabilities manifest and what’s the root cause of such vulnerabilities and start building exploits.”
While there’s no one path to starting a career in security, practicing skills like paying attention to detail, looking for breaking points or vulnerabilities, and continuing to learn as the industry evolves are critical for everyone. Breaking into the field also doesn’t require that you start in a security-focused role. In fact, you can start from just about anywhere so long as you cultivate the right skills and look for a skilled mentor to help you get your start.
Regardless of whether you pursue a job in security or not, being security-minded will serve you well in your personal and professional life. In fact, with the emergence of the shift-left movement, the task of security has started to become shared with developers and other team members who aren’t explicitly security professionals. Wherever your professional interests lie, having an eye for security will help you do your job more safely, protect your team against potential threats, and ultimately keep your business humming.