These security experts get paid to think like hackers


The 2017 news cycle was inundated with headlines about high-profile, large-scale data breaches. In their wake, millions of Americans were left wondering if their sensitive information—social security numbers and credit card details—had been compromised.

The apparent uptick in breaches is disconcerting. But while breaches are increasingly common, they’re not unavoidable with the right knowledge and expertise. We asked four cybersecurity experts to share their thoughts on how to break into the field, how to stay ahead of hackers, and what the future of the field looks like.

Getting started

Those pursuing a career in cybersecurity must be natural problem-solvers, like Pieter VanIperen, a software security consultant, professor, and founding member of Code Defenders. His early interest in exploiting code drew him to the field. “As a coder, I liked making systems do things they shouldn’t be able to do,” he explains. “Once you start down that path, you realize how startlingly vulnerable the internet is. And then you are hooked.”

Gretchen Ruck, cybersecurity practice leader at the consulting firm AlixPartners, describes a common misconception of those who work in her field. “The media often portrays security engineers and testers as self-taught tinkerers who only surface from dark recesses to collaborate and compete at hacker conferences,” she says. “But security teams are composed of individuals in specialized roles, many of which demand different skill sets, background, and expertise.”

John Iannarelli, for one, found his way into cybersecurity while working in the FBI in the mid-1990s, in the nascent era of the internet—and during the early days of cyber crime. He has watched his field evolve from a fringe career path to something taught in almost all traditional business programs.

“Formal education today is much more than writing code and learning network operations,” he says, explaining that emerging fields like information governance and computer forensics focus on niche topics within the industry.

Brian Rexroad, the chief security officer at AT&T, discovered cybersecurity when he landed an InfoSec internship with the Department of Defense. “[This] provided great opportunities for training…at a time when there was virtually no formal training available to the private sector.” When he joined AT&T in 1995, he used those skills to pioneer an entirely new area of technology: threat analytics.

“After working in information security for more than 30 years, much of the training and experience that I gained very early in my career is still pertinent today,” says Rexroad. “Even though the specific techniques and technologies change, the objectives and needs are pervasive.”

Staying ahead of the curve

It’s a lightning-fast field. Vigilant study and learning to anticipate the threats associated with rapidly advancing technologies are mandatory.

“When a business decides to use a particular application or cyber resource, it’s the job of a trained professional to examine the vulnerabilities,” says Iannarelli.

Rexroad also sees it as his professional duty to stay ahead of the curve. “If you are detecting and addressing threats on a daily basis, your mindset should be similar to those looking to inflict harm.”

Constant training, such as practicing on “cyber ranges” to keep skills sharp, is critical. Staying abreast of current issues and trends is just as important. Iannarelli suggests subscribing to sites and publications like KrebsOnSecurity.com, a site authored by a former Washington Post cybercrime reporter.

Ruck agrees. “In addition to a couple of email subscriptions, I regularly follow around 25 RSS feeds spanning news sources, security vendors, and personal blogs,” she says.

Not just for experts 

When teaching companies about the threats inherent in workplace technology and BYOD (bring your own device) policies, VanIperen says it’s important to explain that cybersecurity is not something handled by a team in a dark room with wires and blinking panels.

“Cybersecurity is holistic,” he says. “To be successful in preventing breaches, everyone needs to be part of the effort. A hacker only has to be successful once. A corporation has to be successful in defending against attacks every time.”

Rexroad agrees: “It is a fact that employees will contribute to security concerns,” he says. “Everyone in the business starting at the top and moving through the entire organization must be engaged.”

Still, Rexroad feels that shouldn’t be a full-time job for every employee. He recommends organizations complement user training with technology that reduces the risk posed by end users. “Organizations that do not have the resources to do these things themselves should seek trusted, strategic partners that can help manage their security strategy.”

Future of the field

As technology becomes more deeply ingrained in our lives, the importance of cybersecurity will only mount.

“In just the past decade, cybersecurity has shifted from the back room to the boardroom, where lead security executives collaborate with corporate directors to tackle security risks,” says Ruck. “This remarkable journey parallels the rise of the digital economy, in which data is amongst the most highly valued, and often heavily regulated, business resource.”

Demand for specialists within the field is also on the rise. As reported by Gartner, there are currently more than 348,000 open security positions. By 2022, there will be 1.8 million unfilled positions.

Will AI and automation obviate that need? Not entirely, according to Rexroad. “Yes, technological advancements in AI can compensate for the shortage but not entirely fill it, as coders and developers are needed to consistently innovate algorithms and other technologies,” he says. He believes in training tomorrow’s cybersecurity experts to continuously evolve and learn. “The application of skills will be part doing and part learning—for the entire course of your career.”


This article was produced by Quartz Creative on behalf of AT&T Business and not by the Quartz Editorial Staff.