5 Things You Need To Create A Highly Successful Career In The Cybersecurity Industry – Authority Magazine
5 Things You Need To Create A Highly Successful Career In The Cybersecurity Industry – Authority Magazine
Women Reshaping The Cybersecurity Industry: Debbie Gordon Of Cloud Range
Practice. Practice. Practice. Don’t depend on having a certification or degree and think that you’re going to be good in your role forever. Ensure that your employers are investing in your growth and success, which is going to have a direct impact on reducing your organization’s cyber risk.
The cybersecurity industry has become so essential and exciting. What is coming around the corner? What are the concerns we should keep an eye out for? How does one succeed in the cybersecurity industry? As a part of this interview series we had the pleasure of interviewing Debbie Gordon.
As founder and CEO of Cloud Range, Debbie Gordon is a globally recognized entrepreneur leading a new category in cybersecurity. Cloud Range was founded on the premise of closing the cybersecurity skills gap by giving security teams the ability to gain real life experience and practice defending against live cyber attacks in a protected customized dynamic environment. A consummate entrepreneur, Debbie began her career 25+ years ago in the technical education/certification space and has since built and sold several companies in eCommerce, IT asset management, and training.
Thank you so much for doing this with us! Before we dig in, our readers would like to get to know you a bit. Can you tell us a bit about your backstory and how you grew up?
Neither of my parents are entrepreneurs, but, growing up, they gave me the freedom to try new things and never held me back from doing anything I wanted to do. I had the drive to build something great while taking care of myself and I never felt any fear in pursuing what I wanted to do. I started my first company, a technical training business, at age 23. Fast forward almost 30 years, I have built and sold an e-commerce company, an IT asset management company, and another training company. I’m constantly driven to make change in the world and solve big problems, and I can’t do it without my amazing team that I get to work with to help make that happen.
Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.
I noticed that all the cyber attacks that were publicized on the news had two things in common. 1. They were all large enterprises that had millions of dollars’ worth of cybersecurity technology. 2. The attacks could have been detected and prevented by the people that were in the security operations center of those organizations, but they simply didn’t know what they were looking for or looking at. I realized that the people that are protecting organizations are the last line of defense and they need continuous training to make sure that they are prepared to detect and respond to forthcoming cyber attacks. At the same time, I kept hearing about how serious the talent shortage in cybersecurity is and how it was getting worse.
I knew that instead of talking about the problem, I needed to set out and find a way to solve it, understanding that it cannot be done overnight. Big problems don’t get solved overnight. Big problems have solutions that may outlive me — but it’s never too early to start to solve a problem that’s affecting the whole world.
Are you working on any exciting new projects now? How do you think that will help people?
The latest thing that we are working on is helping organizations quantify the strength of their cyber defense teams to understand the necessary growth and development to ensure that they are prepared for any type of cyber attack that may happen. This will be a very powerful cyber risk score that measures the effectiveness and competency gaps in cyber defense teams and will inform training plans and budgets to ensure that organizations are staying ahead of the game.
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry seems so exciting right now. What are the 3 things in particular that most excite you about the industry? Can you explain or give an example?
Security leadership and C-suites are now acknowledging that they must invest in their cyber talent because people are in fact the most important asset in a security stack. We cannot depend on technology and compliance alone.
There is so much opportunity for employment for people who would otherwise not consider getting into cybersecurity. Most people think that cybersecurity jobs require technical expertise, but in fact, there are over 50 different types of roles in cybersecurity and many of them do not require any technical background.
I am excited that the cybersecurity community is continuing to come together to establish standards both for cybersecurity and safety. Without standards, potential solutions are often a crapshoot and leaders can spend far too much time testing possible solutions instead of following standards or frameworks that have been proven. For example, the NICE (National Initiative for Cybersecurity Education) Framework helps guide organizations to ensure that their cyber professionals have the right competencies based on their specified work role. With the availability of training, including simulation-based cyber ranges, security practitioners can get the training they need to perform their job effectively and efficiently.
What are the 3 things that concern you about the Cybersecurity industry? Can you explain? What can be done to address those concerns?
My biggest concern is the potential lack of understanding from the public and private sectors of the gravity of an attack on our critical infrastructure. There is a very real risk of attacks on our critical infrastructure, which includes our power grid, water, transportation systems, and every other sector that we depend on every day. Not only could we lose critical resources that we need every day, but our safety could be in danger, and even our lives.
With the economic downturn, some organizations are cutting budgets on their most important asset — their people. During the economic downturn, attackers don’t take a break. When resources are cut globally, there are more vulnerabilities. I am very pleased by the fact that many organizations are continuing to invest in their cybersecurity talent to maximize the valuable human assets.
AI can’t do everything and, even though people think that AI can replace different technologies, we still need humans to be critical thinkers especially in complex environments. AI is never going to replace people — it may make people’s jobs easier, or even harder for that matter. Security teams can use AI in a smart way, for example helping analysts be more efficient, but we still need human beings to have their eyeballs on things, and people need to be aware of AI’s lack of perfection.
Can you share how you are helping to reshape the cybersecurity industry?
At Cloud Range our mission is to make simulation training a standard in not only getting a job but doing a job. Cybersecurity is the only life safety field that doesn’t require people to have certain training and life experience to perform their roles, which at the end of the day, are protecting our society. Everyday Cloud Range is increasing the number of organizations that are incorporating simulation training to ensure their cyber defenders are prepared to defend against the next attack.
As products, devices and vehicles become connected, this is creating a new and emerging threat vector. How do you think manufacturers and their customers should prepare to be as safe as they can be?
Products need to be designed in a way that security is incorporated into the original design, i.e. secured by design. Whether it is a car, an airplane, or any kind of device, constant testing against cyber attacks needs to be conducted and monitored. Adoption and adherence to industry frameworks will aid in security when designing everything from automobiles to buildings. Incorporating the simulation of cyber attacks into digital twins is an integral piece of design and development as well as the ongoing maintenance of cyber safety.
Can you share a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?
At Cloud Range we are preparing security teams every day to do exactly that. We are preparing them to eliminate the chance of a costly breach by conducting simulation training exercises monthly. Recently one of our largest customers, which is a Fortune 100 company, told us that they experienced an attack and were able to respond to it much more effectively because of the simulation training that they had been doing on an ongoing basis. It was incredibly gratifying to know that the work we do doesn’t just sound great anecdotally, but it is directly eliminating breaches.
As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a layperson can see or look for that might indicate that something might be amiss?
It is important to note that it is always better to over-report and have the security team confirm that something is not malicious than to not report something and have it missed with a nefarious actor still within your network.
1. As always, be cautious of third-party websites not used directly in your work environment. This can include sites like Gmail or YouTube. There are ways for attackers to leverage sites like these to gain access to your organization’s network, and a phishing email, for instance ,will have an easier time of reaching you outside of your organization’s security parameters.
2. Phishing is always a way for an attacker to gain access into your organization’s network. Confirm the sender of an email is a legitimate user of your organization and be cautious of emails that are generated outside of your organization. If the email contents are suspect or strange, call the person who sent it and confirm its authenticity. If you open an email attachment and it does not open the proper application, seems to not open, or contains no information, notify your security team immediately as this could be a phishing email.
3. If you have lost access or cannot open files on your local machine, notify your security team immediately as this may be an early indicator of a ransomware attack. By reporting it early, you may prevent an attacker from spreading the ransomware to the rest of the organization, or at the very least make the security team aware of an active attack.
4. If your machine is running aggressively slow and a restart does not fix the problem, that should be reported to IT, as they will investigate the machine. It may be the result of malware utilizing your machine’s resources for a threat actor’s purposes such as cryptojacking.
After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?
Organizations should always conduct a very detailed after-action review and understand what went wrong and what went right. Many organizations start preparing when it’s too late. They wait for something bad to happen and then are not prepared. Our recommendation is for organizations to not wait until after a breach to understand the potential gravity of it. They can do this by incorporating regular simulated cyber range training exercises to understand detection, investigation, response, and remediation.
What are the most common data security and cybersecurity mistakes you have seen companies make? What are the essential steps that companies should take to avoid or correct those errors?
Overconfidence — People are only as good as their experience and most cyber defense teams do not have enough experience through no fault of their own. Too many technologies and not maximizing the most important asset in a security stack, which is the people. Organizations continue to invest in technologies as bandages but so many are forgetting that the people who are in their SOC are their last line of defense and they need to invest in them. By continuously doing simulation training, organizations can have measurable results to show where they need to focus to be prepared for the next attack.
Stopping an attack and starting remediation too early — Instantly initiating a vulnerability scan after the SOC receives an alert regarding an event in the system can lead to a denial-of-service (DOS) situation. That would render the system non-functional and result in a significant decrease in productivity. It’s critical for security teams to understand how attacks can work in their IT and OT systems and to communicate with each other to ensure the attack is remediated correctly and completely. Poor decision making during the incident response process could cost the organization millions of dollars.
Thank you for all of this. Here is the main question of our discussion. What are your “Five Things You Need To Create A Highly Successful Career In The Cybersecurity Industry?
Understand your innate aptitude. Not every cybersecurity role requires the same parts of the brain and it is important to know what roles you are pre-programed to thrive in.
Understanding that not all cyber roles are technical. Last week I met someone who had been in marketing for 20 years and decided she wanted to get into cybersecurity and is now very successful. She realized that she had several aptitudes that were applicable to cybersecurity and she did not need a technical background.
Have a training plan. Understand that entry-level jobs are a great way to start. Don’t only be concerned about the role you’re in but look forward to all the roles you can thrive in. Talk to your employer about prospective growth in the organization and put together an action plan to achieve those. They will be happy to hear this because retention is a key component of cybersecurity.
An understanding that there are over 50 roles in cybersecurity and it’s not just what people see on TV, i.e. hackers. I was speaking with a young man who just graduated from an elite four-year university and he knew that he wanted to get into cybersecurity because he had taken computer science classes, but he had no idea what that really meant. He was able to understand that not all jobs are technical and there are many paths to take. Regardless, leadership skills are integral regardless of the role.
Practice. Practice. Practice. Don’t depend on having a certification or degree and think that you’re going to be good in your role forever. Ensure that your employers are investing in your growth and success, which is going to have a direct impact on reducing your organization’s cyber risk.
We are very blessed that very prominent leaders read this column. Is there a person in the world, or in the US with whom you would like to have a private breakfast or lunch, and why? He or she might just see this if we tag them :-)
It depends on where we’re eating and whether the restaurant is cybersecure.
Thank you so much for these excellent stories and insights. We wish you continued success in your great work!
See the original article here.