What I Wish I Knew at the Start of My InfoSec Career
Security pros identify lessons learned that impact how they view infosec today.
February 3, 2021
A security career can be an extremely rewarding path and a thankless job all at once. It is a point of pride for many security pros to know their work is focused on fighting the good fight and defending their organizations from breach or hack. But as soon as one threat is identified and mitigated, a new one comes along. The battle is never really won.
Because it is so challenging – and necessary – security continues to be a hot field with near zero unemployment. What should those who are just dipping their toes into the employment pool know before diving into infosec? The Edge asked seasoned security pros what they wish they had known when they first got into the field.
Once you've read through their thoughts, ask yourself: Do these lessons learned sound familiar? Any others you'd add to the list? Would you have made any different career moves had you known earlier? Let us know in the Comments section, below.
Security Is a Team Sport
"Cybersecurity is a full-contact team sport, and there is no single person who is an expert on all the various aspects of the area of discipline.
Once I got over myself and recognized that I couldn't do it all, I focused on building the right team of experts to solve issues before they became problems. That revelation triggered great future success."
—Gregory J. Touhill, President of AppGate Federal, Brigadier General (Ret.) and first U.S. CISO under President Barack Obama
A Broad Base of Technical Knowledge Is Essential
"To be effective in cybersecurity, you need to have an understanding of all areas of IT.
"If an analyst does not understand how a Web application communicates with a database on the backend, how will he know if the traffic he is seeing is normal or malicious? Without this understanding, analysts are just relying on security tools to make the determination, and hopefully [those tools] are configured correctly.
"Sometimes you have to learn the basics to understand the more complex."
—Wayne Pruitt, Cyber Range Technical Trainer North America, Cyberbit
Diversity Lacks in Many Areas of Security
"I really wish I knew how little diversity and inclusion were practiced when I first entered the industry.
"Many of us, and our current organizations, are now working ferociously to improve this situation and are gaining ground. But within my first year, I felt like I'd entered the 1940s."
—Chloé Messdaghi, Chief Strategist, Point3 Security
... But Diversity Makes Teams Better
"Having come from a traditional STEM background, it was not until I entered higher leadership roles and began formulating hiring strategies that I realized that more diverse teams solve the toughest challenges.
"Skills such as critical thinking, how to manage risk trade-offs, and cybersecurity not being a zero-sum game are extremely fundamental in understanding and thriving in the security industry."
—Lakshmi Hanspal, Global CSO, Box
Business Priorities Overrule Security
"I wish I knew and understood that an organization's priorities are guide rails for information security teams.
"As with most starting in infosec, I wanted to solve all the security issues I came across, but this is impossible. Understanding business priorities while communicating potential risks is critical, but helping the business with those priorities gives you credibility."
—Josh Rickard, Security Research Engineer, Swimlane
Don't Doubt Yourself
"When I started 20 years ago as a penetration tester at IBM, I wondered how I even got the job because I did not feel qualified. In hindsight, no one was truly qualified because it was such a young domain, and I was hired because of my technical background, my curiosity, and my interest.
"Fast forward 10 years: I was teaching a technical audience at FS-ISAC how to build hunt teams, and I expected everyone in the audience knew more than me. A gentleman in the audience raised his hand and said, 'You're assuming we know what we are doing, but we don't.' After we all laughed, we shared our notes and learned from each other."
—Mary Writz, VP of Product Management, ForgeRock
Lean on the Infosec Community
"When I was growing up, I was quite an introvert. I didn't realize until much later on in my career just how great the security and tech community [are]. Looking back, I realize how quickly I could have solved so many issues by just asking on an IRC channel or forum.
"I would tell my former self that the problem you are facing now has probably been dealt with multiple times in the past year alone; don't be afraid to ask the infosec community and learn from them."
—Ran Harel, Security Principal & Product Manager, Semperis
Take Career Risks
"Apply for jobs you are not qualified for; everyone else is.
"Security changes every day. New skills, techniques, and the needs of organizations are always shifting, and to be able to check every box from an experience and skills perspective is generally impossible.
"Looking back at 20 years of jobs in the security space, I don't believe that I was ever 100% qualified for any of them but felt confident that I could successfully do them."
—Cody Cornell, CSO and Co-Founder, Swimlane
Security Is Largely a Human Issue
"Overall, the most important lessons that I'd tell my younger self are not tech-based. Rather they focus on the human aspect of working in the cybersecurity industry.
"I think cybersecurity professionals in general tend to focus on technology and ignore the human element, which is a mistake and something that we need to collectively learn from and improve."
—Chris Roberts, Hacker in Residence, Semperis
Always Bring Data to Make the Case for Security
"You are nothing without data. Data is queen!
"Without hard data, you can only speak to security in more 'imagined' ways — or ways the board and the C-suite are aware of in the media. Cost-benefit is only achievable with related data points demonstrating how much we are fighting off, and how the tools, processes, and people make that happen."
—Marlys Rodgers, CISO, CSAA Insurance Group
Patience Is Essential for Security Pros
"When I first started out, I was fairly impatient and wanted to 'get things done' right away. And while there are some things that need to be done right now, not everything needs to be done right now.
"[Have] the ability to prioritize and focus on the items that will have the biggest impact. I think one of the biggest lessons I've learned along the way is while we may need to move quickly, this race is a marathon, not a sprint."
—Edward Frye, CISO, Aryaka
The Sky Is Usually Not Falling
"Despite the way that many in media like to portray cyberthreats, not everything will bring about the end of the world.
"For those getting into incident response and threats, try to have a sense of perspective and establish the facts before allowing your colleagues to push too quickly toward remediation, mitigation, etc.
"Expectation management amongst senior colleagues is also something you'll frequently have to do to avoid them breaking down over a mere phishing site. To quote one of my former colleagues, try to avoid 'Chicken Little syndrome.'"
—Chris Morgan, Senior Cyber Threat Intelligence Analyst, Digital Shadows
Things Change Daily
"There are entire facets of information security that we are expected to be experts in that weren't a big deal a decade ago.
"An individual's privacy is a concern that has rapidly transformed our operations and forced us to change how we do business. Third-party security or supply chain security is another issue that has come dramatically into focus over the last few years. It is no longer enough to be doing all of the right things within your company; you have to be concerned about the same issues for all of your suppliers."
—Ryan Davis, CISO, NS1
Perception of Security Is Still a Challenge
"I wish I knew about the attitudes about security.
"Security is often perceived as something that doesn't provide much benefit other than deferred cost or regulatory checkboxes. Within that, different groups worry about security in different sections. They don't worry about it holistically. Most companies don't have time to adequately plan for security."
—Phil Dunkelberger, CEO, Nok Nok Labs