Landing a job in cybersecurity can be fruitful—and rewarding. Many cybersecurity professionals bring home six-figure salaries, and leaders in the field can earn million-dollar paychecks. But there are currently hundreds of thousands of cybersecurity positions open in the U.S.
The key to breaking into a high-paying cybersecurity job, as told by Obama admin cyber leader
BY Sydney Lake
September 19, 2022, 7:46 PM
Students near the Chan Shun Auditorium on the University of California, Berkeley campus, as seen in August 2022. (Photographer: David Odisho—Bloomberg/Getty Images)
The massive cybersecurity talent gap is largely a result of a lack of adequately or appropriately trained professionals. But companies must also better define their cybersecurity needs to secure talent, argues Jonathan Reiber, vice president of cybersecurity strategy and policy at AttackIQ.
"There are a whole range of capabilities required in cybersecurity, from basic analyst skills to higher-level operational skills. I'm actually very confident in the country's ability to meet those requirements over time," he tells Fortune. "The challenge is much less to my mind about getting the right people hired—it's more about what are the right jobs that we actually need."
Reiber has seen the need for cybersecurity grow and evolve. During the Obama administration, he served as a speech writer and chief strategy officer for cyber policy in the Office of the Secretary of Defense. In those roles, he advised Pentagon senior leadership, other high-ranking defense officials, and President Barack Obama on all matters of national security policy.
During that time, Reiber wrote the first and second National Cyber Defense Strategies for the United States in 2010 and 2015, working closely with the Defense Department and Intelligence Community. He also had a writing grant at the University of California—Berkeley, where he was a senior fellow at the Center for Long-Term Cybersecurity.
Fortune sat down with Reiber to learn more about the needs cybersecurity companies have, the talent gap, and the type of education required for cybersecurity professionals today.
The following interview has been edited for brevity and clarity.
Cybersecurity concerns today
Fortune: Tell me about the differences in cybersecurity concerns then vs now.
Reiber: The threats haven't changed, the threat actors haven't changed. What's changed is the really transformative understanding of our national vulnerability in cyberspace brought about principally first by Russia's interference in the U.S. election in 2016. That was a watershed moment for the public and the technology sector. And for the government to say, adversaries are looking for the weak underbellies—not just in our internet infrastructure—which we'd known prior to that, but that they were looking for underbellies in our society and ways to manipulate society and sow doubt and fear. And the interesting thing about what happened in 2016 was the social media companies provided this very weak underbelly because people would share unverified information. So disinformation became the hammer, but the scalpel was, in fact, still hacking.
Since leaving government, I've focused on building technological capabilities and processes for organizations all over the world to improve their cybersecurity posture. At AttackIQ we do what's called breach and attack simulation for automated security control validation. In cybersecurity we don't focus on the adversary enough. We focus too much on things like compliance or regulatory standards that we're trying to meet. That's a rearranging of the deck chairs in a large way. Doesn't actually prove to you that you're ready. So there's a process called penetration testing, which is kind of a strange phrase, but you'll hire an outside firm to try and break into your defenses once or twice a year, at most.
And that's not sufficient because if it only does it once or twice a year—people change, technologies change, things break down—you actually need to test once a week and some controls need to be tested every hour in some cases once a month.
What is the importance of public-private partnerships in cybersecurity?
Often the government and the private sector have shared information about vulnerabilities that have been discovered. This is sort of a slower level process that existed before the real ramp in attacks, before the ramp in ransomware, before the Russian interference in the election, before there was more of a dawning awareness that cyberspace was a domain of military operations.
As the threat has gotten more serious, the government and the private sector have had to work together by combining the capabilities of the large platforms to remove actors from them, with the government's abilities to do things like not just cyberspace op but also sanctions.
A good case in point is when Russia invaded Ukraine, the first public-private actions that were taken were technology companies removed their services from Russia. The evolving nature of cyber of public-private partnership in cybersecurity can basically be said to deepen cooperation between companies and the government to share information, develop standards and best practices, design strategies, and then ultimately work together on combined voluntary operations to prevent hostile actors from conducting attacks in cyberspace.
The cybersecurity talent gap
What is your take on the cybersecurity talent gap? What are the most in-demand cybersecurity skills from your vantage?
The talent gap is something that I think a lot of folks when they first start working on cybersecurity like to think about and write about. There are roles that need to be filled, but we are going to be able to meet them. One of the things I've noticed is if you have cybersecurity capabilities, you will find a job.
There are a whole range of capabilities required in cybersecurity, from basic analyst skills to higher-level operational skills. I'm actually very confident in the country's ability to meet those requirements over time. The challenge is much less to my mind about getting the right people hired—it's more about what are the right jobs that we actually need.
If you think about risk, the most important thing to think about in cybersecurity is: What is my most valuable data? Have I protected that most valuable data? And am I prepared in the event that something goes wrong? Companies haven't taken that approach to cybersecurity, and I think once they do, the question around the talent gap will begin to go away because we'll be realigning the resources that we do have to focus on the most important problems. And that will lead to a reduction in risk.
How can companies evaluate the cybersecurity needs they have?
You should start by questioning what your most important mission is. If I'm a law firm, my most important mission is to be able to protect my client's data. If I'm a retailer, my most important mission is to be able to protect my client's credit card information. It's often around protecting the data of the people that matter most. If you're a logistics organization, it will be protecting the proprietary nature of the data around the logistics that I have. So you can then say, where is that information being stored? How is it being transmitted and what are the security controls that I have around it?
You have to make sure that that data has the appropriate levels of security around it. Ultimately, you need to make sure that that security works.
Cybersecurity education and upskilling
What type of education should people entering the industry have?
I actually think the most important thing for people entering the cybersecurity workforce is to have a business education. If you want to rise up in cybersecurity, you're not gonna do it in the way that you want if you just have a technical education. It's far more important to understand the needs of the business.
Getting an MBA is actually a very good strategy for becoming a leader in cybersecurity. If you want to become a chief information security officer, you need to understand what the interests of divisions within your company are. If I work for a meat packaging company, I want to know about logistics. I want to know about plastic. I want to know about delivery. And those things are the components that drive the information technology needs of the business.
If you understand that, then you can begin to empathize with the people in the business so that when you're providing services—which is what you're doing as a security professional—you're doing so within the construct of success of the overall organization and the shareholders and everybody involved.
Too often, I think people in cybersecurity will fetishize the technology and not focus enough on the human skills required for success within an organization. The actual hard work of being in an organization is much more of the soft skills, I think. I would urge people who are learning in cybersecurity not to leave out that aspect of the work if they try and gain a full perspective on how to lead and be effective.
What about cybersecurity continuing education?
Our academy is free and you can enroll right now in specific areas of breach and attack, simulation, threat and form defense, other capabilities like that. There's a lot of good pre-education out there. I really think getting out of just the cyber universe is incredibly important and having good writing skills. Ultimately I do think getting a master's degree in something that's not just about technology will be helpful.
What are important soft skills to have for cybersecurity?
The ability to empathize with people and to understand how to build teams. Oftentimes if you're trying to effect change with a new technology or a new process or build a new team in a company—and that's a lot of what cybersecurity involves—you need to be able to build alliances and you need to be able to lead. If you're just focused on being an operator, which is fine, you want to be an operator like an analyst, SOC [security operations center] operator, then you want to learn how to lead other SOC operators and other analysts. That requires leadership skills.
If you want to be a leadership leader of the business, however, you need to expand your mentality far beyond security operations and include strategy and resources and budget and management and public affairs and all those different things. And that's being a business leader. It depends on what somebody wants to do with themselves and their ambitions. I think no matter what, an ability to build alliances, an ability to build teams to empathize with people is all really important.
What advice do you have for anyone entering the industry?
You need to think about the field that you're entering into less like an IT job and more like a national security job. And that can be very appealing, actually. It's a blending of civilian life and technology and international politics because the government that has a role to play in cybersecurity companies, have a role to play regulators at the state level.
In order to succeed, teams have to achieve what I say is combat readiness. They have to be ready to defend themselves right now against the adversary and to achieve that kind of readiness requires thinking about the adversary, focusing on the adversary and preparing for the threats that are going to come.